Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 10.

Operation Epic Fury Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

March 2, 2026 — Infrastructure and Economic Warfare Escalation

March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat

March 5, 2026 — Offensive Defense and Geographic Expansion

March 6, 2026 — Regime Fragmentation and Strategic Targeting

March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion

March 10, 2026 — Decentralized Retaliation and Economic Pressure

March 1–10, 2026 — Infrastructure Targeting and Internationalization

Between March 1 and March 10, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. March 2 also featured expanded strikes against Tehran’s state apparatus, including reported destruction of Iran’s national broadcasting headquarters and the Assembly of Experts’ building.

Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.

By March 3 and March 4, targeting patterns expanded further to include strategic communications infrastructure and hardened military facilities. Satellite analysis confirmed damage to US military communication nodes and early-warning radar infrastructure across multiple Gulf bases, while naval combat escalated with a US submarine sinking the Iranian frigate IRIS Dena in the Indian Ocean. These developments signal a shift toward degrading regional command-and-control networks alongside continued pressure on energy and logistics infrastructure.

Developments on March 5 further expanded the geographic scope of the conflict. Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert and raising the possibility of a northern expansion of the kinetic theater. At the same time, complex missile and drone attacks continued against US military facilities in the Gulf, including a major strike that caused significant damage at Ali Al Salem Air Base in Kuwait. These developments reflect a continued shift toward distributed regional engagements rather than isolated bilateral exchanges.

Developments on March 6 through March 9 indicate continued degradation of Iranian command infrastructure alongside widening regional impacts. Precision strikes reportedly targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities, while diplomatic evacuations and military mobilization along Iran’s northern border suggested the potential expansion of the conflict into new geographic theaters. At the same time, infrastructure targeting expanded beyond energy and communications to include water desalination facilities and additional cloud and data infrastructure, highlighting the growing risk to civilian survival systems and regional economic stability.

Developments on March 10 further underscored the economic dimension of the conflict. A drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery, while global shipping giant MSC suspended exports from Gulf ports due to continued instability in the Strait of Hormuz. These disruptions highlight how the conflict is increasingly affecting global energy production and maritime supply chains beyond the immediate combat zone.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

On March 2, Flashpoint observed reporting on a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors, with activity spanning DDoS, data exposure, and claimed intrusions.

• NoName057(16) + Cyber Islamic Resistance: Claimed large-scale DDoS activity targeting Israeli defense and municipal entities (including Elbit Systems).
  
• Cyber Islamic Resistance: Claimed breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access.
  
• FAD Team (Iraq’s “Resistance Hub”): Claimed SQL injection activity and PII exposure across a wide set of targets, including US and non-US entities.
  
• Fatimion Cyber Team: Claimed disruption targeting Gulf states perceived as US-aligned, including Bahrain and Qatar-linked targets.
  
• Infrastructure claims: FAD Team claimed access to firewall monitoring dashboards in Mecca and Medina.
  

Additional activity observed March 3–4 includes:

• Handala Team: Claimed a breach of Saudi Aramco infrastructure and released internal documentation and schematics intended to validate the attack. Flashpoint has not verified these claims.
  
• PalachPro: Signaled coordination with Iranian hackers to amplify cyber campaigns targeting US and Israeli organizations.
  
• NoName057(16): Claimed access to an Israeli water management SCADA system under the ongoing #OpIsrael campaign. These claims remain unverified.
  
• Fatemiyoun Electronic Team: Conducted a denial-of-service attack against the Kuwaiti News Agency website.
  
• Targeting rhetoric shift: Pro-IRGC propaganda channels began framing major technology companies — including Google — as potential targets due to alleged support of US military operations.
  

Additional activity reported on March 5 indicates a renewed surge in coordinated cyber operations under the #OpIsrael banner:

• NoName057(16): Claimed administrative access to Israeli industrial control systems and SCADA interfaces, alleging the ability to manipulate pump activity and water flow. These claims remain unverified but represent a high-risk threat to essential services.
  
• Handala Group: Claimed the exfiltration and wiping of approximately 1.3 TB of data from Atlas Insurances Ltd., while simultaneously launching a doxxing campaign targeting individuals alleged to be connected to Israeli intelligence.
  
• Fatemiyoun Electronic Team: Claimed responsibility for taking multiple government ministry websites offline in Jordan and Kuwait and releasing personal data from a Kuwaiti government application.
  
• Cyber Islamic Resistance (Team 313): Claimed disruptions targeting Bahraini government infrastructure and published images allegedly taken from compromised surveillance camera networks.
  

Additional activity reported March 6–9 includes:

• MuddyWater (MOIS / Seedworm): Verified intrusions into US aerospace, defense, aviation, and financial networks using a newly identified backdoor known as “Dindoor.” These operations reportedly began prior to the kinetic phase of the conflict and have continued during the war.
• Telegram-Based Recruitment Networks: Iranian intelligence is reportedly using Telegram channels to recruit loosely affiliated operatives and criminal intermediaries across Europe for espionage and potential sabotage operations.
• Handala: Claimed to have wiped Israeli military weather servers and intercepted urban security feeds in Jerusalem (unverified).
• Cyber Islamic Resistance (Team 313): Claimed multiple website defacements targeting regional institutions, including Kurdish and Saudi organizations (unverified).
• NoName057(16): Continued distributed denial-of-service attacks under the #OpIsrael banner targeting Israeli political parties, telecommunications companies, and defense contractors.
  

Additional activity reported March 10 includes:

• Suspected banking-sector attacks: Multiple reports indicate that Iran’s largest banks, including Bank Melli Iran and Bank Sepah, experienced widespread service disruptions following suspected cyberattacks.
• NoName057(16): The pro-Russian group continued operations under the #OpIsrael banner, claiming distributed denial-of-service attacks targeting Israeli and Cypriot infrastructure, including Israel’s national water company Mekorot and UAV firm E.M.I.T. Aviation (unverified).
• BD Anonymous & MrSutrator Alliance: A newly formed pro-Palestinian cyber alliance announced “Operation Electronic Holocaust,” targeting Israeli defense contractor Rafael (unverified).
• DieNet: The group issued warnings of a potential large-scale cyber campaign targeting Israeli government infrastructure (unverified).

These developments indicate continued expansion of cyber activity across both offensive and retaliatory fronts, including financial infrastructure and public-facing services.

Strategic Chokepoints and Systemic Risk

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.

Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Flashpoint reporting also indicates an explicit escalation toward energy system disruption, with IRGC messaging framing a “war on energy supplies” and kinetic targeting expanding to oil and gas infrastructure. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.

Additional developments reported on March 3 indicate the IRGC has conducted strikes against multiple oil tankers operating in the Strait of Hormuz, further elevating risks to global energy transport. Iran has also declared the waterway effectively closed to most commercial shipping, introducing the possibility of sustained maritime disruption.

Infrastructure targeting has expanded to include desalination facilities and water supply systems in the Gulf. Because these plants provide essential potable water to large urban populations, attacks on desalination infrastructure represent a significant escalation that directly threatens civilian survival systems and urban stability across the region.

Global shipping disruption has also intensified. As of March 10, following continued instability and the effective closure of the Strait of Hormuz, major shipping firms including MSC have suspended exports from Gulf ports, introducing additional pressure on global logistics and energy markets.

Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.

With regional airports and Gulf maritime corridors under threat, organizations should plan for sustained degradation of commercial mobility and service availability rather than short-lived closures.

Business and Security Implications

As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.

• The US State Department issued an expanded “DEPART NOW” advisory for Americans across 16 Middle Eastern countries, reflecting elevated risk to civilian and commercial environments.
  
• US Embassy in Amman reported active “duck and cover” alarms, signaling increased threat pressure on diplomatic facilities beyond core combat zones.
  
• Reporting indicates Iranian threats now extend to US bases in Europe, expanding the geographic risk envelope.
  
• Drone attacks targeting diplomatic facilities — including the US Consulate in Dubai and attempted strikes on the US Embassy in Riyadh — indicate expanding risk to diplomatic and government installations.
  
• Precautionary evacuations have also been implemented near US embassies across several Gulf states as regional tensions and retaliatory threats continue to rise.
  

Organizations with personnel in the Gulf region and surrounding areas should:

• Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  
• Elevate security protocols at commercial offices, hotels, and logistics facilities.
  
• Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  
• Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
  

2. Supply Chain and Energy Exposure

The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points. Iranian naval forces reportedly struck multiple oil tankers transiting the Strait of Hormuz on March 3, increasing the likelihood of extended maritime disruption and global energy price volatility.

IRGC statements framing a “war on energy supplies” increase the likelihood of sustained pressure on Gulf oil and gas infrastructure. Organizations must reassess exposure not only to energy price volatility, but also to infrastructure-driven availability shocks.

Organizations should:

• Model extended disruption to Gulf maritime routes rather than short-term interruption.
  
• Identify alternative shipping corridors and overland routing options.
  
• Stress-test supplier dependencies tied to Gulf ports or energy inputs.
  
• Prepare for price volatility and delivery delays impacting downstream operations.
  

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.

Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.

Enterprises should:

• Confirm geographic redundancy for critical workloads.
  
• Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  
• Review third-party dependencies tied to regional data centers.
  
• Ensure executive teams understand potential cascading impacts from localized physical disruption.
  
• Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.
  

4. ICS / OT Environments

Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments. March 2 cyber reporting also emphasized blended risk: cyber operations paired with physical disruption, increasing the chance of cascading outages and degraded visibility during response.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

• Audit all remote access pathways and eliminate unnecessary external exposure.
  
• Enforce phishing-resistant MFA for privileged and engineering accounts.
  
• Segment industrial networks from corporate IT and public internet access.
  
• Validate incident response plans for destructive malware or system manipulation scenarios.
  
• Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is entering a more decentralized phase characterized by hybrid warfare and expanding geographic scope.

Following the formal appointment of Mojtaba Khamenei as Supreme Leader, the Iranian state is expected to maintain a hardline military posture under strong IRGC influence. With conventional military capabilities increasingly degraded, Iranian strategy may rely more heavily on asymmetric tactics, including cyber operations, proxy mobilization, and attacks against economic and civilian infrastructure.

The fatwa issued by Grand Ayatollah Sistani introduces an additional destabilizing variable, potentially mobilizing Shiite militias across Iraq and the broader region. Combined with Kurdish mobilization along Iran’s western border and Azerbaijan’s heightened military posture in the north, the conflict may increasingly involve non-state and regional actors.

At the same time, cyber operations targeting Western defense, aviation, and infrastructure networks are likely to intensify as Iranian-linked actors attempt to expand the conflict’s impact beyond the immediate battlefield.

The activation of Iran’s decentralized “Mosaic Defense” protocol further complicates potential de-escalation. Because retaliatory authority is distributed across regional commanders, localized strike cycles may continue even if diplomatic negotiations emerge at higher political levels. This structure increases the likelihood of continued intermittent attacks across multiple theaters even as international pressure for conflict termination grows.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

• AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
• 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
• From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
• Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

1. A Clear Understanding of the New Convergence Between Identity and AI
   Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
   
2. Intelligence on the “Franchise Model” of Global Extortion
   Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
   
3. A Blueprint for Proactive Defense and Risk Mitigation
   Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

“2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.”

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Blogs

Blog

What to Know About the Notepad++ Supply-Chain Attack

In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.

The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”

Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.

Understanding the Notepad++ Vulnerability (CVE-2025-15556)

The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.

By exploiting this lack of verification, threat actors are able to:

• Intercept legitimate update requests originating from WinGUp servers
• Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
• Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches

Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.

How CVE-2025-15556 Works

The state-sponsored Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.

Phase	Timeline (2025)	Execution Method	Payload
Chain #1	July – August	1MB NSIS installer (update.exe)	Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe.
Chain #2	September	140KB NSIS installer (update.exe)	Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon.
Chain #3	October	Backdoor Deployment	Dropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor.

Mapping CVE-2025-15556 to MITRE ATT&CK

Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:

Execution

Technique Title	ID	Recommendations
User Execution: Malicious File	T1204.002	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention M1017: User Training
Native API	T1106	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention
Command and Scripting Interpreter: Windows Command Shell	T1059.003	M1038: Execution Prevention

Persistence

Technique Title	ID	Recommendations
Hijack Execution Flow: DLL	T1574.002	M1013: Application Developer Guidance M1047: Audit M1038: Execution Prevention M1044: Restrict Library Loading M1051: Update Software
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	T1547.001	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Create or Modify System Process: Windows Service	T1543.003	M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1028: Operating System Configuration M1018: User Account Management

Defense Evasion

Technique Title	ID	Recommendations
Masquerading	T1036	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1038: Execution Prevention M1022: Restrict File and Directory Permissions M1018: User Account Management M1017: User Training
Obfuscated Files or Information	T1027	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1017: User Training
Obfuscated Files or Information: Dynamic API Resolution	T1027.007	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Deobfuscate/Decode Files or Information	T1140	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Process Injection	T1055	M1040: Behavior Prevention on Endpoint M1026: Privileged Account Management
Reflective Code Loading	T1620	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Execution Guardrails: Mutual Exclusion	T1480.002	M1055: Do Not Mitigate
Indicator Removal: File Deletion	T1070.004	*MITRE currently does not list any mitigation guidance to combat this attack technique.

Discovery

Technique Title	ID	Recommendations
File and Directory Discovery	T1083	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Ingress Tool Transfer	T1105	M1031: Network Intrusion Prevention

Collection

Technique Title	ID	Recommendations
Data from Local System	T1005	M1057: Data Loss Prevention

Command and Control

Technique Title	ID	Recommendations
Application Layer Protocol: Web Protocols	T1071.001	M1031: Network Intrusion Prevention
Encrypted Channel	T1573	M1031: Network Intrusion Prevention M1020: SSL/TLS Inspection

Exfiltration

Technique Title	ID	Recommendations
Exfiltration Over C2 Channel	T1041	M1057: Data Loss Prevention M1031: Network Intrusion Prevention

Protecting Against CVE-2025-15556

Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:

1. Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
2. Audit System Paths: Scan for malicious file paths used for persistence.
3. Network Defense: Monitor and block traffic to malicious domains.
4. Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.

Outpace Threat Actors Using Flashpoint

Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.

Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.

Begin your free trial today.

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

• Hex-encoded encrypted strings
• Base64-encoded keys
• Seed calculation through a custom algorithm
• Resetting the VB pseudo-random number generator to a known state
• Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

• Outlook
• eM Client
• FoxMail
• Thunderbird
• 163Mail
• MailMaster

File transfer applications:

• FileZilla
• WinSCP
• CoreFTP

Browsers:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Brave
• Opera
• Yandex
• Vivaldi
• (and many additional Chromium- and Firefox-based browsers)

Other applications:

• Pidgin
• NordVPN

When extracting browser data, DarkCloud steals:

• Login credentials
• Cookies
• Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

• SMTP
• FTP
• Telegram
• HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

• Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
• Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
• Audit credential reuse across browser and email applications
• Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.

Blogs

Blog

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

The threat intelligence landscape is often dominated with talks of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still managed by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”,  Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study where an attacker’s digital breadcrumbs led to a life-saving intervention. 

Here is how OSINT techniques, leveraged by Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

• Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
• Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
• Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of Osint Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall in, we know exactly where to look for their mistakes.

Assumption	The Mindset Trap	The Investigative Reality
Insignificant	“I’m not a high-value target; no one is looking for me.”	Automated Aggression: Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
Invisible	“I don’t have a LinkedIn or X account, so I don’t have a footprint.”	Shadow Data: Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
Invincible	“I have 2FA and complex passwords; I’m unhackable.”	Session Hijacking: Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.

Request a demo today.

Blogs

Blog

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the “turn-key” weapon of choice for modern threat actors.

The race between defenders and threat actors has entered a new, more volatile phase: the rapidly accelerating exploitation of N-day vulnerabilities. Different from zero-days, N-day vulnerabilities are known security flaws that have been publicly disclosed but remain unpatched or unmitigated on an organization’s systems.

Historically, enterprises operated under the assumption of a “patching grace period,” the designated window of time allowed for a vendor to test and deploy a fix before a system is considered non-compliant or at high risk. However, this window is effectively collapsing, with Flashpoint finding that N-days now represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

The Collapse of the Time to Exploit (TTE) Window

The most sobering trend for security operations (SecOps) and exposure management teams is the dramatic reduction in Time to Exploit (TTE). In 2020, the average TTE, the time between a vulnerability’s disclosure and its first observed exploitation, was 745 days. By 2025, Flashpoint found that this window has now plummeted to an average of just 44 days.

	2025	2024	2023	2022	2021	2020
Average TTE	44	115	296	405	518	745

This contraction represents a strategic shift in adversary tempo. Attackers are no longer waiting for complex, bespoke exploits; they are moving at breakneck speeds to weaponize public disclosures.

N-Days Provide a “Turn-Key” Exploit Advantage

Adversaries have gained a significant advantage through the rapid weaponization of researcher-published Proof-of-Concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a “turn-key” solution for attackers. By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.

A prime example of this path of least resistance approach was observed in the leaked internal chat logs of the BlackBasta ransomware group. Analysis revealed that of the 65 CVEs discussed by the group, 54 were already known KEVs. Rather than spending resources on original zero-day research, threat actors are simply leveraging known, yet unpatched and exploitable vulnerabilities for their campaigns.

Defensive Software is a Primary Target for N-Days

The very software designed to protect enterprise firewalls, VPN gateways, and edge networking devices is consistently the most targeted category for both N-day and zero-day exploitation.

Because cybersecurity devices must be internet-facing to function, they provide a constant, unauthenticated attack surface. In 2025 alone, Flashpoint observed 37 N-days and 52 zero-days specifically targeting security and perimeter software. The requirement for these systems to remain open to external traffic means they will continue to be disproportionately targeted by advanced persistent threat (APT) groups and cybercriminals alike.

Attributing N-Day Attacks

While tracking the “how” of an attack is critical, tracking who is responsible remains a fragmented challenge for the industry. Attribution is often hampered by naming fatigue, where different vendors assign their own designated unique monikers to the same actor. For instance, the widely known threat actor group Lazarus has over 40 distinct designations across the industry, including “Diamond Sleet,” “NICKEL ACADEMY,” and “Guardians of Peace”.

Despite these naming complexities, global activity patterns remain clear. China remains the most active nation-state actor in the vulnerability exploitation space, consistently outpacing Russia, Iran, and North Korea in both the volume and scope of their campaigns.

Obstacles for Enterprise Security: Asset Blindness and the CVE Dependency Trap

Why are organizations struggling to keep pace? The primary factor isn’t a lack of effort, but a lack of visibility.

1. The Asset Inventory Gap

The single greatest breakthrough an enterprise can achieve is not a new AI tool, but a complete asset inventory. Most large organizations are lucky to have an accurate inventory of even 25% of their total assets. Without knowing what you own, vulnerability scans can take days or weeks to return results that the adversary is already using to probe your network.

2. The CVE Blindspot

Most traditional security tools are CVE-dependent. However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID. These “missing” vulnerabilities represent a massive blindspot for standard scanners. Intelligence-led exposure management requires looking beyond the CVE ecosystem into proprietary databases like Flashpoint’s VulnDB, which tracks over 105,000 vulnerabilities that public sources miss.

Move Towards Intelligence-Led Exposure Management Using Flashpoint

To survive in an era where weaponization can happen in under 24 hours, organizations must shift from reactive patching to a threat-informed and proactive security approach. This means:

• Prioritizing by Exploitability and Threat Actor Activity: Focus on vulnerabilities that are remotely exploitable and have known public exploits, rather than just high CVSS scores.
• Adopting an Asset-Inventory Approach: Moving away from slow, periodic scans in favor of continuous asset mapping that allows for immediate triage.
• Operationalizing Intelligence: Embedding real-time threat data directly into SOC and IR workflows to reduce the “mean time to action”.

The goal of exposure management is to look at your organization through the adversary’s lens. By understanding which N-days threat actors are actually discussing and weaponizing in the wild, defenders can finally start to close the window of exposure before a potential compromise can occur.

Flashpoint’s vulnerability threat intelligence can help your organization go from reactive to proactive. Request a demo today and gain access to quality vulnerability intelligence that enables intelligence-led exposure management.

Request a demo today.

Blogs

Blog

Cyber and Physical Risks Targeting the 2026 Winter Olympics

In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.

The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.

Kinetic and Physical Security Challenges

The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.

Terrorist and Extremist Threats

Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.

Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.

Protests

Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:

• US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
• Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
• Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
• Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.
  

On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.

Cyber Threats Facing the 2026 Winter Olympics

The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.

Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4. 

Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.

Staying Safe at the 2026 Winter Games

The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.

To stay safe at this year’s Games, participants should:

1. Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
2. Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
3. Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
4. Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
5. Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.

Stay Safe Using Flashpoint

While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.

To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

Flashpoint’s Threat Intelligence Capability Assessment

In this post we introduce a new free assessment designed to pinpoint intelligence gaps, top strategic priorities for progress, and prioritized practical actions to drive real impact.

Many organizations today have some form of threat intelligence. Far fewer have a threat intelligence function that is structured, measurable, and trusted across the business. Experienced security professionals know that volume does not equal value—having more feeds, more alerts, or more dashboards doesn’t automatically translate into better intelligence. In reality, teams need clear visibility into the source of their intelligence data, how it aligns to their most important risks, and whether it’s actually influencing decisions.

Without this baseline, organizations struggle to answer fundamental questions: 

• Are we collecting intelligence that reflects our real risk exposure?
• Are we missing upstream threats—or over-prioritizing noise?
• Is our intelligence tailored to our environment, or largely generic?
• Is it reaching the right teams at the right moment to drive action?

These blind spots create friction across security operations—and make it difficult to improve with confidence.

How is Your Intelligence Working Across Your Environment?

That’s why Flashpoint created the Threat Intelligence Capability Assessment out of a simple observation: the most successful intelligence functions aren’t defined by the size of their budget or the number of feeds they ingest. They are defined by how intelligence flows across the full threat intelligence lifecycle:

1. Requirements & Tasking: How clear are your intelligence priorities, and how directly are they tied to real business risk?
2. Collection & Discovery: Is your visibility broad, deep, and flexible enough to keep pace with changing threats?
3. Analysis & Prioritization: How effectively are signals, context, and impact being connected to inform decisions?
4. Dissemination & Action: Is intelligence reaching the teams and leaders who need it, when they need it?
5. Feedback & Retasking: How consistently are priorities reviewed, refined, and adjusted based on outcomes?

By examining each stage independently, our assessment reveals where intelligence accelerates decisions and where it quietly breaks down.

Why This Assessment is Different

Most maturity assessments focus on inputs: tooling, headcount, or abstract maturity labels.

Flashpoint’s Threat Intelligence Capability Assessment takes a different approach. It evaluates how intelligence actually functions across the full intelligence lifecycle— from requirements and tasking through feedback and retasking—and what that means in practice for day-to-day operations.

Rather than stopping at a score, the assessment helps organizations:

1. Understand what their stage means in real operational terms
2. Identify constraints and patterns that may be limiting impact
3. Focus on top strategic priorities for progress
4. Take immediate, practical actions to strengthen intelligence workflows
5. Apply a 90-day planning framework to turn insight into execution

Critically, The Threat Intelligence Capability Assessment is grounded in operational reality, not vendor theory, and is designed to be applied by function, recognizing that intelligence maturity is rarely uniform across an organization.

“As cyber threats grow in scale, complexity, and impact, organizations need a clear understanding of how effectively intelligence supports their ability to detect high-priority risks and respond with speed. This assessment helps teams move beyond a score to understand what’s holding them back, where to focus next, and how to turn intelligence into action.”

Josh Lefkowitz, CEO and co-founder of Flashpoint

Where Do You Stand?

This assessment isn’t about simply measuring where you are today—it’s about identifying holding you back, and where targeted improvements can deliver the greatest return.  

After taking Flashpoint’s quick 5 minute assessment, security leaders can evaluate each component of their intelligence program—such as SOCs (Security Operations Center), vulnerability teams, fraud teams, and physical security—and benchmark them to surface potential gaps and needed improvements.
Whether your program is at the developing, maturing, advanced, or leader stage, the goal is the same: to move from intelligence as a supporting activity to intelligence as a driver of proactive operations.

• Developing: The early stages of building a dedicated intelligence function. Work is largely reactive—driven primarily by escalations or stakeholder questions—and may be reliant on open sources, vendor feeds, internal alerts, or ad-hoc investigations.
• Maturing: Processes have moved beyond reactive workflows and are beginning to operate with a consistent structure. There are documented priority intelligence requirements and teams are intentionally building depth across sources, workflows, and reporting.
• Advanced: In this stage, intelligence functions shape how your organization understands, prioritizes, and responds to threats. Requirements are well-defined, visibility spans multiple layers of the threat ecosystem, and analysts apply structured tradecraft that produces actionable intelligence.
• Leader: Intelligence functions are a core component of organizational risk strategy. Outputs are trusted and used across the business to inform high-stakes decisions, shape long-range planning, and provide early warning across cyber, fraud, physical, brand, and geopolitical domains.

A Practical Roadmap, Not a Judgment

No matter which stage you are currently in, advancing an intelligence function requires deeper visibility into relevant ecosystems, stronger analytic rigor, and the ability to act on intelligence at the moment it matters. To move the needle, organizations need clear requirements, direct visibility into where threats originate, structured tradecraft, and intelligence that drives decisions.

Flashpoint helps teams accelerate progress with the data, expertise, and workflows that strengthen intelligence programs at every stage—without requiring a new operational model. Take the assessment now to see where your intelligence program stands. Or, learn more about how Flashpoint helps intelligence teams progress faster, reduce fragmentation, and sustain momentum toward intelligence-led operations, delivered through the Flashpoint Ignite Platform.

Request a demo today.

Blogs

Blog

Protecting the Big Game: A Threat Assessment for Super Bowl LX

This threat assessment analyzes potential physical and cyber threats to Super Bowl LX.

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.

Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.

Online Sentiment

Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.

Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.

Potential Physical Threats

Protests and Boycotts

Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.

In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.

Terrorist and Extremist Threats

Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.

Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.

Mitigation Strategies and Executive Protection

Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.

Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.

The nearest medical facilities are:

• O’Connor Hospital (Santa Clara Valley Healthcare)
  
• Kaiser Permanente Santa Clara Medical Center
  
• Santa Clara Valley Medical Center
  
• Valley Health Center Sunnyvale

Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.

The primary law enforcement facility near the venue is:

• Santa Clara Police Department

As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.

Stay Safe Using Flashpoint

Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and commercialized hacker-for-hire industry.

For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

Understanding the Walled Garden: The Shift from Disclosure to Nationalization

The “Walled Garden” is a direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). While the gradual walling off of China’s data is the cumulative result of years of implementing regulatory and policy strategies, the 2021 RMSV marks a critical turning point that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community. 

For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

The Indigenous Kill Chain: Reconnaissance Beyond Shodan

Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

• FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
• Zoomai: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
• 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

Building a State-Aligned Offensive Stack

Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

In the webinar, our analysts explain purpose-built cyber weapons designed to hunt VMware vCenter servers that support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion)—a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.

How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

Watch the on-demand webinar to learn more, or request a demo today.

Request a demo today.

Blogs

Blog

The Five Phases of the Threat Intelligence Lifecycle: A Strategic Guide

The threat intelligence lifecycle is a fundamental framework for all fraud, physical, and cybersecurity programs. It is useful whether a program is mature and sophisticated or just starting out.

What is the Core Purpose of the Threat Intelligence Lifecycle?

The threat intelligence lifecycle is a foundational framework for all fraud, physical security, and cybersecurity programs at every stage of maturity. It provides a structured way to understand how intelligence is defined, built, and applied to support real-world decisions.

At a high level, the lifecycle outlines how organizations move from questions to insight to action. Rather than focusing on tools or outputs alone, it emphasizes the practices required to produce intelligence that is relevant, timely, and trusted. This iterative, adaptable methodology consists of five stages that guide how intelligence requirements are set, how information is collected and analyzed, how insight reaches decision-makers, and how priorities are continuously refined based on feedback and changing risk conditions.

The Five Phases of the Threat Intelligence Lifecycle

Key Objectives at Each Phase of the Threat Intelligence Lifecycle

PHASE 1: Requirements & Tasking

The first phase of the threat intelligence lifecycle is arguably the most important because it defines the purpose and direction of every activity that follows. This phase focuses on clearly articulating what intelligence needs to answer and why.

As an initial step, organizations should define their intelligence requirements, often referred to as Priority Intelligence Requirements (PIRs). In public sector contexts, these may also be called Essential Elements of Information (EEIs). Regardless of terminology, the goal is the same: establish clear, stakeholder-driven questions that intelligence is expected to support.

Effective requirements are tied directly to business risk and operational outcomes. They should reflect what the organization is trying to protect, the threats of greatest concern, and the decisions intelligence is meant to inform, such as reducing operational risk, improving efficiency, or accelerating detection and response.

This process often resembles building a business case, and that’s intentional. Clearly defined requirements make it easier to align intelligence efforts with organizational priorities, establish meaningful key performance indicators (KPIs), and demonstrate the value of intelligence over time.

In many organizations, senior leadership, such as the Chief Information Security Officer (CISO or CSO), plays a key role in shaping requirements by identifying critical assets, defining risk tolerance, and setting expectations for how intelligence should support decision-making.

Key Considerations in Phase 1

PHASE 2: Collection & Discovery

The Collection & Discovery phase focuses on building visibility into the threat environments most relevant to your organization. Both the breadth and depth of collection matter. Too little visibility creates blind spots; too much unfocused data overwhelms teams with noise and false positives.

At this stage, organizations determine where and how intelligence is collected, including the types of sources monitored and the mechanisms used to adapt coverage as threats evolve. This can include visibility into phishing activity, compromised credentials, vulnerabilities and exploits, malware tooling, fraud schemes, and other adversary behaviors across open, deep, and closed environments.

Effective programs increasingly rely on Primary Source Collection, or the ability to collect intelligence directly from original sources based on defined requirements, rather than consuming static, vendor-defined feeds. This approach enables teams to monitor the environments where threats originate, coordinate, and evolve—and to adjust collection dynamically as priorities shift.

Discovery extends collection beyond static source lists. Rather than relying solely on predefined feeds, effective programs continuously identify new sources, communities, and channels as threat actors shift tactics, platforms, and coordination methods. This adaptability is critical for surfacing early indicators and upstream activity before threats materialize internally.

The processing component of this phase ensures collected data is usable. Raw inputs are normalized, structured, translated, deduplicated, and enriched so analysts can quickly assess relevance and move into analysis. Common processing activities include language translation, metadata extraction, entity normalization, and reduction of low-signal content.

Key Considerations in Phase 2

PHASE 3: Analysis & Prioritization

The Analysis & Prioritization phase focuses on transforming processed data into meaningful intelligence that supports real decisions. This is where analysts connect signals across sources, enrich raw findings with context, assess credibility and relevance, and determine why a threat matters to the organization.

Effective analysis evaluates activity, likelihood, impact, and business relevance. Analysts correlate threat actor behavior, infrastructure, vulnerabilities, and targeting patterns to understand exposure and prioritize response. This step is critical for moving from information awareness to actionable insight.

As artificial intelligence and machine learning continue to mature, they increasingly support this phase by accelerating enrichment, correlation, translation, and pattern recognition across large datasets. When applied thoughtfully, AI helps analysts scale their work and improve consistency, while human expertise remains essential for judgment, context, and prioritization especially for high-risk or ambiguous threats.

This phase delivers clarity and a defensible view of what requires attention first and why.

Key Considerations in Phase 3

PHASE 4: Dissemination & Action

Once analysis and prioritization are complete, intelligence must be delivered in a way that enables action. The Dissemination & Action phase focuses on translating finished intelligence into formats that are clear, relevant, and aligned to how different stakeholders make decisions.

This phase is dedicated to ensuring the right information reaches the right teams at the right time. Effective dissemination considers audience, urgency, and operational context, whether intelligence is supporting detection engineering, incident response, fraud prevention, vulnerability remediation, or executive decision-making.

Finished intelligence should include clear assessments, confidence levels, and recommended actions. These recommendations may inform incident response playbooks, ransomware mitigation steps, patch prioritization, fraud controls, or monitoring adjustments. The goal is to remove ambiguity and enable stakeholders to act decisively.

Ultimately, intelligence only delivers value when it drives outcomes. In this phase, stakeholders evaluate the intelligence provided and determine whether, and how, to act on it.

Key Considerations in Phase 4

PHASE 5: Feedback & Retasking

The Feedback & Retasking phase closes the intelligence lifecycle loop by ensuring intelligence remains aligned to real-world needs as threats, priorities, and business conditions change. Rather than treating intelligence delivery as an endpoint, this phase focuses on evaluating impact and continuously refining what the intelligence function is working on and why.

Once intelligence has been acted on, stakeholders assess whether it was timely, relevant, and actionable. Their feedback informs updates to requirements, collection priorities, analytic focus, and delivery methods. Mature programs use this input to adjust tasking in near real time, ensuring intelligence efforts remain focused on the threats that matter most.

Improvements at this stage often center on shortening retasking cycles, reducing low-value outputs, and strengthening alignment between intelligence producers and decision-makers. Over time, this creates a more adaptive and responsive intelligence function that evolves alongside the threat landscape.

Key Considerations in Phase 5 

Assessing Your Threat Intelligence Lifecycle in Practice

Understanding the threat intelligence lifecycle is one thing. Knowing how effectively it operates inside your organization today is another.

Most teams don’t struggle because they lack intelligence activities; they struggle because those activities aren’t consistently aligned, operationalized, or adapted as needs change. Requirements may be defined in one area, while collection, analysis, and dissemination evolve unevenly across teams like CTI, vulnerability management, fraud, or physical security.

To help organizations move from conceptual understanding to practical evaluation, Flashpoint developed the Threat Intelligence Capability Assessment.

The assessment maps directly to the lifecycle outlined above, evaluating how intelligence functions across five core dimensions:

• Requirements & Tasking – How clearly intelligence priorities are defined and tied to real business risk
• Collection & Discovery – Whether visibility is broad, deep, and adaptable as threats evolve
• Analysis & Prioritization – How effectively analysts connect signals, context, and impact
• Dissemination & Action – How intelligence reaches operations and decision-makers
• Feedback & Retasking – How frequently priorities are reviewed and adjusted

Based on responses, organizations are mapped to one of four stages—Developing, Maturing, Advanced, or Leader—reflecting how intelligence actually flows across the lifecycle today.

Teams can apply insights by function or workflow, using the results to identify where intelligence is working well, where friction exists, and where targeted changes will have the greatest impact. Each participant also receives a companion guide with practical guidance, including strategic priorities, immediate actions, and a 90-day planning framework to help translate lifecycle insight into execution.

Take the Threat Intelligence Capability Assessment to evaluate how your program aligns to the lifecycle and where to focus next.

See Flashpoint in Action

Flashpoint’s comprehensive threat intelligence platform supports intelligence teams across every phase of the threat intelligence lifecycle, from defining clear requirements and expanding visibility into relevant threat ecosystems, to analysis, prioritization, dissemination, and continuous retasking as conditions change.

Schedule a demo to see how Flashpoint delivers actionable intelligence, analyst expertise, and workflow-ready outputs that help teams identify, prioritize, and respond to threats with greater clarity and confidence—so intelligence doesn’t just inform awareness, but drives timely, measurable action across the organization.

Frequently Asked Questions (FAQs)

What are the five phases of the threat intelligence lifecycle?

The threat intelligence lifecycle consists of five repeatable phases that describe how intelligence moves from intent to action:

Requirements & Tasking, Collection & Discovery, Analysis & Prioritization, Dissemination & Action, and Feedback & Retasking.

Together, these phases ensure that intelligence is driven by real business needs, grounded in relevant visibility, enriched with context, delivered to decision-makers, and continuously refined as threats and priorities change.

Phase	Primary Objective
Requirements & Tasking	Defining intelligence priorities and tying them to real business risk
Collection & Discovery	Gathering data from relevant sources and expanding visibility as threats evolve
Analysis & Prioritization	Connecting signals, context, and impact to determine what matters most
Dissemination & Action	Delivering intelligence to operations and decision-makers in usable formats
Feedback & Retasking	Reviewing outcomes and adjusting priorities, sources, and focus over time

How do intelligence requirements guide security operations?

Intelligence requirements—often formalized as Priority Intelligence Requirements (PIRs)—define the specific questions intelligence teams must answer to support the business. They provide the north star for what to collect, analyze, and report on.

Clear requirements help teams:

• Focus: Reduce noise by prioritizing intelligence aligned to real risk
• Measure: Track whether intelligence outputs are driving decisions or action
• Align: Ensure security, fraud, physical security, and risk teams are working toward shared outcomes
  

Without clear requirements, intelligence efforts often default to reactive collection and generic reporting that struggle to deliver impact.

Why is the feedback phase of the intelligence lifecycle necessary for a proactive defense?

Feedback & Retasking turns the intelligence lifecycle from a linear process into a continuous improvement loop. It ensures intelligence stays aligned with changing threats, business priorities, and operational needs.

Through regular review and stakeholder input, teams can:

• Identify which intelligence outputs led to action and which did not
  
• Retire low-value sources or reporting formats
  
• Adjust requirements, collection, and analysis as new threats emerge

This phase is essential for moving from static reporting to intelligence-led operations, where priorities evolve in near real time and intelligence continuously improves its relevance and impact.

Blogs

Blog

The Top Threat Actor Groups Targeting the Financial Sector

In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

Why Finance?

The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

The Threat Actors Targeting the Financial Sector

To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

RansomHub

Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

Akira

Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

LockBit Ransomware

A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

FIN7

This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

Scattering Spider

Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

Lazarus Group

This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

Top Attack Vectors Facing the Financial Sector

Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

Third-Party Compromise

Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

Initial Access Brokers (IABs)

Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

Insider Threat

Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

Deepfake and Impersonation

The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

Defend Against Financial Threats Using Flashpoint

The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

Request a demo today.

Blogs

Blog

Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

In this post, we break down the 91,321 instances of insider activity observed by Flashpoint in 2025, examine the top five cases that defined the year, and provide the technical and behavioral red flags your team needs to monitor in 2026.

Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

An insider threat, any individual with authorized access, possesses the unique ability to bypass traditional security gates. Whether driven by financial gain, ideological grievances, or simple human error, insiders can potentially compromise a system with a single keystroke. To protect our customers from this internal risk, Flashpoint monitors the illicit forums and marketplaces where these threats are being solicited. 

In this post, we unpack the evolving insider threat landscape and what it means for your security strategy in 2026. By analyzing the volume of recruitment activity and the specific industries being targeted, organizations can move from a reactive posture to a proactive defense.

By the Numbers: Mapping the 2025 Insider Threat Landscape

Last year, Flashpoint collected and researched:

• 91,321 posts of insider solicitation and service advertising
• 10,475 channels containing insider-related illicit activity
• 17,612 total authors

On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

Insider Threat Landscape by Industry

The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique where threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. This allows the threat actor to receive all the victim’s calls and texts, allowing them to bypass SMS-based two-factor authentication.

Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

Top Industries for Insiders Advertising Services (Supply):

1. Telecom
2. Financial
3. Retail
4. Technology

Top Industries for Threat Actors Soliciting Access (Demand):

1. Technology
2. Financial
3. Telecom
4. Retail

6 Notable Insider Threat Cases of 2025

The following cases highlight the variety of ways insiders impacted enterprise systems this year, ranging from intentional fraud to massive technical oversights.

Type of Incident	Description
Malicious	Approximately nine employees accessed the personal information of over 94,000 individuals, making illegal purchases using changed food stamp cards.
Nonmalicious	An unprotected database belonging to a Chinese IoT firm leaked 2.7 billion records, exposing 1.17 TB of sensitive data and plaintext passwords.
Malicious	An insider at a well-known cybersecurity organization was terminated after sharing screenshots of internal dashboards with the Scattered Lapsus$ Hunters threat actor group.
Malicious	An employee working for a foreign military contractor was bribed to pass confidential information to threat actors.
Malicious	A third-party contractor for a cryptocurrency firm sold customer data to threat actors and recruited colleagues into the scheme, leading to the termination of 300 employees and the compromise of 69,000 customers.
Malicious	Two contractors accessed and deleted sensitive documents and dozens of databases belonging to the Internal Revenue Service and US General Services Administration.

Catching the Warning Signs Early

Potential insiders often display technical and nontechnical behavior before initiating illicit activity. Although these actions may not directly implicate an employee, they can be monitored, which may lead to inquiries or additional investigations to better understand whether the employee poses an elevated risk to the organization.

Flashpoint has identified the following nontechnical warning signs associated with insiders:

• Behavioral indicators: Observable actions that deviate from a known baseline of behaviors. These can be observed by coworkers or management or through technical indicators. Behavioral indicators can include increasingly impulsive or erratic behavior, noncompliance with rules and policies, social withdrawal, and communications with competitors.
• Financial changes: Significant and overlapping changes in financial standing—such as significant debt, financial troubles, or sudden unexplained financial gain—could indicate a potential insider threat. In the case of financial distress, an employee can sell their services to other threat actors via forums or chat services, thus creating additional funding streams while seeming benign within their organization.
• Abnormal access behavior: Resistance to oversight, unjustified requests for sensitive information beyond the employee’s role, or the employee being overprotective of their access privileges might indicate malicious intent.
• Separation on bad terms: Employees who leave an organization under unfavorable circumstances pose an increased insider threat risk, as they might want to seek revenge by exploiting whatever access they had or might still possess after leaving.
• Odd working hours: Actors may leverage atypical after-hours work to pursue insider threat activity, as there is less monitoring. By sticking to an atypical schedule, threat actors maintain a cover of standard work activity while pursuing illicit activity simultaneously.
• Unusual overseas travel: Unusual and undocumented overseas travel may indicate an employee’s potential recruitment by a foreign state or state-sponsored actor. Travel might be initiated to establish contact and pass sensitive information while avoiding raising suspicions in the recruit’s home country.

The following are technical warning signs:

• Unauthorized devices: Employees using unauthorized devices for work pose an insider threat, whether they have malicious intent or are simply putting themselves at higher risk of human error. Devices that are not controlled and monitored by the organization fall outside of its scope of operational security, while still carrying all of the sensitive data and configuration of the organization.
• Abnormal network traffic: An unusual increase in network traffic or unexplained traffic patterns associated with the employee’s device that differ from their normal network activity could indicate malicious intent. This includes network traffic employing unusual protocols, using uncommon ports, or an overall increase in after-hours network activity.
• Irregular access pattern: Employees accessing data outside the scope of their job function may be testing and mapping the limits of their access privileges to restricted areas of information as they evaluate their exfiltration capabilities for their planned illicit actions.
• Irregular or mass data download: Unexpected changes in an employee’s data handling practices, such as irregular large-scale downloads, unusual data encryption, or uncharacteristic or unauthorized data destinations, are significant indicators of an insider threat.

Insider Threats: What to Expect in 2026

As 2026 unfolds, insider threat actors will continue to be a major threat to organizations. Ransomware groups and initial access threat actors will continue recruiting interested insiders and exploiting human vulnerabilities through social engineering tactics. Following Telegram’s recent bans on many illicit groups and channels, Flashpoint assesses that threat actors are likely to migrate to different platforms, such as Signal, where encrypted chats make their activity harder to monitor.

As AI technologies continue to advance, organizations will be better equipped to identify and mitigate insider risks. At the same time, threat actors will likely increasingly abuse AI and other tools to access sensitive information. 
Is your organization equipped to spot the warning signs? Request a demo to learn more and to mitigate potential risk from within your organization.

Request a demo today.

Blogs

Blog

Why Effective CTEM Must be an Intelligence-Led Program

Continuous Threat Exposure Management (CTEM) is a continuous program and operational framework, not a single pre-boxed platform. Flashpoint believes that effective CTEM must be intelligence-led, using curated threat intelligence as the operational core to prioritize risk and turn exposure data into defensible decisions.

Continuous Threat Exposure Management (CTEM) is Not a Product

Since Gartner’s introduction of CTEM as a framework in 2022, cybersecurity vendors have engaged in a rapid “productization” race. This has led to inconsistent market definitions, with a variety of vendors from vulnerability scanners to Attack Surface Management (ASM) providers now claiming to be an “exposure management” solution.

The current approach to productizing CTEM is flawed. There is no such thing as a single “exposure management platform.” The enterprise reality is that most enterprises buy three or more products just to approximate what CTEM promises in theory. Even with these technologies, organizations still require heavy lifting with people, process, and custom integrations to actually make it work.

The Exposure Stack: When One Platform Becomes Three (or More)

A functional CTEM approach typically requires multiple platforms or tools, including: 

• Continuous Penetration/Exploitation Testing & Attack Path Analysis for continuous pentesting, attack path validation, and hands-on exposure validation.
• Vulnerability and Exposure Management for vulnerability scanning, exposure scoring, and asset risk views.
• Intelligence for deep, curated vulnerability, compromised credentials, card fraud, and other forms of intelligence that goes far beyond the scope of technology-based “management platforms”.

In some cases, organizations may also use an ASM vendor for shadow IT discovery, a CMDB for asset context, and ticketing integrations to drive remediation. This multi-platform model is the rule, not the exception. And that raises a hard truth: if you need three or more products, plus a dedicated team to implement CTEM, you need an intelligence-led CTEM program.

CTEM is an Operational Discipline, Not a Single Product

The narrative that CTEM can be packaged into a single product breaks down for three critical reasons:

1. CTEM is a Program, Not a Platform

You cannot buy a capability that requires full-stack asset visibility, contextualized threat actor data, real-world validation, and remediation orchestration from one tool. Each component spans a different domain of expertise and data. A vulnerability scanner, alone, cannot validate exploitability, a pentest service has a tough time scaling to daily monitoring, and generic threat intelligence feeds cannot provide critical business context.

However, CTEM requires orchestration of all these components in one operational loop. No single product delivers this comprehensively out of the box; this is why CTEM must be viewed as a continuous program, not a one-size-fits-all product.

2. Human Expertise is Irreplaceable

Vendors often advertise automation, however, key intelligence functions are still powered by and reliant on human analysis. Even with best-in-class AI tools in place, security teams are depending on human insights for:

• Triaging noisy CVE lists
• Cross-referencing exposure data with asset inventories
• Manually validating if risks are real
• Prioritizing based on threat intelligence and internal context
• Writing custom logic and integrations to bridge platforms together

In other words, exposure management today still relies on human insights and expertise. So while vendors advertise “automation and intelligence,” what they’re really delivering is a starting point. Ultimately, AI is a force multiplier for threat analysts, not a replacement.

3. Risk Without Intelligence Is Just Data

Most platforms treat exposure like a math problem. But real risk isn’t just CVSS (Common Vulnerability Scoring System) scores or asset counts, it requires answering critical, intelligence-based questions:

1. How likely is this vulnerability to be exploited, and what’s the impact if it is?
2. How likely is this misconfiguration to be exploited, and what is its impact?
3. How likely is this compromised credential to be used by a threat actor, and what is the potential impact?

These answers require intelligence, not just data. Best-in-class intelligence provides security teams with confirmed exploit activity in the wild, context around attacker usage in APT (Advanced Persistent Threat) campaigns, and detailed metadata for prioritization where CVSS fails. That is why Flashpoint intelligence is leveraged by over 800 organizations as the operational core of exposure management, turning exposure data into defensible decisions.

CTEM Productization vs. CTEM Reality

If your risk strategy requires continuous penetration and exploit testing, vulnerability management, threat intelligence, and manual prioritization and validation, you’re not buying CTEM; you’re building it. At Flashpoint, we’re helping organizations build CTEM the right way: driven by intelligence, and powered by integrations and AI.

The Intelligence-Led Future of Exposure Management

Flashpoint treats CTEM for what it really is, as a program that must be constructed intelligently, iteratively, and contextually.

That means:

• Using threat and vulnerability intelligence to drive what actually gets prioritized
• Treating scanners, ASM platforms, and pentesting as inputs, not outcomes
• Building processes where intelligence, context, and validation inform exposure decisions, not just ticket creation
• Investing in platform interconnectivity, not just feature checklists

Using Flashpoint’s intelligence collections, organizations can achieve intelligence-led exposure management, with threat and vulnerability intelligence working together to provide context and actionable insights in a continuous, prioritized loop. This empowers security teams to build and scale their own CTEM programs, which is the only realistic approach in a cybersecurity landscape where no single platform can do it all.

Achieve Elite Operation Control Over Your CTEM Program Using Flashpoint

If you’re evaluating exposure management tools, ask yourself:

• What happens when we find a critical vulnerability and how do we know it matters?
• Can this platform correlate attacker behavior with our asset landscape?
• Does it validate risk or just report it?
• How many other tools will we need to buy just to complete the picture?

The answers may surprise you. At Flashpoint, we’re helping organizations build CTEM the right way, driven by intelligence, powered by integration, and grounded in reality. Request a demo today and see how best-in-class intelligence is the key to achieving an effective CTEM program.

Request a demo today.

Blogs

Blog

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups

Ukrainian national indicted and rewards announced for co-conspirators relating to destructive cyberattacks worldwide.

Begin your free trial today.

Blogs

Blog

Flashpoint Weekly Vulnerability Insights and Prioritization Report

Week of December 20 – December 26, 2025

Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

Flashpoint’s VulnDB documents over 400,000 vulnerabilities and has over 6,000 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.

Key Vulnerabilities:
Week of December 20 – December 26, 2025

Foundational Prioritization

Of the vulnerabilities Flashpoint published this week, there are 34 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.

Diving Deeper – Urgent Vulnerabilities

Of the vulnerabilities Flashpoint published last week, four are highlighted in this week’s Vulnerability Insights and Prioritization Report because they contain one or more of the following criteria:

• Are in widely used products and are potentially enterprise-affecting
• Are exploited in the wild or have exploits available
• Allow full system compromise
• Can be exploited via the network alone or in combination with other vulnerabilities
• Have a solution to take action on

In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.

To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.

CVE ID	Title	CVSS Scores (v2, v3, v4)	Exploit Status	Exploit Consequence	Ransomware Likelihood Score	Social Risk Score	Solution Availability
CVE-2025-33222	NVIDIA Isaac Launchable Unspecified Hardcoded Credentials	5.0 9.8 9.3	Private	Credential Disclosure	High	Low	Yes
CVE-2025-33223	NVIDIA Isaac Launchable Unspecified Improper Execution Privileges Remote Code Execution	10.0 9.8 9.3	Private	Remote Code Execution	High	Low	Yes
CVE-2025-68613	n8n Package for Node.js packages/workflow/src/expression-evaluator-proxy.ts Workflow Expression Evaluation Remote Code Execution	9.0 9.9 9.4	Public	Remote Code Execution	High	High	Yes
CVE-2025-14847	MongoDB transport/message_compressor_zlib.cpp ZlibMessageCompressor::decompressData() Function Zlib Compressed Protocol Header Handling Remote Uninitialized Memory Disclosure (Mongobleed)	10.0 9.8 9.3	Public	Uninitialized Memory Disclosure	High	High	Yes

Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for CVE-2025-33223 looks like.

Analyst Comments on the Notable Vulnerabilities

Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.

CVE-2025-33222

NVIDIA Isaac Launchable contains a flaw that is triggered by the use of unspecified hardcoded credentials. This may allow a remote attacker to trivially gain privileged access to the program.

CVE-2025-33223

NVIDIA Isaac Launchable contains an unspecified flaw that is triggered as certain activities are executed with unnecessary privileges. This may allow a remote attacker to potentially execute arbitrary code.

CVE-2025-68613

n8n Package for Node.js contains a flaw in packages/workflow/src/expression-evaluator-proxy.ts that is triggered as workflow expressions are evaluated in an improperly isolated execution context. This may allow an authenticated, remote attacker to execute arbitrary code with the privileges of the n8n process.

CVE-2025-14847

MongoDB contains a flaw in the ZlibMessageCompressor::decompressData() function in mongo/transport/message_compressor_zlib.cpp that is triggered when handling mismatched length fields in Zlib compressed protocol headers. This may allow a remote attacker to disclose uninitialized memory contents on the heap.

Previously Highlighted Vulnerabilities

CVE/VulnDB ID	Flashpoint Published Date
CVE-2025-21218	Week of January 15, 2025
CVE-2024-57811	Week of January 15, 2025
CVE-2024-55591	Week of January 15, 2025
CVE-2025-23006	Week of January 22, 2025
CVE-2025-20156	Week of January 22, 2025
CVE-2024-50664	Week of January 22, 2025
CVE-2025-24085	Week of January 29, 2025
CVE-2024-40890	Week of January 29, 2025
CVE-2024-40891	Week of January 29, 2025
VulnDB ID: 389414	Week of January 29, 2025
CVE-2025-25181	Week of February 5, 2025
CVE-2024-40890	Week of February 5, 2025
CVE-2024-40891	Week of February 5, 2025
CVE-2024-8266	Week of February 12, 2025
CVE-2025-0108	Week of February 12, 2025
CVE-2025-24472	Week of February 12, 2025
CVE-2025-21355	Week of February 24, 2025
CVE-2025-26613	Week of February 24, 2025
CVE-2024-13789	Week of February 24, 2025
CVE-2025-1539	Week of February 24, 2025
CVE-2025-27364	Week of March 3, 2025
CVE-2025-27140	Week of March 3, 2025
CVE-2025-27135	Week of March 3, 2025
CVE-2024-8420	Week of March 3, 2025
CVE-2024-56196	Week of March 10, 2025
CVE-2025-27554	Week of March 10, 2025
CVE-2025-22224	Week of March 10, 2025
CVE-2025-1393	Week of March 10, 2025
CVE-2025-24201	Week of March 17, 2025
CVE-2025-27363	Week of March 17, 2025
CVE-2025-2000	Week of March 17, 2025
CVE-2025-27636 CVE-2025-29891	Week of March 17, 2025
CVE-2025-1496	Week of March 24, 2025
CVE-2025-27781	Week of March 24, 2025
CVE-2025-29913	Week of March 24, 2025
CVE-2025-2746	Week of March 24, 2025
CVE-2025-29927	Week of March 24, 2025
CVE-2025-1974 CVE-2025-2787	Week of March 31, 2025
CVE-2025-30259	Week of March 31, 2025
CVE-2025-2783	Week of March 31, 2025
CVE-2025-30216	Week of March 31, 2025
CVE-2025-22457	Week of April 2, 2025
CVE-2025-2071	Week of April 2, 2025
CVE-2025-30356	Week of April 2, 2025
CVE-2025-3015	Week of April 2, 2025
CVE-2025-31129	Week of April 2, 2025
CVE-2025-3248	Week of April 7, 2025
CVE-2025-27797	Week of April 7, 2025
CVE-2025-27690	Week of April 7, 2025
CVE-2025-32375	Week of April 7, 2025
VulnDB ID: 398725	Week of April 7, 2025
CVE-2025-32433	Week of April 12, 2025
CVE-2025-1980	Week of April 12, 2025
CVE-2025-32068	Week of April 12, 2025
CVE-2025-31201	Week of April 12, 2025
CVE-2025-3495	Week of April 12, 2025
CVE-2025-31324	Week of April 17, 2025
CVE-2025-42599	Week of April 17, 2025
CVE-2025-32445	Week of April 17, 2025
VulnDB ID: 400516	Week of April 17, 2025
CVE-2025-22372	Week of April 17, 2025
CVE-2025-32432	Week of April 29, 2025
CVE-2025-24522	Week of April 29, 2025
CVE-2025-46348	Week of April 29, 2025
CVE-2025-43858	Week of April 29, 2025
CVE-2025-32444	Week of April 29, 2025
CVE-2025-20188	Week of May 3, 2025
CVE-2025-29972	Week of May 3, 2025
CVE-2025-32819	Week of May 3, 2025
CVE-2025-27007	Week of May 3, 2025
VulnDB ID: 402907	Week of May 3, 2025
VulnDB ID: 405228	Week of May 17, 2025
CVE-2025-47277	Week of May 17, 2025
CVE-2025-34027	Week of May 17, 2025
CVE-2025-47646	Week of May 17, 2025
VulnDB ID: 405269	Week of May 17, 2025
VulnDB ID: 406046	Week of May 19, 2025
CVE-2025-48926	Week of May 19, 2025
CVE-2025-47282	Week of May 19, 2025
CVE-2025-48054	Week of May 19, 2025
CVE-2025-41651	Week of May 19, 2025
CVE-2025-20289	Week of June 3, 2025
CVE-2025-5597	Week of June 3, 2025
CVE-2025-20674	Week of June 3, 2025
CVE-2025-5622	Week of June 3, 2025
CVE-2025-5419	Week of June 3, 2025
CVE-2025-33053	Week of June 7, 2025
CVE-2025-5353	Week of June 7, 2025
CVE-2025-22455	Week of June 7, 2025
CVE-2025-43200	Week of June 7, 2025
CVE-2025-27819	Week of June 7, 2025
CVE-2025-49132	Week of June 13, 2025
CVE-2025-49136	Week of June 13, 2025
CVE-2025-50201	Week of June 13, 2025
CVE-2025-49125	Week of June 13, 2025
CVE-2025-24288	Week of June 13, 2025
CVE-2025-6543	Week of June 21, 2025
CVE-2025-3699	Week of June 21, 2025
CVE-2025-34046	Week of June 21, 2025
CVE-2025-34036	Week of June 21, 2025
CVE-2025-34044	Week of June 21, 2025
CVE-2025-7503	Week of July 12, 2025
CVE-2025-6558	Week of July 12, 2025
VulnDB ID: 411705	Week of July 12, 2025
VulnDB ID: 411704	Week of July 12, 2025
CVE-2025-6222	Week of July 12, 2025
CVE-2025-54309	Week of July 18, 2025
CVE-2025-53771	Week of July 18, 2025
CVE-2025-53770	Week of July 18, 2025
CVE-2025-54122	Week of July 18, 2025
CVE-2025-52166	Week of July 18, 2025
CVE-2025-53942	Week of July 25, 2025
CVE-2025-46811	Week of July 25, 2025
CVE-2025-52452	Week of July 25, 2025
CVE-2025-41680	Week of July 25, 2025
CVE-2025-34143	Week of July 25, 2025
CVE-2025-50454	Week of August 1, 2025
CVE-2025-8875	Week of August 1, 2025
CVE-2025-8876	Week of August 1, 2025
CVE-2025-55150	Week of August 1, 2025
CVE-2025-25256	Week of August 1, 2025
CVE-2025-43300	Week of August 16, 2025
CVE-2025-34153	Week of August 16, 2025
CVE-2025-48148	Week of August 16, 2025
VulnDB ID: 416058	Week of August 16, 2025
CVE-2025-32992	Week of August 16, 2025
CVE-2025-7775	Week of August 24, 2025
CVE-2025-8424	Week of August 24, 2025
CVE-2025-34159	Week of August 24, 2025
CVE-2025-57819	Week of August 24, 2025
CVE-2025-7426	Week of August 24, 2025
CVE-2025-58367	Week of September 1, 2025
CVE-2025-58159	Week of September 1, 2025
CVE-2025-58048	Week of September 1, 2025
CVE-2025-39247	Week of September 1, 2025
CVE-2025-8857	Week of September 1, 2025
CVE-2025-58321	Week of September 8, 2025
CVE-2025-58366	Week of September 8, 2025
CVE-2025-58371	Week of September 8, 2025
CVE-2025-55728	Week of September 8, 2025
CVE-2025-55190	Week of September 8, 2025
VulnDB ID: 419253	Week of September 13, 2025
CVE-2025-10035	Week of September 13, 2025
CVE-2025-59346	Week of September 13, 2025
CVE-2025-55727	Week of September 13, 2025
CVE-2025-10159	Week of September 13, 2025
CVE-2025-20363	Week of September 20, 2025
CVE-2025-20333	Week of September 20, 2025
CVE-2022-4980	Week of September 20, 2025
VulnDB ID: 420451	Week of September 20, 2025
CVE-2025-9900	Week of September 20, 2025
CVE-2025-52906	Week of September 27, 2025
CVE-2025-51495	Week of September 27, 2025
CVE-2025-27224	Week of September 27, 2025
CVE-2025-27223	Week of September 27, 2025
CVE-2025-54875	Week of September 27, 2025
CVE-2025-41244	Week of September 27, 2025
CVE-2025-61928	Week of October 6, 2025
CVE-2025-61882	Week of October 6, 2025
CVE-2025-49844	Week of October 6 2025
CVE-2025-57870	Week of October 6, 2025
CVE-2025-34224	Week of October 6, 2025
CVE-2025-34222	Week of October 6, 2025
CVE-2025-40765	Week of October 11, 2025
CVE-2025-59230	Week of October 11, 2025
CVE-2025-24990	Week of October 11, 2025
CVE-2025-61884	Week of October 11, 2025
CVE-2025-41430	Week of October 11, 2025
VulnDB ID: 424051	Week of October 18, 2025
CVE-2025-62645	Week of October 18, 2025
CVE-2025-61932	Week of October 18, 2025
CVE-2025-59503	Week of October 18, 2025
CVE-2025-43995	Week of October 18, 2025
CVE-2025-62168	Week of October 18, 2025
VulnDB ID: 425182	Week of October 25, 2025
CVE-2025-62713	Week of October 25, 2025
CVE-2025-54964	Week of October 25, 2025
CVE-2024-58274	Week of October 25, 2025
CVE-2025-41723	Week of October 25, 2025
CVE-2025-20354	Week of November 1, 2025
CVE-2025-11953	Week of November 1, 2025
CVE-2025-60854	Week of November 1, 2025
CVE-2025-64095	Week of November 1, 2025
CVE-2025-11833	Week of November 1, 2025
CVE-2025-64446	Week of November 8, 2025
CVE-2025-36250	Week of November 8, 2025
CVE-2025-64400	Week of November 8, 2025
CVE-2025-12686	Week of November 8, 2025
CVE-2025-59118	Week of November 8, 2025
VulnDB ID: 426231	Week of November 8, 2025
VulnDB ID: 427979	Week of November 22, 2025
CVE-2025-55796	Week of November 22, 2025
CVE-2025-64428	Week of November 22, 2025
CVE-2025-62703	Week of November 22, 2025
VulnDB ID: 428193	Week of November 22, 2025
CVE-2025-65018	Week of November 22, 2025
CVE-2025-54347	Week of November 22, 2025
CVE-2025-55182	Week of November 29, 2025
CVE-2024-14007	Week of November 29, 2025
CVE-2025-66399	Week of November 29, 2025
CVE-2022-35420	Week of November 29, 2025
CVE-2025-66516	Week of November 29, 2025
CVE-2025-59366	Week of November 29, 2025
CVE-2025-14174	Week of December 6, 2026
CVE-2025-43529	Week of December 6, 2026
CVE-2025-8110	Week of December 6, 2026
CVE-2025-59719	Week of December 6, 2026
CVE-2025-59718	Week of December 6, 2026
CVE-2025-14087	Week of December 6, 2026
CVE-2025-62221	Week of December 6, 2026

Transform Vulnerability Management with Flashpoint

Request a demo today to see how Flashpoint can transform your vulnerability intelligence, vulnerability management, and exposure identification program.

Request a demo today.

Blogs

Blog

The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.

Infostealer-driven credential theft in 2025 has surged, with Flashpoint observing a staggering 800% increase since the start of the year. With over 1.8 billion corporate and personal accounts compromised, the threat landscape finds itself in a paradox: while technical defenses have never been more advanced, the human attack surface has never been more vulnerable.

Information-stealing malware has become the most scalable entry point for enterprise breaches, but to truly defend against them, organizations must look beyond the malware itself. As teams move into 2026 security planning, it is critical to understand the deceptive initial access vectors—the latest tactics Flashpoint is seeing in the wild—that threat actors are using to manipulate users and bypass modern security perimeters.

Here are the latest methods threat actors are leveraging to facilitate infections:

1. Neutralizing Mark of the Web (MotW) via Drag-and-Drop Lures

Mark of the Web (MotW) is a critical Windows defense feature that tags files downloaded from the internet as “untrusted” by adding a hidden NTFS Alternate Data Stream (ADS) to the file. This tag triggers “Protected View” in Microsoft Office programs and prompts Windows SmartScreen warnings when a user attempts to execute an unknown file.

Flashpoint has observed a new social engineering method to bypass these protections through a simple drag-and-drop lure. Instead of asking a user to open a suspicious attachment directly, which would trigger an immediate MotW warning, threat actors are instead instructing the victim to drag the malicious image or file from a document onto their desktop to view it. This manual interaction is highly effective for two reasons:

1. Contextual Evasion: By dragging the file out of the document and onto the desktop, the file is executed outside the scope of the Protected View sandbox.
2. Metadata Stripping: In many instances, the act of dragging and dropping an embedded object from a parent document can cause the operating system to treat the newly created file as a local creation, rather than an internet download. This effectively strips the MotW tag and allows malicious code to run without any security alerts.

2. Executing Payloads via Vulnerabilities and Trusted Processes

Flashpoint analysts uncovered an illicit thread detailing a proof of concept for a client-side remote code execution (RCE) in the Google Web Designer for Windows, which was first discovered by security researcher Bálint Magyar.

Google Web Designer is an application used for creating dynamic ads for the Google Ads platform. Leveraging this vulnerability, attackers would be able to perform remote code execution through an internal API using CSS injection by targeting a configuration file related to ads documents.

Within this thread, threat actors were specifically interested in the execution of the payload using the chrome.exe process. This is because using chrome.exe to fetch and execute a file is likely to bypass several security restrictions as Chrome is already a trusted process. By utilizing specific command-line arguments, such as the –headless flag, threat actors showed how to force a browser to initiate a remote connection in the background without spawning a visible window. This can be used in conjunction with other malicious scripts to silently download additional payloads onto a victim’s systems.

3. Targeting Alternative Softwares as a Path of Least Resistance

As widely-used software becomes more hardened and secure, threat actors are instead pivoting to targeting lesser-known alternatives. These tools often lack robust macro-protections. By targeting vulnerabilities in secondary PDF viewers or Office alternatives, attackers are seeking to trick users into making remote server connections that would otherwise be flagged as suspicious.

Understanding the Identity Attack Surface

Social engineering is one of the driving factors behind the infostealer lifecycle. Once an initial access vector is successful, the malware immediately begins harvesting the logs that fuel today’s identity-based digital attacks.

As detailed in The Proactive Defender’s Guide to Infostealers, the end goal is not just a password. Instead, attackers are prioritizing session cookies, which allow them to perform session hijacking. By importing these stolen cookies into anti-detect browsers, they bypass Multi-Factor Authentication and step directly into corporate environments, appearing as a legitimate, authenticated user.

Understanding how threat actors weaponize stolen data is the first step toward a proactive defense. For a deep dive into the most prolific stealer strains and strategies for managing the identity attack surface, download The Proactive Defender’s Guide to Infostealers today.

Request a demo today.

Blogs

Blog

Surfacing Threats Before They Scale: Why Primary Source Collection Changes Intelligence

This blog explores how Primary Source Collection (PSC) enables intelligence teams to surface emerging fraud and threat activity before it reaches scale.

Spend enough time investigating fraud and threat activity, and a familiar pattern emerges. Before a tactic shows up at scale—before credential stuffing floods login pages or counterfeit checks hit customers—there is almost always a quieter formation phase. Threat actors test ideas, trade techniques, and refine playbooks in small, often closed communities before launching coordinated campaigns.

The signals are there. The challenge is that most organizations never see them.

For years, intelligence programs have leaned heavily on static feeds: prepackaged streams of indicators, alerts, and reports delivered on a fixed cadence. These feeds validate what is already known, but they rarely surface what is still taking shape. They are designed to summarize activity after it has matured, not to discover it while it is still evolving.

Meanwhile, the real innovation in fraud and threat ecosystems happens elsewhere in invite-only Telegram channels, dark web marketplaces, and regional-language forums that update in real time. By the time a static feed flags a new technique, it is often already widespread.

This disconnect has consequences. When intelligence arrives too late, teams are left responding to impact rather than shaping outcomes.

How Threats Actually Evolve

Fraudsters and threat actors do not work in isolation, they collaborate. In closed forums and encrypted channels, one actor experiments with a new login bypass, another tests two-factor authentication evasion, and a third packages those ideas into a tool or service. What begins as a handful of screenshots or code snippets quickly becomes a repeatable process.

These shared processes often take the form of playbooks that act as step-by-step guides that document how to execute a fraud scheme or exploit a weakness. Once a playbook begins circulating, scale is inevitable. Techniques that started as limited tests turn into thousands of coordinated attempts almost overnight.

Every intelligence or fraud analyst has experienced the moment when an unfamiliar tactic suddenly overwhelms detection systems. The frustrating reality is that the warning signs were often visible weeks earlier, they simply never made it into the static feeds teams were relying on.

Why Static Collection Falls Short

Static collection creates a sense of coverage, but that coverage is often shallow. Sources are fixed. Cadence is slow. Context is stripped away.

A feed might tell you that a domain, handle, or email address is associated with a known tactic, but not how that tactic was developed, who is promoting it, or whether it has any relevance to your organization’s specific exposure. You are seeing the exhaust, not the engine.

This lag matters. The window between a tactic being tested in a small community and being deployed at scale is often the most valuable moment for intervention. Miss that window, and response becomes exponentially more expensive.

As threats accelerate and collaboration among adversaries increases, intelligence programs that depend solely on static inputs struggle to keep pace.

A Different Model: Primary Source Collection

Primary Source Collection (PSC) changes how intelligence is gathered by starting with the questions that matter most and collecting directly from the original environments where those answers exist.

Gain the Threat Intelligence Advantage with Primary Source Collection

Rather than relying on a predefined list of sources or vendor-determined priorities, PSC begins with a defined intelligence requirement. Collection is then shaped around that requirement, directing analysts to the forums, marketplaces, and channels where relevant activity is actively unfolding.

This means monitoring closed communities advertising check alteration services. It means observing invite-only groups trading identity fraud tutorials. It means collecting original posts, screenshots, files, and discussions while they are still part of an active conversation instead of weeks later in summarized form. When actors begin discussing a new bypass technique or sharing proof-of-concept screenshots, that is the moment to act, not weeks later when the same method is being resold across marketplaces.

Primary Source Collection provides that window. It surfaces the conversations, artifacts, and early indicators that reveal what is coming next and gives teams the time they need to intervene before campaigns scale.

This does not replace analytics, automation, or baseline monitoring. It strengthens them by feeding earlier, richer insight into downstream systems. It ensures that detection and response are informed by how threats are actually developing, not just how they appear after the fact.

In one case, a financial institution using this approach identified counterfeit checks featuring its brand being advertised in underground marketplaces weeks before customers began reporting losses. By collecting directly from those spaces, analysts flagged the images, traced sellers, and alerted internal teams early enough to prevent further exploitation.

That is what early warning looks like when collection is aligned with purpose.

Making Intelligence Taskable

One of the most important shifts enabled by Primary Source Collection is tasking.

Traditional intelligence programs operate like autopilot. They deliver a steady stream of data, but that stream reflects the provider’s priorities rather than the organization’s evolving needs. Analysts spend valuable time triaging irrelevant information while emerging risks go unnoticed.

In classified intelligence environments, this problem has long been addressed through tasking. Every collection effort begins with a clearly defined requirement and priorities drive collection, not the other way around.

PSC applies that same discipline to open-source and commercial intelligence. Teams define Priority Intelligence Requirements (PIRs), such as identifying actors testing bypass methods for specific login flows, and immediately direct collection toward those needs. As priorities change, tasking changes with them.

This transforms intelligence from a passive stream into an operational capability. Analysts are no longer waiting for someone else’s update cycle. They are shaping visibility in real time, testing hypotheses, validating concerns, and uncovering tactics before they mature.

For leadership, this provides something more valuable than indicators: confidence that critical developments are not happening just out of sight.

How Taskable Collection Works in Practice

A taskable Primary Source Collection framework is dynamic by design. As stakeholder priorities shift due to a new campaign, incident, or geopolitical development, collection pivots immediately.

In practice, this approach includes:

• Source discovery: Identifying new, relevant sources as they emerge, using a combination of analyst expertise and automated tooling.
• Secure access: Entering closed or restricted spaces safely and ethically through controlled environments and vetted identities.
• Direct collection: Capturing original content directly from threat actor environments, including posts, images, and files.
• Processing and enrichment: Applying techniques such as optical character recognition, entity extraction, and metadata tagging to transform raw material into usable intelligence.
• Delivery and collaboration: Routing outputs into investigative workflows or directly to stakeholders to accelerate response.

Intelligence can then mirror the agility of modern threats instead of lagging behind them.

Why This Shift Matters Now

Threat and fraud operations are moving faster than ever. Barriers to entry are lower. Tooling is more accessible. Collaboration rivals legitimate software development cycles.

Defenders cannot afford to move slower than the adversaries they are trying to stop.

Primary Source Collection is how intelligence teams keep pace. It aligns collection with mission needs, enables real-time tasking, and delivers insight early enough to change outcomes instead of just documenting them.

The signals have always been there. What has changed is the ability to surface them while they still matter.

See Primary Source Collection in Action

Flashpoint supports intelligence teams across fraud, cyber, and executive protection with taskable, primary source intelligence. Request a walkthrough to see how PSC enables earlier, more confident decision-making.

Request a demo today.

Blogs

Blog

The CTI Analyst’s Isolated Arsenal: Desktop Tools for High-Risk Intelligence

This blog explores how CTI teams safely analyze high-risk environments, engage with threat actors, and process sensitive data using Flashpoint Managed Attribution.

Cyber Threat Intelligence (CTI) analysts routinely operate in high-risk digital spaces where threat actors operate, such as Dark Web forums, encrypted chat rooms, and sites hosting massive breached datasets. Engaging with this data requires absolute confidence that your operational security (OPSEC) is up-to-date.

OPSEC failures can have significant consequences. A single attribution error or host-machine exposure can put both the analyst at risk, and compromise the organization’s security posture. To ensure your organization’s CTI activities remain anonymous, secure, and effective, this post focuses on two essentials: 

• The types of desktop applications and tools that must run in a secure, isolated environment
• How Flashpoint Managed Attribution (MA) provides the operational foundation for safe CTI workflows.

OPSEC & Access

Successful execution of CTI operations hinges on establishing a complete shield between the analyst and the target environment. These tools form the base layer for secure and anonymous activity, ensuring that an analyst’s real identity and location are never exposed.

Tool Category	Tool/Type	Use Case
Network Anonymity	VPN Clients	IP Masking & Geo-Shifting: Adding a layer of IP obfuscation, especially when accessing geo-restricted content or high-risk sites (often used before Tor for added protection).
Secure Communication	Telegram, Session, Tox, Pidgin (with OTR/OMEMO)	Threat Actor Engagements: Contacting a threat actor (TA) about a posted dataset, discussing access, or validating a claimed compromise.
Network Utility	Torsocks / Proxychains	Script Anonymization: Forcing data collection scripts (Python, Go, etc.) to use an anonymized network when scraping or downloading data.

Operational Case Study: Secure Threat Actor Engagement with Telegram and Flashpoint Managed Attribution

When communicating anonymously with a threat actor, the Flashpoint Managed Attribution workflow provides the following key advantages for CTI teams:

• Identity Protection: Creates a secure, isolated virtual machine with robust anonymization (VPN, Tor, rotating IPs) to protect the analyst’s identity. The analyst sets up messaging clients like Telegram within this secure environment, making it impossible for the threat actor to trace their real IP or location.
• Continuous OPSEC: Continuously masks the operational footprint with constantly changing and untraceable IP addresses, ensuring all communication is routed through multiple layers of anonymity.
• Host Machine Isolation & Secure Logging: All information exchanged is handled within this isolated environment to prevent malicious files from affecting the analyst’s host machine, while all communications are securely logged for later analysis.

Data Processing & Automation

CTI analysts routinely process massive log files and breach dumps that are unstable, unvalidated, or potentially malicious. By deploying essential data processing and automation tools within an isolated environment like Flashpoint Managed Attribution, you ensure this high-risk content never compromises the analyst’s host machine.

Tool Category	Tool/Type	Use Case
Scripting & Automation	Python, Golang, Bash/PowerShell	Breach Data Analysis: Creating custom scraping and parsing scripts to download and search breached datasets (often multi-terabyte files) from ransomware or other leak sites.
Command-Line Tools	grep, awk, sed, curl, wget	Assess Exposure: Quickly search for company-specific keywords, employee names, or technical indicators across massive, potentially compromised datasets.
Data Encoding/Decoding	CyberChef (Desktop/Local Instance)	Indicator of Compromise (IOC) Transformation: Decoding obfuscated strings, converting data formats, or analyzing potentially malicious content without sending it to an external server.

Operational Case Study: Automating Breach Data Analysis with Python and Flashpoint Managed Attribution

Within a Flashpoint Managed Attribution workspace, a CTI analyst deploys a Python script. The anonymized MA environment ensures:

• This script crawls and downloads data through an untraceable, constantly changing IP network, performing on-the-fly parsing and storing extracted intelligence in an encrypted database. 
• Data ingestion and analysis is executed securely, leaving no trace of the analyst’s activity.

Open Source Intelligence (OSINT) & Analysis

The below applications help analysts connect the dots between various pieces of intelligence but often require handling data from unverified or hostile sources, necessitating strict isolation.

Tool Category	Tool/Type	Use Case
Research	Tor Browser	Dark Web Collection: Accessing closed forums, markets, and hosting sites for intelligence gathering and monitoring.
Link Analysis	Maltego	Mapping Threat Actors: Identifying the infrastructure, affiliates, and complex relationships of a cybercrime group under investigation.
Evidence Preservation	Hunch.ly	Chain of Custody: Securely capturing and preserving online evidence (e.g., from a hacktivist blog or a ransomware leak page) before it is taken down.
Metadata Analysis	ExifTool (Desktop Client)	Source Attribution: Analyzing a file downloaded from a threat actor site to extract potential clues like hidden usernames, internal network paths, or original creation dates.

Operational Case Study: Analyzing a Ransomware Leak Page with Hunch.ly

When a new ransomware group emerges, a CTI analyst uses tools like Hunch.ly to safely collect evidence from leak sites. Hunch.ly captures all data, timestamps it, and creates a cryptographic hash to ensure integrity. Using tools like Hunch.ly inside of a secure virtual machine like Flashpoint Managed Attribution ensures the analyst’s anonymity, enabling thorough analysis without risking the analyst’s system or identity.

Unlock Maximum Tool Utility with Flashpoint Managed Attribution

Ultimately, while these desktop tools are indispensable for CTI analysts operating in high-risk environments, their effective and secure deployment hinges on a robust underlying platform. This is where Flashpoint Managed Attribution becomes an invaluable asset. By providing a secure, anonymous workspace, Flashpoint Managed Attribution allows analysts to leverage these powerful tools, from network anonymizers and secure communication channels to advanced OSINT and data processing applications within an environment specifically built for operational security. 

Request a demo today to ensure that gathered critical intelligence remains untraceable to your organization or analysts.

Request a demo today.

Blogs

Blog

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

Last week, Hudson Rock published a blog on “Trevor Greer,” a persona tied to a North Korean IT Worker. Flashpoint shared additional insights with our clients back in July, and we’re now making those findings public.

Trevor Greer, a North Korean operative, was identified via an infostealer infection on their own machine. Information-stealing malware, also known as Infostealers or stealers, are malware designed to scrape passwords and cookies from unsuspecting victims. Stealers (like LummaC2 or RedLine) are typically used by cybercriminals to steal login credentials from everyday users to sell on the Dark Web. It is rare to see them infect the machines of a state-sponsored advanced persistent threat group (APT).

However, when adversaries unknowingly infect themselves, they can expose valuable insights into the inner workings of their campaigns. Leveraging Flashpoint intelligence sourced from the leaked logs of “Trevor Greer,” our analysts uncovered a myriad of fake identities and companies used by DPRK APTs.

Finding Trevor Greer

Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

ByBit Compromise

The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

Tracing the Infection

Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

What the Logs Revealed

Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

The data painted a vivid picture of how these threat actors operate:

Preparation for “Contagious Interviews”

The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

Reliance on AI Tools

The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

Pivoting: One Node to a Network

By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

• Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
• Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims. 
• Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
• Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify. 
• Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

Disrupt Threat Actors Using Flashpoint

The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too. 

Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

Request a demo today.