The paradoxes of todayโs digital world are well-known to anyone with a smartphone.
Over the last decade, connectivity has expanded, yet the world has become more fragmented. Our everyday lives are more digital, but we spend more time parsing text messages for scams or deliberating the authenticity of potential deepfakes. Technology is delivering great productivity gains to small businesses while making them a larger target for cybercriminals.
In this environment, exposure becomes the default: Access points are growing, control is hard and reacting to change stops working. AI intensifies these dynamics because it compresses time for everyone, including adversaries.
Today, trust has become the most critical tool to move all businesses forward. Without trust, even the best ideas stall. People hesitate, adoption slows and growth stagnates.
Trust used to be something businesses tried to repair after a breach. Now it must be the starting point, and something to nurture and continuously prove in a world that has fundamentally changed.
It would be impossible to eliminate the risk entirely. Some estimates project cybercrime could cost the world $15.6 trillion annually before 2030, surpassing all but two of the worldโs largest economies. Instead, the goal must be to build the ability to see sooner, decide faster and limit impact when, not if, something breaks. Trust today is all about bringing together speed, intelligence and collaboration, and thatโs exactly what weโre developing across our teams.
Getting this right isnโt just good business sense, but the only way to ensure new technologies are embraced and economies can keep growing.
The advantage is intelligence
Real advantage comes from understanding context and connecting signals across systems. Thatโs what turns data into better decisions. This kind of intelligence increases speed, reduces risk and enables proactive action. With the right intelligence, teams can hunt for threats continuously, test assumptions and act before harm occurs, not just triage alerts after the fact.
You can see this shift in how the payments industry is evolving, including the work weโre doing by bringing Recorded Futureโs threat intelligence together with Mastercardโs security capabilities, payments infrastructure and partnership models. Weโre helping organizations understand where risk concentrates, how it propagates, and how quick, collective action can reduce the cost of cybercrime.
Faster insights mean earlier action, which minimizes impact โ and deepens trust.
Trust is built through collaboration
Security doesnโt scale through isolated heroics. It scales through ecosystems: shared signals, shared standards and partners who can move together as new threats arise, attack vectors shift and failures spread.
Resilience is strongest when public and private sectors plan, exercise and respond together, rather than in parallel. Different players have different sightlines in the digital ecosystem. Startups look at the edges of innovation. Enterprises understand the realities of operating in todayโs environment. Governments see where systemic risk concentrates. When those visions combine, our shields strengthen and expand, pushing cybercriminals out of the frame.
During our time here in Miami for the eMerge Americas conference, weโve had the opportunity to speak to enterprises, startups, investors and government leaders about the need to accelerate resilience in Latin America, where the digital economy is booming but security hasnโt always kept pace. The region has the worldโs fastest-growing rate of disclosed cyber incidents โ in 2025 alone, Recorded Future tracked 452 ransomware incidents โ but only seven countries have developed cybersecurity plans protecting critical infrastructure, and only 20 have formal computer security incident response teams.
That gap is where trust breaks, and where more collaboration can become a growth necessity. We canโt build sustainable economic growth in Latin America without building digital trust and cyber resilience. Thatโs why we are deepening our footprint here, enhancing regional threat intelligence and resilience and paving the way for stronger public-private collaboration to address these complex risks.
Secure digital access unlocks economic opportunity โ and insecurity shuts it down fast. For a first-time digital user, one fraud incident can be enough to opt out for good. For a small business, one account takeover can wipe out months of progress. Thatโs why trust is inextricably linked to financial health. People canโt build stability on top of systems theyโre afraid to use. At Mastercard, weโve committed to connecting and protecting 500 million people and small businesses by 2030, because secure participation is foundational, not optional.
The bar for digital innovation today is not what we can deliver, but what people will trust enough to use, depend upon and harness for their own financial health. Because in the end, trust is the superpower.
AI vulnerability research and discovery capabilities are improving, but they have not changed the fundamentals of vulnerability management. Instead, they are scaling up problems familiar to vulnerability managers: patch prioritization and remediation backlogs.
For defenders, the timeline for determining which vulnerabilities matter most and remediating them before exploitation begins is narrowing, even as the overall volume of vulnerabilities rises. Organizations that rely on manual prioritization, slow patch cycles, or legacy software will face growing operational and security risks.
Figure 1: Reality versus hype of automated vulnerability research
The Vulnerability to Exploit Ratio
Vulnerabilities are software flaws attackers can use to gain access, run malicious code, escalate privileges, or disrupt operations. However, not every bug becomes a real-world threat: many are hard to reach, difficult to weaponize, or simply not worth an attackerโs time.
The total number of disclosed vulnerabilities has increased sharply in recent years, rising from roughly 21,000 in 2021 to nearly 50,000 in 2025. Part of that increase likely reflects stronger disclosure practices and bug bounty activity, though software growth, a broader attack surface, and more systematic reporting also play a role. Nonetheless, in 2025, Recorded Future only identified 446 vulnerabilities that were actively exploited in the wild, a reminder that confirmed exploitations remain a small fraction of total disclosures.
Figure 2:Yearly comparison of disclosed CVEs against CVEs with public exploits and vulnerabilities assessed as actively exploited by the Cybersecurity and Infrastructure Agencyโs Known Exploited Vulnerabilities (KEV) Catalog and Recorded Future, 2021-2025
This is because attackers do not exploit every bug they find. Instead, they focus on developing exploits for the small subset of vulnerabilities that offer the best combination of reach, reliability, and return on investment, such as flaws that can be exploited remotely or affect widely used software. In other words, a vulnerability still has to be validated, turned into a reliable exploit, matched to a target, and integrated into an attack path worth the effort.
When a flaw matches the criteria, however, exploitation can move quickly. VulnCheck found that nearly 29% of KEVs in 2025 were exploited on or before CVE publication, a slight increase from the previous year, indicating the continued prevalence of zero-days and n-days. Much as their legitimate counterparts use AI in software development, adversaries are already using AI to accelerate parts of the attack workflow, including vulnerability research, exploit-path analysis, and malware development, even if its precise effect on exploitation timelines is hard to quantify. Some trackers estimate the median time-to-exploit may now be measured in hours rather than days, demonstrating the shortening window of time to act on a high-impact vulnerability.
How AI Changes the Equation
Anthropic and OpenAI recently drew significant attention through their limited release of what they claimed were uniquely powerful cyber defense models. An independent evaluation of Anthropicโs Mythos found significant improvements in multi-step cyberattack simulations. However, AI-assisted vulnerability discovery and penetration testing predate these models, and most frontier models have already demonstrated the ability to identify vulnerabilities and assist with exploit development. At present, these tools are still most effective in the hands of capable operators rather than enabling frictionless, low-skill exploitation at scale. This matters, too, as even if these capabilities are used primarily by security researchers in the near term, the resulting increase in disclosures, proofs of concept, and validated findings still adds to the defensive burden.
This impacts vulnerability management in three important ways:
More credible vulnerability reports to triage: New agentic systems can do more than flag suspicious code; they can reason through program behavior, validate findings, and help identify which weaknesses appear most exploitable.
Less time to mitigate exploitable vulnerabilities: Large-language models (LLMs) are accelerating the speed and scale of weaponization, meaning the path from disclosure to exploit could go from hours to minutes.
Reduced the cost of exploit development: Emerging models appear more capable of producing proof-of-concept exploit code, testing attack paths, and helping skilled operators iterate toward weaponizable exploits faster than before.
Figure 3: The vulnerability equation: How automated capabilities will likely impact reporting, exploit development, and impact
More Reports, More Noise
Using AI agents for software code will almost certainly increase the number of reported vulnerabilities and developed proofs-of-concept. Microsoftโs April 2026 Patch Tuesday, which followed Anthropicโs Project Glasswing announcement, was the companyโs second-largest on record. However, according to Microsoft, it โdoes not reflect a significant increase in AIโdriven discoveries, though [they] did credit one vulnerability to an Anthropic researcher using Claude.โ The more important question is not whether more flaws will be found โ because they will be โ but whether defenders can process, validate, and prioritize them fast enough to act.
Vulnerability submissions are already overwhelming researchersโ ability to assess their overall risk, creating a backlog of vulnerability enrichment and scoring. If AI sharply increases the volume of plausible findings, defenders will face even more uncertainty around which vulnerabilities represent the next high-impact systemic event and which are background noise.
Less Time to Act
For the vulnerabilities that are actually a problem, defenders have even less time to respond. Automated exploit development will likely shorten the path from discovery to proof of concept and, in some cases, to weaponization for the subset of vulnerabilities worth pursuing. Adding to the triage problem, some medium-severity or otherwise โnon-criticalโ vulnerabilities will need to be re-evaluated as possible components of exploit chains, even if they would not normally rank as urgent on their own.
Drowning out the Alarms
Even as defenders deal with more noise, a larger volume of reported, plausible findings is likely to increase the absolute number of high-impact exploits they need to address quickly. As a result, defenders face an even greater challenge in identifying the small subset of issues that matter most before attackers do.
This does not mean every newly disclosed flaw will be weaponized, or that high-impact, โinternet-breakingโ events will become commonplace; however, even a modest increase in exploited vulnerabilities puts more pressure on prioritization, patching speed, and compensating controls, especially for organizations already struggling with manual triage, slow patch cycles, or legacy software.
How to Use Automation for Good
For most organizations, the immediate risk is not that every vulnerability will suddenly be exploited, but that defenders will have less time to determine which findings matter most. Vulnerability discovery and exposure management should therefore be treated as related but distinct problems: AI may increase the number of findings, but defenders still need context to determine which exposures are actually reachable, high-impact, and worth urgent remediation.
In this environment, using AI-enabled vulnerability discovery, prioritization, and defensive remediation will be essential to keeping pace with attackers. The five actions listed in the following section can help organizations stay ahead of the threat.
1. Automate Vulnerability Prioritization and Response
Shift from CVSS-only scoring to real-time exploitability and exposure-based risk scoring to handle the surge in AI-assisted vulnerability discovery. Deploy automated scanning, validation, and threat hunting to identify exploitation activity quickly, especially in widely used software and internet-facing systems. Recorded Futureโs Insikt Group regularly reports on new vulnerabilities and exploit trends and develops Nuclei templates to detect actively exploited vulnerabilities.
2. Accelerate Patching and Upgrade Cycles
As the time to exploit shifts from days to hours, the time to mitigate vulnerabilities will similarly shorten. Patch management will need to move faster, particularly for internet-facing systems, widely used software components, and critical dependencies. Automated remediation and automated compensating controls will likely become necessary to keep pace with AI-accelerated discovery. The Vulnerability Intelligence module in the Recorded Future Intelligence Operations Platform can help with prioritization based on the likelihood of exploitation. Ensure all automated actions are logged and regularly audited by a human, and require a human-in-the-loop for any actions on high-impact systems.
3. Reduce Dependence on Legacy and Unsupported Software
AI may make it easier for threat actors to identify and validate exploitable weaknesses in older, under-maintained codebases. Unsupported systems and aging software are likely to become increasingly difficult to justify unless they are strongly isolated and tightly controlled.
4. Shift Vulnerability Detection Earlier in the Software Lifecycle
Organizations should integrate automated security testing and AI-assisted vulnerability discovery into development pipelines. Early detection can help defenders fix vulnerabilities before production, reducing remediation burden later.
5. Get Ready for the Next High-Impact Event
Develop emergency response and mitigation playbooks specifically for high-impact, broadly applicable flaws, including scenarios where a patch is not immediately available. Preparation should include not just patching, but also containment measures such as segmentation, access restrictions, traffic filtering, and other compensating controls.
Integrate, don't replace. Recorded Future enriches your existing security tools by automatically layering in contextual threat intelligence, reducing manual effort and enabling faster, better-informed decisions.
Know where you stand. Assessing your organization's maturity across four stages โ reactive, proactive, predictive, and autonomous โ helps you identify which workflows to prioritize and where automation can have the most impact.
Start simple, then scale. Four core workflows (i.e., IOC enrichment, vulnerability prioritization, Autonomous Threat Operations, and watch list automation) offer a practical on-ramp, and many integrations can be activated in just a few clicks through Recorded Future's Integration Center.
Threat intelligence can elevate cybersecurity programs from reactive to autonomous, transforming workflows and delivering measurable improvements. In a recent webinar, we shared practical steps for integrating threat intelligence into existing security stacks, optimizing workflows, and accelerating organizational maturity in cybersecurity practices.
Read on for actionable insights, frameworks, and tools shared during the session.
Bridging the gap: threat intelligence integration
The key to effective threat intelligence is making your tools work together seamlessly. Recorded Future doesnโt aim to replace your existing cybersecurity tools, but rather to enrich and connect them.
When Recorded Future connects to the tools already in your stack, it automatically adds contextually relevant threat intelligence to whatever you're working on. This can mean less manual effort and faster, better-informed decisions.
Understanding your organizationโs cyber maturity
A useful starting point is assessing where your organization currently stands across four stages of cybersecurity maturity: reactive, proactive, predictive, and autonomous:
Reactive organizations focus on responding to incidents as they occur.
Proactive organizations hunt for threats before they lead to incidents and align detection systems to adapt toward emerging risks.
Predictive programs extend threat intelligence beyond the security operations center (SOC) to other organizational stakeholders.
Autonomous programs leverage automation to identify and respond to threats in real time at machine speed.
Maturity doesn't have to be assessed at the program level alone. Individual use cases may be at different stages. Alert management, for instance, may already be highly automated, while other workflows remain more reactive.
A helpful way to identify where to focus is to ask a series of questions, including:
What does my current alert workflow look like?
What's my most time-consuming process?
What's my top priority for the next 12 months?
Your answers will enable you to identify areas for improvement and then prioritize your workflows as needed.
Three key integration workflowsโand one bonus workflow
Next, we suggest integration workflows that are designed to help you optimize your security operations with Recorded Future threat intelligence:
1. Indicator of compromise (IOC) enrichment
Detection tools often generate alerts with limited context, leaving you asking why something was flagged and how risky it actually is.By integrating Recorded Future, youโll find that those alerts can be automatically enriched with information such as malware families, exploited vulnerabilities, and threat actor connectionsโenabling better, faster decisions without additional manual research.
2. Vulnerability prioritization
Most organizations depend on CVSS scores or vendor-provided data to assess vulnerabilities, but that approach doesn't always reflect real-world risk. A more effective strategy is asking: Is this vulnerability being actively exploited in targeted campaigns? Are threat actors targeting my industry with it?
Recorded Future enhances vulnerability management primarily through threat intelligence context, with risk scoring that tells you why something is riskyโspecifically whether a CVE is being actively exploited in the wild, and whether it's targeting organizations in your industry.
3. Autonomous Threat Operations
The most advanced workflow involves automating threat detection and prevention from end to end. Recorded Future can identify emerging threats, initiate retroactive threat hunts, and automatically update detection and blocking lists in tools like EDR platformsโall without manual intervention. This will enable your security team to shift from reactive firefighting to real-time, autonomous threat prevention. Learn more about Autonomous Threat Operations, available in Recorded Futureโs Professional and Elite pricing packages.
4. Bonus workflow: Watch list automation
Your existing vulnerability scanners like Tenable, Qualys, Wiz, and Rapid7 are already identifying vulnerabilities in your environment. A Watch List automation connector can link those tools directly into Recorded Future's Watch Lists, so the Platform automatically reflects your real threat footprint at all times. Instead of tracking a static list of top vulnerabilities, you get contextual intelligence tied to what's actually in your environment, and you're automatically alerted when vulnerabilities change in risk status.This shifts vulnerability management from a reactive posture to a predictive one, and makes prioritization effectively autonomous.
The role of Recorded Futureโs Integration Center
The Integration Center makes it straightforward to connect with popular security tools including Splunk, ServiceNow, CrowdStrike, and SentinelOne. Many of these integrations are pre-built and can be activated in just a few clicks, meaning there may already be value waiting to be unlocked within your existing SIEM, SOAR, EDR, TIP, vulnerability management tools, GRC platforms, and more.
Driving business value with integrated threat intelligence
Beyond operational efficiency, well-integrated threat intelligence workflows build organizational trust and give security leaders a stronger, data-backed narrative about how their teams are operating. Automating enrichment and response creates the space to focus on strategic prioritiesโand makes it easier to demonstrate the program's value to leadership.
The path toward autonomous threat operations requires sophisticated technology, seamless integrations, smart prioritization, and strategic planning. The best approach is simply to start: Activate a workflow, see the value it delivers, and build from there.
If you need help getting started or have questions about your organizationโs specific needs, book a custom demo.
Business impersonation is the hidden thread connecting old and new fraud. Discover how the same core tactic is fueling both a surge in commercial check fraud and an explosion of AI-powered online shopping scams targeting younger consumers.
Tools like Positive Pay and 3D Secure authentication, while effective against the fraud they were built to stop, have pushed threat actors to evolve their schemes in ways that render those controls irrelevant.
Ecosystem gaps are often the real vulnerability. Fraudsters exploit the chain of assumed trust between social media platforms, card networks, merchant onboarders, banks, and local business registries โ turning each party's reliance on the last into an open door.
If youโre a millennial or Gen Z-er, then you probably havenโt used a paper check in a while. According to the Federal Reserve Bank of Atlanta, just 1 out of 5 of your peers used a check in the last 30 days, versus 2 out of 5 Gen Xers and 3 out of 5 boomers. Yet despite year-on-year decreases in overall usage, Nasdaq Verafin saw check fraud instances rise another 11% in 2025.
Then again, if you are a millennial or Gen Z-er, you will have seen an advertisement for a cheap product on social media. For 40% of you, that has meant falling for an online shopping scam.
On the face of it, these look like two ends of the fraud spectrum:
On the one hand, we have what feels like the past: paper check usage rates even among those aged 65+ fell from 13% of transactions in 2013 to 6% in 2025 (Federal Reserve Bank of Atlanta).
On the other hand, we have the future: online shopping scams target a younger demographic through AI-enabled brand impersonation and sprawling social media ad ecosystems.
The payment instruments, demographics, and the teams working at financial institutions to address these problems differ. So whatโs the thread linking them together? Business impersonation. It manifests itself differently across schemes, but for anti-fraud systems built to detect check washing and counterfeiting on the one hand, and unauthorized third-party card fraud on the other, business impersonation has emerged as the fraudsterโs response to exploit both.
Commercial checks and copycat businesses across state lines
In the past, stolen checks were often whitewashed to change the recipient and amount, and then walked into banks for cashout. The Postal Inspection Service received over 299,000 mail theft complaints in a single 12-month periodโa 161% increase from the prior year. Recorded Futureโs Fraud Intelligence Team analyzed and mapped stolen checks to US geographies, illustrating hot spots of physical crime and observing that it remains a national issue that extends beyond heavily urbanized areas.
Mapping stolen checks by zip code; courtesy of Recorded Future
Yet even among declining consumer check usage rates, businessesโ use of commercial checks remains stubbornly high in the US: the Association for Financial Professionals (AFP) found that 91% of organizations are still using checks, and 63% experienced check fraud in 2024. When businesses send checks to suppliers, the amounts can rise quickly, leading fraudsters to expand beyond simple check-washing schemes.
In perhaps the most eye-catching example, fraudsters intercepted a commercial check destined for bubble-gum giant Bazooka in 2022. A $1.24 million check. Over the next two weeks, they transferred and withdrew over half a million dollars. Howโd they do it? You canโt just wash out the payee name on a million-dollar check, replace it with John Smith, and expect it to clear after depositing it into a personal checking account.
Instead, the threat actors just created a fake Bazooka. The real Bazooka is registered in Delaware under the name โThe Bazooka Companies, LLCโ, so culprits registered a fictitious company in New York under the name โThe Bazooka Companies 1 Incโ. They then used the official business license to open a corporate bank account for the new fictitious business. From there, they used cashier checks, withdrawals, and transfers to personal accounts to cash out the funds.
Fast forward to today, and the scheme is still happening. Recent research from Recorded Future Payment Fraud Intelligence(PFI) surveyed stolen checks for sale on Telegram in Q4 2025 and found over 30 checks with a business as the payee, along with suspicious new entities registered in other states a few days later. The total face value of the checks amounted to $2M.
As with most fraud, this schemeโs emergence is based on:
Exploiting ecosystem gaps between disparate parties: Businesses can have the same name as another when registered in different states. Pair that with most statesโ limited mandate to investigate business registrations, and weโre left with the first gap:
โAs long as the basic filing requirements are met, the office[s] may have little or no authority to question or reject a document submitted for filing or to verify information included in the filingโ (National Association of Secretaries of State, September 2025)
When a fraudster approaches a bank to open a business bank account, the bank conducts its own due diligence. But the focus here is on money laundering threats and the legitimacy of documents and applicants. If the fraudsters are using a clean identity โ synthetic or otherwise โ then the bank wonโt have a clear reason to reject the application just because a business called Johnโs Toilet Supply, LLC exists in another state.
Delivering a reactionary counterpunch to effective fraud processes: Think of this as the cat-and-mouse game. Fraud defenders figure out how to stop one scheme, forcing fraudsters to innovate. In this case, Positive Pay has proven remarkably effective at preventing check washing and counterfeit checks (when parties agree to use it). Payee Positive Pay, in particular, allows the payer to make sure that when their checks are deposited, the check number, date, payee name, and amount match their files. But what happens if everything is correct, but a copycat payee deposits the check? Cases like Bazooka.
80% discount on shoes? How can you say no?
If we detour into e-commerce, we see a very similar dynamic play out, but at a staggeringly larger scale. The premise is simple: use AI to launch a fake online shop impersonating company A, B, or C, buy ad space on social media to drive traffic, pocket the proceeds, and launder the funds while customers wait for goods that never arrive.
The scheme works because 53% of consumers, and 76% of Gen Zers, now begin shopping journeys on social media, according to Salesforceโs 2025 report. The problem is that the journey is littered with traps: in November 2025, leaked internal documents from Meta claimed the โcompany shows its platformsโ users an estimated 15 billion โhigher riskโ scam advertisements โ those that show clear signs of being fraudulent โ every dayโ. Industry reporting paints the same picture, with the Better Business Bureau finding online shopping scams as the most reported scam type and social media advertisements as the most common originator.
Brand impersonation shopping scams impacting shoppers in January 2026; courtesy of Recorded Future
The basics of the scheme are nothing new. Capture payment card data by creating a fake online store and advertise too-good-to-be discounts. Whatโs changed is that these are no longer just phishing websites. Theyโre functional online shops that process payments via merchant accounts. Behind each of these merchant accounts is a registered business.
This is creating problems throughout the ecosystem:
Cardholders see websites that exactly mimic major (and increasingly niche) brands, letting discounts outweigh better judgment.
Financial institutions face the challenge of balancing their duty of care to process customer transactions with the risks of fraud and money laundering. But in these cases, the traditional indicators of cyber-enabled fraud arenโt present. The cardholder is authorizing the transaction, and thereโs nothing suspicious within the behavioral or device indicators of the 3D Secure authentication stream. (Because, again, itโs the cardholder doing the transacting under manipulation.)
The fingers begin to point back at the acquirers and payment facilitators responsible for merchant onboarding, but, from their perspective, the entity holds a proper commercial license to engage in business issued by the local authorities. (Though, as a divergence from the check fraud scheme, the fraudsters in online shopping scams rarely impersonate a real big-name brand at the business creation and merchant onboarding stage. Instead, the fraudsters hide evidence of impersonation from the merchant onboarders and leave the impersonation for the ads and fake online shops visible to victims.)
But just like with the check fraud example, a big part of why online shopping scams have exploded โ outside of generative AI making brand abuse content easier than ever to create at scale โ is ecosystem gaps and fraudsters reacting to the defense:
Exploiting ecosystem gaps between disparate parties: By the time a victim is making a purchase on an online shopping scam website, each entity along the way has looked to the one before and trusted that due diligence had been performed. The cardholder wants to trust that the social media platform screened out malicious advertisers; the card issuer wants to trust the cardholder vetted the merchant; the card network wants to trust the merchant onboarder verified the business; and the merchant onboarder wants to trust local authorities properly licensed the business. A big, long line of incentivized trust.
Delivering a reactionary counterpunch to effective fraud processes: The industry has made huge strides in combating unauthorized, third-party card-not-present (CNP) fraud in the last decade. A major part of the success has been built on 3D Secure, introducing a layer of authentication on top of existing authorization controls. Online shopping scams completely sidestep the defensive layer by making the merchant the fraud surface and rendering cardholder authentication controls irrelevant.
Thinking towards the way out
On the check fraud side, the best solution may already be available, but, as with most solutions, it comes with trade-offs and adoption issues. The basic idea of Positive Pay and its derivative, Payee Positive Pay, is that a business informs its bank of the checks it is sending, and the bank only disburses funds if the check matches what the business provided. Positive Pay was designed to combat counterfeit and forged checks, and it does that very well.
Of course, in the Bazooka example of same-name business impersonation, this wouldnโt help. Nothing about the check was modified. So here, banks offer Reverse Positive Pay, which basically means the business personally signs off on each sent check. It can solve the problem but shifts more operational and investigatory expenses onto the business (which might explain why adoption rates are south of 20%, according to Datos Insights and Alkamai). In the end, though, it makes you wonder why not heed the advice and move to alternative electronic payment methods?
On the online shopping scam side, solutions are more complex and scattered across the ecosystem.
At the top of the funnel, thereโs rising pressure on online advertising platforms to do a better job at limiting the presence of fraudulent advertisements. Based on more leaked internal Meta documents, regulatory pressure may not be producing the desired outcome.
At the merchant onboarding level, both the major card networks are forcing acquirers and payment facilitators to do more to defend the gates into payment processing, while also devoting more resources to identifying scam merchants that do make it in.
For card issuers on the frontline, itโs a more delicate dance. Card issuers arenโt on the hook for authorized card payments to fraudsters under the Fair Credit Billing Act (FCBA) or Electronic Funds Transfer Act (EFTA), but 67% of cardholders expect them to cover scam losses. Though when cards transacting on scam websites end up on the dark web for resale, and unauthorized charges start rolling in, it is the issuerโs problem.
The best solution aligns with the industryโs movement toward CTI-fusion models to address the cyber component of cyber-enabled fraud. The convergence of online shopping and purchase scams is precisely the type of problem the new organizational model was meant to combat.
In applying the CTI-fraud fusion model to purchase scams, traditional fraud assets start at the end of the fraud attack chain to correlate reported cardholder manipulation and non-delivery alerts against merchant account patterns. The CTI assets start at the beginning, sourcing online shopping scams at runtime and attributing the abused merchant accounts. The two teams then meet in the middle, using modeled transaction patterns and threat-hunted active scam websites, ultimately leading to the deployment of merchant-based fraud risk rules.
So, in the meantime, where does all this leave us? The same thing youโve heard plenty of times: stop using checks if you can and donโt trust too-good-to-be-true offers from online ads.
How Recorded Future Helps
The research in this blog came directly from Recorded Future's Fraud Intelligence teams. Two capabilities speak to the threats described.
Payment Fraud Intelligence โ tracks the complete fraud lifecycle: for check fraud, it uses OCR to extract payee, amount, and date from compromised checks being sold in forums, enabling deposit screening against known stolen checks; for card fraud, it monitors compromised merchants, stolen cards on criminal marketplaces, and the tester merchants fraudsters use to validate cards before striking.
Digital Risk Protection โ provides continuous monitoring across millions of sources for malicious sites, brand and executive impersonation, data leakage, and dark web mentions โ with risk-based alerting that surfaces only actionable threats and takedown workflows built directly into the Platform.
TeamPCP exploited a single stolen credential to gain write access to trusted software repositories, inject credential-harvesting malware, and cascade across five ecosystems in five days.
Stolen credentials can enable payroll redirection, freight rerouting, and extortion โ active campaigns Insikt Group is tracking that show how a software supply chain breach can quickly become a business operations crisis.
Learn why an inventory of your software components isn't enough when malicious code is injected after the source commit, and what a truly effective defense โ combining third-party due diligence. cryptographic signing, and AI-driven anomaly detection โ actually requires.
In March 2026, a group calling itself TeamPCP compromised LiteLLM (a Python package with roughly 97 million monthly downloads used by thousands of organizations to connect to AI services) and Checkmarx (one of the most widely used application security testing platforms on the planet). How they got in isnโt publicly confirmed. But the result was write access to a trusted software repository.
From there, they injected a credential-harvesting payload into the software and poisoned two Checkmarx GitHub Actions workflows. The malware ran silently on installation, vacuuming up access keys, cloud credentials, secrets, and (the cruelest irony) every AI API key that LiteLLM was specifically designed to manage. The stolen data was encrypted, then pushed to a lookalike domain.
And here is the part that should keep you up at night: this was one campaign, by one group, in one week. The downstream consequences are still unfolding.
Identity Is the Perimeter (and the Attack Surface)
The throughline in the TeamPCP campaign is identity. Start to finish.
TeamPCP intelligence summary courtesy of Recorded Future.
No one has publicly confirmed exactly how TeamPCP gained access to the LiteLLM maintainerโs repository, but the most likely vector is stolen credentials. Recorded Futureโs identity intelligence contains almost 1 million compromised GitHub developer credentials harvested by infostealers and sold across dark web marketplaces. A single publishing token or access key, lifted from a prior infection and left unrotated, would have been sufficient. TeamPCPsโ earlier compromise of Aqua Securityโs Trivy infrastructure in late February (where incomplete credential rotation left residual access open for weeks) demonstrates exactly this pattern: one stolen token, one missed rotation, and the door stays open.
Whatever the precise mechanism, TeamPCP used valid credentials to push malicious code into trusted repositories. No firewall to bypass. No endpoint to exploit. Just a valid login and the implicit trust that comes with it.
Then the payload itself was designed to steal more identities. Each compromised environment yielded credentials that unlocked the next target. Trivy led to GitHub Actions. GitHub Actions led to four additional software distribution ecosystems. One incomplete incident response created a cascading chain of supply chain compromises across five ecosystems in five days.
This is the identity and access management problem stated as plainly as possible: if the perimeter is identity, then every stolen credential is a breach in the wall. And unlike a firewall rule, a stolen credential doesnโt trigger an alert. It just works.
We previously wrote about how deserialization vulnerabilities have plagued enterprise software for over a decade. The pattern is always the same: trusting input that should not be trusted. Supply chain attacks are the organizational equivalent. We trust the packages we install. We trust the pipelines we build. We trust the security tools we deploy. TeamPCP exploited every layer of that trust, starting with a single compromised identity.
The Impact Is Not Just Ransomware
TeamPCPsโ Telegram channel references a ransomware victimโs site. The group appears to operate as a ransomware affiliate and has publicly discussed extorting companies by threatening to release over 300 GB of stolen data. Reports indicate a possible collaboration with the Lapsus$ extortion group. Ransomware is the obvious play.
CipherForce intelligence summary courtesy of Recorded Future.
But ransomware is only the most visible impact. The more dangerous question is: what else can you do with over a million stolen cloud credentials, API keys, and service account tokens?
The answer, based on what Insikt Group is tracking across multiple unrelated campaigns, is far broader than encryption and extortion.
Redirect payroll. Late last year (2025) Insikt Group was monitoring activity around a campaign called โSwiper,โ run by likely Russian-speaking actors who set up phishing infrastructure impersonating major financial institutions and payroll service providers. Stolen credentials were transmitted in real time, enabling the actors to alter direct deposit accounts and redirect payments before anyone noticed. The responsible actor was identified through a dispute on a criminal forum, and their cryptocurrency wallet has processed over 7,000 transactions. This was a credential theft operation that converted identity compromise directly into financial theft. Now imagine that same playbook amplified by a supply chain attack that harvests payroll platform credentials at scale.
Reroute shipments. Separately, Insikt Group has identified TAG-160, a threat group targeting the US logistics and transportation sector. TAG-160 impersonates logistics companies, sends fraudulent rate confirmations via phishing emails, and delivers remote access malware. But TAG-160 has also been caught running โdouble brokering scams,โ where they pose as a legitimate carrier, obtain valid load details from a real broker, then re-advertise the load under the brokerโs name to contract a different carrier. The legitimate carrier moves the freight. The threat actor collects the payment. The real carrier never gets paid. A second, unrelated threat cluster targets German logistics companies with a similar playbook.
These are not theoretical scenarios. They are active campaigns running in parallel with the TeamPCP supply chain compromises. And the common denominator across all of them is credential theft and identity abuse.
In the five risk impact categories we use as a framework for translating cyber threats into business risk, the TeamPCP compromise touches every single one: operational disruption (ransomware, system lockout), financial fraud (payroll redirection, double brokering fraud, extortion payments), competitive disadvantage (credentials, trade secrets, PII), brand impairment (customers learning their security tooling was the vector), and legal and compliance consequences (breach notification obligations, potential liability for downstream impacts).
The tendency is to categorize supply chain attacks as a โsecurity tool problemโ or a โdeveloper problem.โ It is neither. It is a business risk problem whose blast radius extends from IT operations to payroll to logistics to the boardroom.
Organizations should ask how they can use AI-driven analysis to continuously verify the integrity of every package and build artifact entering their production systems. This means comparing distributed packages against their source repositories to detect injected code. It means analyzing updates to flag anomalous changes in behavior. It means automated provenance verification that traces software from source to distribution, flagging breaks in the chain.
But the TeamPCP campaign exposed a truth the industry has been slow to internalize: the security tools themselves are targets. TeamPCP specifically chose a vulnerability scanner and an application security platform because those tools have the broadest access to credentials and infrastructure. Compromising the tool that checks your code is the ultimate fox-in-the-henhouse scenario.
The organizations that weather this era of supply chain risk will be those that treat code integrity verification as a continuous, automated, AI-augmented process rather than a periodic audit.
So What. Now What.
TeamPCP is not done. Their Telegram channel explicitly states the operation is still unfolding, and they claim to be working with new partners to monetize stolen data at scale.
For security leaders, the immediate actions are straightforward: if your organization uses LiteLLM, Trivy, or Checkmarx GitHub Actions, assume compromise and rotate every credential on affected systems. Audit your software pipelines for unauthorized changes. Pin software dependencies to verified, immutable versions.
But the longer-term lesson is more fundamental. Supply chain attacks convert the trust model of modern software development into an attack surface. The packages you install, the tools you run, the pipelines you build: these are not neutral infrastructure. They are vectors. And the credential stolen today from a compromised software package could show up tomorrow as a payroll redirect, a rerouted shipment, or a ransomware demand.
The keys to your kingdom are scattered across every package manager, every automation token, and every service account in your environment. Someone is collecting them. And your supply chain breach is already someone elseโs payday.
How Recorded Future Helps
The TeamPCP campaign left signals at every stage. Three Recorded Future capabilities speak directly to this threat:
Identity Intelligence โ monitors infostealer logs, dark web markets, and credential dumps in real time, automatically detecting compromised employee credentials and triggering immediate response โ including the nearly one million compromised GitHub developer credentials already in Recorded Future's dataset.
Insikt Group โ elite analysts with deep government, law enforcement, and intelligence agency experience who produced the TeamPCP, Swiper, TAG-160, and CipherForce research in this blog. Customers see threats as they develop, not after they've made headlines.
Third-Party Risk โ continuously monitors vendors for ransomware extortion activity, breach indicators, and credential leaks, replacing point-in-time questionnaires with real-time visibility across your supply chain.
Recorded Future is now offering four solutions covering cyber operations, digital risk protection, third-party risk, and payment fraud.
Three tiered packages (Core, Professional, Elite) bundle these solutions to scale with an organization's security program.
Packages include unlimited users and integrations so intelligence reaches everyone who needs it.
The global threat landscape didn't simplify in 2025. It shattered. Recorded Future's Insikt Groupยฎ 2026 State of Security documented how geopolitical fragmentation, state-sponsored operations, and criminal ecosystem adaptation reshaped global risk. Threats that once stayed in distinct lanes converged, and they converged fast.
Consider what Insikt Groupยฎ tracked last year:
State-sponsored cyber actors shifted from intelligence collection to persistent access, pre-positioning inside target infrastructure so they can disrupt operations the moment geopolitical tensions escalate.
Weak governance and systemic corruption fueled industrialized cybercrime, enabling payment fraud and criminal operations to scale like legitimate businesses.
Influence operators and hacktivist groups multiplied alongside rising interstate conflict, amplifying fear, uncertainty, and doubt through exaggerated exploit claims.
Loosely organized criminal collectives used social engineering to compromise third-party SaaS platforms, rapidly adapting to law enforcement action and traditional defenses alike.
The risk surface has expanded well beyond networks and endpoints. Your brand, your third-party vendors, your payment networks: each has its own threat actors, its own attack methods, and its own intelligence requirements. Yet most intelligence programs only cover one of these domains. Or they monitor them in silos, with no shared context.
The right intelligence, from the right sources, at the right time, is a critical competitive advantage. But intelligence only matters if you can act on it across every critical risk domain before attackers reach their objective.
Re-Imagining How Intelligence Is Delivered And Operationalized
Historically, Recorded Future has been sold on a per-user and per-capability basis - a model that worked well in a simpler world where security teams were focused on solving the most urgent problem in front of them.
Todayโs threat landscape is fast, more complex, and deeply interconnected. Customers are no longer looking for point solutions, theyโre asking for a fundamentally different way to consume and operationalize intelligence.
Customers are asking us to provide:
Complete capabilities to support use cases aligned with core risk domains.
Democratized access to intelligence across teams, workflows and systems.
A simplified and predictable way to purchase for ease of budgeting and adoption.
In response, weโve re-imagined Recorded Future is delivered:
โFour Solutions. Three Packages. One Intelligence Foundation.โ
A unified approach designed to scale with your organization, accelerate time to value, and embed intelligence into every decision that matters.
Four Solutions for Four Critical Risk Domains
Your threats span your infrastructure, your brand, your vendors, and your payment networks. Your intelligence should too. Weโve re-organized our platform into four purpose-built solutions tied to distinct domains of enterprise risk.
Cyber Operations gives your security team the intelligence, workflows, and autonomous actions to detect, investigate, and respond to threats targeting your infrastructure. Alert triage, real-world vulnerability prioritization, malware analysis, proactive hunting: this is where reactive firefighting becomes predictive, intelligence-led defense.
Digital Risk Protection helps detect and disrupt threats that never touch your network but directly damage your business: brand impersonation, domain abuse, credential leaks, and phishing infrastructure across the open, deep, and dark web. With access to active infostealer logs and automated IAM remediation, your team can act on exposures within hours, not weeks.
Third-Party Risk delivers continuous, intelligence-driven monitoring of your vendor ecosystem. Security ratings combined with real-time threat intelligence surface breaches, ransomware activity, and dark web exposure days or weeks before formal vendor notification, giving your security and GRC teams evidence they can act on and defend to stakeholders.
Payment Fraud Intelligence identifies stolen payment cards, compromised checks, scam merchants, and web-skimming activity earlier in the fraud lifecycle, so financial institutions can stop losses before they materialize.
Each solution delivers complete, end-to-end capability for its risk domain. And because all four run on the same Intelligence Graphยฎ, a signal detected in one domain immediately enriches context across the others.
Three Packages That Scale With Your Program
Modern organizations operate across multiple risk domains. We are introducing three packages that reflect that reality, meeting customers where they are and scale as their programs mature.
Core is the foundation for intelligence-led security. It enables organizations to tackle essential use cases on day one - threat detection and alert triage, vulnerability monitoring, credential exposure detection, domain abuse monitoring, and executive impersonation protection. The package combines capabilities across Cyber Operations and Digital Risk Protection solutions, providing immediate, high-impact coverage.
Professional is built for organizations ready to mature their program and operationalize intelligence at scale. Building on Core, it introduces deeper insights and automation to extend team capacity - enabling autonomous threat hunting, multi-source correlation, and external asset discovery. The result is broader coverage, faster response, and more leverage for security teams without adding headcount.
Elite delivers the most comprehensive intelligence coverage available. By unifying Cyber Operations, Digital Risk Protection, and Third-Party Risk, it provides a complete view of risk across infrastructure, brand, and supply chain. With a single pane of glass, Elite operationalizes intelligence across workflows and teamsโfrom CTI to SOC to Riskโdriving smarter and faster risk-enabled decision making and response.
Across all packages, customers get full access to the Intelligence Graphยฎ, Recorded Future AI, all compatible integrations, APIs, and Collective Insights. No hidden costs or barriers to connect to your existing security stack.
Built for Everyone Who Needs Intelligence, Not Just Analysts
Intelligence only creates value when the right people can act on it. That's why our platform packages include unlimited users. Every analyst, every engineer, every stakeholder who needs intelligence gets it, with no seat limits and no trade-offs about who gets access.
For smaller teams building early-stage programs, we still offer flexible user-based licensing so you can start where it makes sense and expand as your program matures. Either way, pricing is predictable. You know what you're paying, and you can scale with confidence.
Every package also includes unlimited integrations from Recorded Futureโs hundreds of supported applications at no additional cost. Your SIEMs, EDRs, SOAR platforms, and ticketing systems all get equipped with real-time intelligence, so every analyst and engineer working in those tools benefits from enriched context without switching screens. Add Autonomous Threat Operations, and those same integrations become the foundation for autonomous hunting, detection, and prevention across your entire stack. Connected tools become an intelligence-led defense system that acts continuously, with minimal human intervention.
One Intelligence Foundation Across Every Domain
What makes this approach powerful isn't just simpler packaging. All four solutions and all three packages run on the same intelligence foundation: the Intelligence Graphยฎ, correlating over 1.2 million sources and 26 billion entities across cyber, digital, third-party, and fraud domains.
A credential leak detected in Digital Risk Protection immediately informs a Cyber Operations investigation. A vulnerability under active exploitation triggers prioritized patching in your workflow. A third-party vendor breach surfaces before the vendor discloses it. Intelligence flows across your entire risk surface, giving you the correlated, high-confidence context that point solutions can't deliver.
That's what it means to be intelligence-led. Not consuming more data. Connecting signals across domains so you can act earlier, with greater confidence, at machine speed.
The Path Forward
Adversaries in 2026 are faster, more coordinated, and more resourceful than they've ever been. They operate across every attack surface simultaneously, and they're accelerating.
Whether you're a team of three building your first intelligence program or a global enterprise running intelligence-led autonomous operations, there's a clear path. Start with the solution or package that matches your priorities today. Grow into deeper automation and broader coverage as your program matures. And at every step, you're backed by the most comprehensive and independent intelligence platform in the industry.
We built this for the threats you're facing right now, and the ones coming next.
In March 2026, Insikt Groupยฎ identified 31 high-impact vulnerabilities that should be prioritized for remediation, 29 of which had a Very Critical Recorded Future Risk Score.
These vulnerabilities affected products from the following vendors: Cisco, Microsoft, Google, ConnectWise, Langflow, Citrix, Aquasecurity, Nginx UI, Qualcomm, F5, Craft CMS, Laravel, Apple, Synacor, Wing FTP Server, n8n, Omnissa, SolarWinds, Ivanti, Hikvision, Rockwell, and Broadcom. This monthโs most affected vendors were Microsoft and Apple, together accounting for approximately 32% of the 31 vulnerabilities.
One vulnerability (CVE-2017-7921 affecting Hikvision) is approximately nine years old, reinforcing how attackers continue to exploit long-known weaknesses in environments where patching has lagged. Legacy and unpatched systems remain attractive targets. Defenders should not discount older CVEs; instead, they should prioritize based on observed activity, maintain strong asset visibility, and apply compensating controls where remediation is not possible.
In March, Insikt Groupยฎ created Nuclei templates for a high-severity path traversal vulnerability in MindsDB (CVE-2026-27483) and a critical missing authentication vulnerability in Nginx UI (CVE-2026-27944). Additionally, Insikt Groupยฎ had already published a Nuclei template for CVE-2025-68613 (n8n) in December, prior to its exploitation this month. We also identified public proof-of-concept (PoC) exploits for 10 of the 31 vulnerabilities.
Quick Reference: March 2026 Vulnerability Table
All 31 vulnerabilities below were actively exploited in March 2026. The table below also provides examples of public PoCs identified by Insikt Groupยฎ. These PoCs were not tested for accuracy or efficacy. Vulnerability management teams should exercise caution and verify the validity of PoCs before testing.
Table 1:List of vulnerabilities that were actively exploited in March based on Recorded Future data.
Key Trends: March 2026
Most commonly observed weaknesses: CWE-502 (Deserialization of Untrusted Data) and CWE-94 (Code Injection).
Two vulnerabilities and one exploit kit (consisting of 23 exploits, 12 of which are currently associated with specific CVEs) were linked to malware campaigns.
Interlock Ransomware Group exploited a zero-day in Cisco Secure Firewall Management Center to compromise enterprise networks, deploy custom remote access trojans (RATs), and facilitate ransomware operations.
Separately, the DarkSword iOS full-chain exploit enabled Safari-based remote code execution (RCE), sandbox escape, and kernel-level access, leading to deployment of the GHOSTKNIFE, GHOSTSABER, and GHOSTBLADE payloads.
The Coruna exploit kit similarly compromised iOS devices to deliver the PlasmaLoader (PLASMAGRID) malware.
These 9 vulnerabilities affected Google, Langflow, Craft CMS, Laravel, Microsoft, n8n, SolarWinds, and Apple.
Exploitation Analysis
This section analyzes two of the highest-impact, actively exploited vulnerabilities this month. Where applicable, it also highlights the availability of Nuclei templates created by Insikt Groupยฎ. The full list of reports and detection rules from March is available to customers in the Recorded Future Intelligence Operations Platform.
Interlock Ransomware Group Exploits Cisco FMC Zero-Day (CVE-2026-20131)
On March 18, 2026, Amazon Threat Intelligence published an analysis detailing an ongoing Interlock ransomware campaign exploiting CVE-2026-20131. CVE-2026-20131 is a critical vulnerability affecting Ciscoโs Secure Firewall Management Center (FMC) software that allows unauthenticated threat actors to execute arbitrary Java code as root on vulnerable devices. Cisco Secure FMC is a centralized management platform that allows administrators to configure, monitor, and control Cisco firewall devices and network security policies across an enterprise environment. According to Amazon Threat Intelligence, Interlock Ransomware Group exploited CVE-2026-20131 as a zero-day vulnerability beginning January 26, 2026, indicating active exploitation prior to its public disclosure and enabling early compromise of enterprise networks.
The Interlock Ransomware Group exploits vulnerable Cisco FMC instances via crafted HTTP requests exploiting CVE-2026-20131 to execute arbitrary Java code as root. After gaining access, the threat actors deploy a malicious ELF binary from a staging server at 37[.]27[.]244[.]222 (Intelligence Card) to support follow-on operations.
They then use custom Java- and JavaScript-based RATs, a memory-resident web shell, and proxy infrastructure to maintain access, enable lateral movement, and evade detection. Post-compromise activity includes reconnaissance, data collection and staging, and the use of legitimate tools such as ConnectWise ScreenConnect, Volatility, and Certify for remote access, credential theft, and privilege escalation.
Changes the machineโs desktop wallpaper that displays a pornographic image
Delays execution using the Sleep API function for evasion
Detects debuggers using the GetTickCount API function to compare timing
Figure 1:Risk Rules History from Hash Intelligence Cardยฎ for 6c8efbcef3af80a574cb2aa2224c145bb2e37c2f3d3f091571708288ceb22d5f in Recorded Future (Source: Recorded Future)
There's a category of employee credentials where standard monitoring often falls short: executives, finance leaders, IT administrators, and those with privileged access have a large target on their back.
VIP Credential Monitoring in Recorded Future is built to solve this problem. It continuously monitors for credential exposures tied to your most sensitive individuals across both work and personal accounts, and alerts your team fast enough to act before an account takeover occurs.
The Challenge with Protecting Your Most Targeted People
According to Verizon's 2025 Data Breach Investigations Report, credential abuse was the most prominent initial access vector observed across breaches. Attackers don't need to find a technical vulnerability to get inside your organization. Stolen credentials are widely available across criminal forums and dark web marketplaces, and buying access is often faster and cheaper than building an exploit.
What makes this particularly calculated is how threat actors decide which credentials to buy. Infostealer malware logs don't just capture usernames and passwords โ they capture the authorization URLs where those credentials were entered. According to Recorded Futureโs 2025 Identity Threat Landscape Report, 7 million credentials were indexed with identifiable authorization URLs, with 63.2% of those having been linked to authentication systems.
Figure 1: Top authorization URL categories, 2025 (Source: Recorded Future)
That means attackers can usually identify the access endpoints credentials unlock and they will prioritize accordingly. Executives and anyone with broad access to systems and data sit at the top of that list.
The 2025 cyber attack on University of Pennsylvania illustrates exactly how this plays out. A threat actor compromised a single employee's SSO credential and used it to move laterally across corporate systems, ultimately exposing data on approximately 1.2 million donors, alumni, and students. One credential, one login, and an organizational crisis.
The threat doesn't stop at corporate accounts. When attackers can't get hold of an executive's work credentials, they target personal accounts for these high-value targets. A personal email or social account can expose sensitive communications, private information, or material an attacker can use for extortion.
Corporate security controls don't extend to personal accounts. When those credentials are stolen, most security teams have no line of sight.
That gap between exposure and discovery is where the risk lives. Credentials stolen by infostealer malware are often purchased and weaponized within 48 hours of the compromise, potentially days or weeks before a security team has any indication something is wrong. For standard employee accounts, that window is serious. For your CEO or Head of Engineering, it's critical.
Monitoring Built for High-Value Targets
VIP Credential Monitoring provides continuous monitoring and alerting on compromised credentials for your high-value targets. Security teams can add personal or work email addresses for their executives and others with widespread access.
From that point forward, Recorded Future continuously monitors for those accounts across its full source coverage: infostealer malware logs from 30+ malware families, dark web forums, criminal marketplaces, paste sites, and breach dumps. When a VIP credential surfaces in that data, the team receives an alert with full contextual detail (malware family, authorization URL, compromised host information, etc.) so they can act with confidence.
Many executive monitoring solutions surface credential data that is days or weeks old by the time it reaches an analyst. By then, the window to get ahead of an attacker has often closed. For all stolen credentials indexed in 2025, Recorded future detected 36.4% within 24 hours of exfiltration, and 52.9% within one week.
The gap between when credentials are stolen and when a security team finds out is where breaches happen. Recorded Future closes that gap.
When a VIP credential appears in exposure data, teams can initiate a password reset, review active sessions, or reach out directly to the individual โ all before the credential is exploited. For identities that carry this level of organizational risk, getting ahead of the exposure isn't just operationally valuable; it can be the difference between a resolved alert and a significant incident.
A Complete Picture of Identity Exposure
VIP Credential Monitoring is built on the same intelligence infrastructure that powers Recorded Future Identity Intelligence broadly: the same source coverage, the same detection engine, the same alert and triage workflow. It applies that capability to a category of identities that warrant closer attention, without requiring a separate tool, process, or integration. That's the logic behind Identity Intelligence as a whole: a unified view of credential exposure across every category of identity your organization needs to protect, covering employees, customers, and your highest-risk individuals.
For teams already using Identity Intelligence to monitor employee and customer credentials, VIP Monitoring is a targeted extension of coverage that fits into what they've already built. Any VIP credentials identified will benefit from the same core features of Identity Intelligence.
This includes Incident Reports, which surfaces any other credentials that may have been compromised from the same machine, and Customizable Alerting, which streamlines prioritization of these detections and can trigger response workflows through existing integrations with Okta, Microsoft Entra ID, XSOAR, Splunk, and others.
Attackers don't limit their targets to one type of account, and your monitoring shouldn't either. To see where you stand today, request a free Identity Exposure Assessment Report and get a concrete, evidence-based picture of your organization's credential exposure over the past year. Contact us to learn more about how Recorded Future can help your organization protect its identities and to see a demo of the platform in action.
For years, the cybersecurity industry has treated third-party risk management as a compliance exercise. Assess your vendors. Assign a score. File the report. Move on. That model was built for a different era. One where supply chains were smaller, threat actors were less sophisticated, and a quarterly questionnaire could reasonably approximate a vendor's security posture. That era is over.
Today, the average enterprise works with hundreds of third parties. Threat actors actively target the weakest links across those supply chains, not because the vendors themselves are the prize, but because they're the path of least resistance into larger, more valuable targets.
Ransomware groups list vendors on extortion sites before those vendors even know they've been compromised. Stolen employee credentials surface on dark web forums undetected. Critical vulnerabilities are weaponized in hours, not months. In this environment, a security rating is necessary. But it is nowhere near sufficient.
Recognized in the 2026 Forrester Waveโข
Recorded Future was recently included in The Forrester Waveโข: Cybersecurity Risk Ratings Platforms, Q2 2026. (The report is available online to Forrester customers or for purchasehere).
We see this recognition as a reflection of the market's evolution โ and as an acknowledgement of the direction we've been building toward.
We believe the cybersecurity risk ratings market is at an inflection point. Analysts and practitioners alike recognize that the category is moving beyond standalone ratings toward integrated intelligence and actionable insights. We see our inclusion in this evaluation as confirmation that the convergence of hygiene data and threat intelligence isn't a niche play โ it's where the market is heading. In light of where the ratings market is today, letโs dive into where Recorded Future is going and how Recorded Future envisions the future of securing the third-party ecosystem.
The Gap Between Hygiene and Intelligence
Cyber risk ratings have earned their place in the security stack. They provide a standardized, scalable way to evaluate a vendor's external security posture โ patching cadence, encryption practices, DNS configuration, exposed services. That hygiene baseline matters. It's a correlative signal for breach potential, and it gives risk teams a common language for comparing vendors and benchmarking against industry peers.
But hygiene ratings only answer part of the problem: How well is this vendor maintaining their defenses?
They don't tell you whether anyone is actively trying to breach those defenses. They don't surface the dark web chatter on a specific vendor. They don't alert you when a vendor's credentials are leaked or has an active malware infection. This is the gap that has left third-party risk programs perpetually reactive. Teams learn about vendor compromises from news headlines or from the vendors themselves โ often days or weeks after the initial breach. By then, the window for proactive response may have closed.
From our own customer conversations, we hear that security and risk teams have shifted from wanting ratings and accuracy alone to demanding intelligence that reveals real cybersecurity risk, with prioritized findings and actionable remediation guidance. Ratings are increasingly commoditized. The differentiation now lies in what you do with the data, and what additional signals you bring to the table.
Third-Party Risk Management Is an Intelligence Operation
If you accept that ratings alone aren't enough, the logical next step is clear: third-party risk management must be treated as an intelligence operation.
That means combining the hygiene baseline โ the outside-in view of a vendor's security posture โ with real-time threat intelligence that tells you who is being targeted, how, and what you should do about it. It means shifting from periodic assessments to continuous monitoring. It means equipping risk teams with the context to distinguish between a low-priority configuration issue and a vendor whose infrastructure is actively under attack. This is the problem Recorded Future Third-Party Risk was built to solve.
We've brought together two distinct capabilities that, until now, existed in separate worlds.
RiskRecon โ built over a decade as one of the industry's leading cyber risk ratings platforms, trusted by 21,500+ users across 30+ industries, provides the hygiene foundation: transparent, evidence-backed security ratings evaluated across 40+ criteria in 9 security domains, with 99% audited data accuracy.
Recorded Future's threat intelligence capabilities, powered by collection and analysis across more than 1 million sources, adds the threat dimension: real-time alerting on ransomware extortion activity, dark web exposures, credential leaks, and active vulnerability exploitation โ often before the affected vendor is even aware.
Together, these capabilities create something the market hasn't had before: a single solution that covers the full lifecycle of third-party risk, from initial assessment and onboarding through continuous monitoring and incident response.
What This Looks Like in Practice
The value of combining hygiene ratings with threat intelligence isn't theoretical. Our customers are already seeing it play out.
When a vendor appears on a ransomware extortion site, Third-Party Risk customers can receive alerts in hours โ not the days or weeks it takes for vendor self-disclosure.
When credentials associated with a monitored vendor surface on dark web markets, risk teams can initiate outreach and remediation before those credentials are weaponized.
When a critical vulnerability is disclosed, intelligence context helps analysts determine which vendors are actually exposed and at risk of exploitation, rather than treating every vendor with the affected software as equally urgent.
Customers consistently report a roughly 33% increase in visibility into third-party risks after adopting the platform (UserEvidence). Teams save an average of 7 hours per week that was previously spent on manual research and monitoring (UserEvidence). And customers routinely detect vendor incidents before the vendor itself has disclosed โ turning what used to be a reactive scramble into a controlled, proactive response.
These aren't incremental improvements. They represent a fundamental shift from reactive compliance to proactive risk management.
Where We're Going
We're not done. Bringing RiskRecon and Recorded Future together was the first step in a broader vision for what third-party risk management should become.
Our roadmap is focused on deepening the integration between these two platforms into a unified experience. One where hygiene ratings, threat intelligence, and risk workflows operate seamlessly together. We're investing in AI-driven capabilities that will help risk analysts cut through noise faster, automate routine assessment workflows, and surface the insights that matter most. And we're building toward predictive intelligence that doesn't just tell you what's happening now, but helps you anticipate where risk is headed.
The goal is straightforward: make third-party risk management as data-driven, automated, and intelligence-led as the best security operations programs already are.
Join the Shift to Intelligence-Driven Third-Party Risk
Third-party risk programs that rely exclusively on hygiene ratings will continue to be caught off guard. The vendors who score well on a Tuesday can be breached by Wednesday. The questionnaire response you received last quarter may not reflect today's reality.
The organizations that are getting ahead of this are the ones treating third-party risk as what it actually is: an intelligence operation that requires continuous monitoring, real-time alerting, and the context to act decisively when something changes.
That's the future we're building. And we believe we're the only ones building it with the depth of intelligence and the strength of ratings data required to get it right.
Recorded Future is the Worldโs Largest Intelligence Company. Our team works to build products that customers love. In this video, Kyle Kohler interviewed with VentureFizz about his day-to-day as a Senior Product Manager for Integrations. He describes the job as truly multifaceted, encompassing starting new strategic initiatives, turning customers feedback into improvements, and enabling other team members to do the same. Full video and transcript available below.
Iโm Kyle Kohler. Iโm a product manager over the integration strategy at Recorded Future.
Recorded Future is the worldโs largest threat intelligence provider. We are covering all sorts of domains of intelligence. Itโs geopolitical intelligence, cyber intelligence, payment fraud intelligence. And essentially intelligence is this data that an organization uses to take action and make a better decision. So the more that you understand a subject or topic, a current event, the better that you can define what actions you take to either defend your organization or proactively increase your competitive edge.
As a product manager, itโs funny. I see it as this arson firefighter educator role. And I think that definitely needs to be unpacked a bit. As an arson, youโre starting fires. So, very strategically, which fire do I put under which team, under which initiative, which fire do I stoke and one do I burn hotter? And as a firefighter, youโve got maybe fires coming in being reported to you from a customer, from an organization, from another product team who needs this other product team to make something happen. And so, youโre very strategically figuring out what to stamp out, what to stoke. And as an educator, youโre also teaching others how to start fires and put out fires. So, youโre constantly going from one thing to the next and keeping all of these moving pieces going. Thereโs no one project that you just shepherd along and thatโs the only thing you work on. Youโre constantly context switching and a good product manager has that multi-domain knowledge to think laterally, but also track how this thing affects that thing and how it might affect the other thing in the future.
At Recorded Future, weโre a global organization and Iโm based on the west coast of California. So I wake up in the morning and the first thing Iโve got are 10 to 12 Slack messages from across the globe that come in from different geographies. Other people are ending their day and theyโve got some questions that maybe I can answer or theyโre looking for how to direct on who might have the right answer. So the first thing generally starts with voraciously checking Slack and Iโm answering notifications as I mentioned questions and the next thing is okay well from the answers to those questions are there new initiatives that need to get spun up or are there existing initiatives that need to get nudged along or are there certain fires that need to get stamped out and thatโs the whole day is youโre really tracking where things are in their current state what needs to get responded to and what needs to get pushed along.
Recorded Future really was attractive to me because it was a pretty new field within cyber security and within technology but also as a company was not just related to IT and cyber had this geopolitical and payment fraud type of angle looking at the world. So it was really taking a big data problem how do you track everything that happens everywhere but then how do you break that down into these bite-sized pieces that ultimately help an organizationโs current mission. So I really was attracted by the fact that we are helping organizations secure the world. Weโre able to do that by securing the world with intelligence, but itโs so multi-domain that youโre just never going to get bored. Thereโs always something new. Thereโs always something to track. Thereโs always some new threat. Thereโs always some new initiative, some new innovation. And Recorded Future has really been at that cutting edge of innovation. Always coming up with whatโs next in the market, whatโs next in the threat landscape and how will we as a company address supercharging the existing missions of our organizations that we help today.
Payment fraud no longer operates as a collection of discrete schemes run by individual threat actors.
It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks.
According to Recorded Future's Annual Payment Fraud Intelligence Report: 2025, this industrialization was driven by technical advances and increasingly professionalized support services.
The Magecart e-skimmer supply chain is the clearest example. Full-stack e-skimmer kits and Malware-as-a-Service (MaaS) offerings have made large-scale compromise of ecommerce websites accessible to less technically capable threat actors.
The "Sniffer by Fleras" kit, responsible for 26% of all e-skimmer infections observed in 2025, includes a web-based portal for generating malicious scripts and a management server for stolen data. The result was more than 10,500 unique Magecart infections active at some point during the year, likely compromising more than 23 million transactions.
Additionally, the "AcceptCar" e-skimmer, discovered in H2 2025, illustrates how far the service model has matured. Operators handle installation and operation on compromised e-commerce sites; in return, threat actors pay 50% of proceeds from card data sales or 70% of raw data intake. Using services like AcceptCar, fraud threat actors can participate in large-scale compromise operations without owning or managing any underlying infrastructure.
Figure 1: Line graph showing Magecart e-skimmer infections in 2025, by different groups, kits, and techniques. (Source: Recorded Future)
Recurring patterns in merchant registration data indicate that scam operators have standardized their merchant acquisition workflows, standing up fraudulent payment infrastructure at scale through repeatable, low-friction processes.
Card testing operates on the same service-economy logic. Telegram-based card testing services validated at least 27 million card records in 2025 through public-facing card generation and testing channels that any threat actor can access.
Among dark web checker services, over 1,350 legitimate merchant accounts were abused for card testing, with 94% not observed prior to 2025, suggesting systematic rotation to stay ahead of detection.
Figure 2: Graphic illustrating the purchase scam attack chain. (Source: Recorded Future)
The Ecosystem Is Concentrated Upstream
Notably, each of these industrialized attack vectors sits upstream of the fraudulent transaction. E-skimmer infections and scam merchants compromise card data during online purchases. Card testing validates that stolen data before itโs monetized.
Fraud outcomes are visible, but the pathways that enable them are often not.
"Fraud outcomes are visible, but the pathways that enable them are often not."
This industrialized scale across these attack vectors requires standardization, and standardization produces detectable patterns.
When 26% of e-skimmer infections trace back to a single kit, when scam operators reuse merchant registration patterns across hundreds of acquirers, when card testers rotate through predictable BIN attack workflows, the convergence that makes fraud scalable also makes it mappable. As that standardization deepens, a single indicator of compromise reaches further across the threat landscape.
That standardization creates something concrete: a window.
Magecart infections are active and identifiable before stolen card data is harvested. Scam merchants often display detectable signals, including recent domain registration, merchant rotation, and merchant category code mismatches.
Card testing activity reveals when a monetization attempt is likely to occur.
Each stage represents an opportunity to act before fraud registers as a financial loss.
Transaction Monitoring Looks at the Wrong End of the Lifecycle
Transaction monitoring and behavioral fraud models are built to detect anomalies at the point of payment, like unusual spend patterns, velocity, and geographic inconsistencies. They do what they were designed to, but provide no visibility into the increasingly industrialized, pre-monetization stages that were built to avoid detection by these traditional processes.
Purchase scams are explicitly designed to circumvent transaction-based controls by manipulating cardholders into authorizing the fraudulent transaction themselves, making the payment appear legitimate by design.
Card testers cycle through new merchants specifically because historical tester merchants get flagged (94% of tester merchants identified in 2025 were not previously observed). A detection approach built around transaction signals will always be working with information that arrives after the upstream infrastructure has already done its job.
As the upstream ecosystem industrializes, the volume of activity that transaction monitoring cannot see has grown. With purchase scam detections more than quadrupling year-over-year and Magecart infections having likely compromised more than 23 million transactions in 2025 alone, the cost of that blind spot compounds.
Maintaining an effective fraud posture will increasingly require financial institutions to complement reactive account monitoring with proactive, intelligence-informed defenses.
How Recorded Future Payment Fraud Intelligence Addresses This
With daily monitoring of Magecart-infected sites and enriched merchant data that integrates with transaction monitoring, Payment Fraud Intelligence can enable detection of high-risk merchants months before stolen card data appears for sale.
Additionally, the Scam Merchants dataset can identify fraudulent merchant accounts and their associated domains before customers are defrauded and before downstream card data reaches criminal markets.
Tester merchant monitoring surfaces card testing activity as an early signal of which portfolios are being targeted ahead of any monetization attempt.
Because Payment Fraud Intelligence monitors the sources, kits, and infrastructure that threat actors have increasingly standardized around, a single identified indicator can surface exposure across a portfolio at scale.
According to Recorded Future data, 75% of compromised cards are identified before fraud occurs, and 90% of compromised card assets are identified within hours of a breach.
The pre-monetization window will not narrow as the fraud ecosystem matures โ if anything, the report's data suggests it will widen as standardization deepens. Financial institutions with visibility into that window can act before losses occur. Those without it will continue to respond after the fact.
The expanding conflict around Iran signals a deeper shift. We have entered an era of quantum geopolitics, where the old rules of the international order no longer apply. What began as a regional confrontation is already reshaping global markets, supply chains, and corporate security planning. Leaders must adapt how they think, spend, and communicate in a system where uncertainty is not a risk to manageโit is the operating environment itself.
What is Quantum Geopolitics?
A useful analogy comes from physics.
Classical systems produce predictable outcomes. Quantum systems behave probabilistically, where interactions in one place can produce distant effects.
International politics increasingly resembles the latter.
The assumptions that shaped corporate strategy for decadesโdurable alliances, expanding globalization, and broadly coherent regulationโare weakening. Geopolitical shocks now move rapidly through tightly interconnected systems.
Four dynamics define how this system now behaves.
๐ Superposition: Friends, Rivals, and Everything in Between
Countries can no longer be neatly categorised โallyโ or โadversary.โ They exist in overlapping states, with true alignment revealed only in moments of crisis.
States balance security partnerships with the West while maintaining economic ties with rivals. Turkey supports Ukraine diplomatically while sustaining trade flows that benefit Russia. India deepens defence ties with the United States even as it increases purchases of Russian oil.
Public statements offer limited guidance. Trade flows, enforcement patterns, and technology controls are more reliable indicators of intent.
For multinational firms, geopolitical positioning is no longer fixed. It is fluid.
๐ The End of Guarantees: Promises Now Come with Caveats
Security commitments, trade access, and regulatory stability have shifted from certainties to probabilities.
Export controls can reroute supply chains within months. Sanctions regimes expand or unwind quickly. Even long-standing alliances depend on political will at the moment they are tested.
For businesses, this means long-term investments now carry elevated policy risk.
Leaders must plan for variance.
๐งฌ Quantum Entanglement: Local Conflicts Are Not Local
Global systemsโfinancial, technological, logisticalโare tightly coupled. Regional conflicts now generate immediate global effects.
Threats to Gulf commercial hubs disrupt international banking. Instability in the Strait of Hormuz drives energy price volatility and strains global shipping insurance. Cyber campaigns tied to the conflict target companies far beyond the region.
Disruption is rarely contained. Risk can no longer be managed by geography or function alone.
๐ฌ The Observer Effect: Whoever Sets the Rules First Wins
Influence increasingly derives from shaping rules rather than operating within them.
States that move early to establish standards in artificial intelligence, semiconductors, digital infrastructure, and financial regulation compel others to adapt.
Waiting for clarity can therefore be a strategic liability in itself. If you do not shape the agenda, you become subject to it.
Why This Moment Feels Different
These dynamics are most visible in cyberspace, where geopolitical competition unfolds continuously below the threshold of open conflict.
State-sponsored actors operate inside corporate networks without triggering overt confrontation. Criminal groups, proxies, and intelligence services overlap, complicating attribution and response.
The boundary between geopolitical conflict and corporate exposure is now thin. A single breach can trigger regulatory scrutiny, customer loss, market volatility, and diplomatic tension at once.
Cybersecurity is no longer a technical function. It is a core enterprise risk.
How Security Leaders Should Respond
In a system governed by probabilities rather than predictability, security leaders must adapt how they think, allocate resources, and position their organizations.
1. Mindset Shift: Scenarios, Not Forecasts
Replace long planning horizons and static risk assessments with continuous scenario planning. Tools such as the Cone of Plausibility can stress-test responses to sanctions escalation, maritime disruption, regulatory fragmentation, or supply chain shocks.
Evaluate decision speed, cross-functional coordination, and response thresholds under pressure. Adaptability matters more than accuracy.
2. Spending Shift: Invest in Resilience, Not Just Efficiency
Systems optimized solely for efficiency often lack resilience.
Diversifying suppliers, strengthening sanctions compliance, improving cybersecurity, and increasing visibility into third-party exposure can reduce vulnerability to geopolitical shocks.
Resilience is not a defensive expense; it is operational insurance.
3. Communication Shift: From Reporting to Action
Security leaders must translate geopolitical developments into clear decision frameworks before crises materialize.
This requires close coordination across legal, finance, and operations, as well as proactive engagement with regulators and industry partners.
Speed and clarity determine whether the organization shapes outcomes or reacts to them.
Final Thoughts
The Iran conflict offers a preview of what comes next. Alliances are conditional. Economic pressure, cyber activity, and regulatory responses unfold simultaneously.
Quantum geopolitics does not eliminate strategy. It demands a different kindโone built on scenario readiness, structural resilience, and faster decision cycles.
Leaders who wait for clarity will move too late.
Those who organize for uncertainty will operate ahead of it.
To access the latest InsiktGroupยฎresearchclick here.
Insikt Groupยฎhelps Recorded Future secure our world with threat intelligence. With deep experience in government, law enforcement, military, and intelligence agencies, we power the Recorded Future Platform with analyst-validated data, analytics, along with cyber and geopolitical intelligence. This enables our customers to reduce risk and prevent disruption.
Credential theft is the dominant initial access vector for enterprise breaches. In 2025, Recorded Future detected:
1.95 billion malware combo list credential exposures
36 million database combo list credential exposures
24 million database dump credential exposures
892 million malware log credential exposures
Five findings stand out from the data:
Credential theft accelerated as the year progressed. Recorded Future identified 50% more credentials in the second half of 2025 than in the first half of the year. 90% more credentials were identified in the last three months of the year than in the first three months
Stolen credentials are targeted, not random. Of the 7 million credentials indexed with identifiable authorization URLs, 63.2% were tied to authentication systems. VPNs, RMM tools, cloud platforms, and detection software also featured prominently โ meaning attackers are often going directly for the systems that provide the broadest access and, in some cases, the ability to blind security teams entirely.
Infostealer malware is outpacing traditional breach detection. Each compromised device yielded an average of 87 stolen credentials. The scale and precision of modern infostealers means a single infected endpoint โ including a personal device used to access corporate systems โ can expose an entire organization.
MFA alone is no longer sufficient protection. 276 million of the credentials indexed in 2025 included active session cookies, meaning attackers can bypass multi-factor authentication entirely. This represents 31% of all malware-sourced credentials.
Detection speed is the decisive advantage. Over half of all credentials (53%) were indexed within one week of exfiltration, and 36.4% within 24 hours. Organizations that act on intelligence quickly can intervene before stolen credentials are exploited.
The Scale of the Problem: Compromised Credentials in 2025
Volume Grew Throughout the Year
Credential compromise from malware logs was not a static risk in 2025 โ it compounded. Recorded Future observed a consistent upward trend throughout the year, with the second half producing 50% more indexed credentials than the first.
The final three months of the year were particularly active: They saw 90% more volume than the first three months, reflecting both the continued proliferation of infostealer malware-as-a-service (MaaS) and the disruption and reformation of major malware families mid-year (covered in detail in the malware section below).
CHART 1: Monthly credential volume from malware logs, full year 2025 (Source: Recorded Future)
What this means for security teams: Seasonal or quarterly threat reviews are insufficient. The volume and pace of credential exposure in 2025 demands continuous monitoring โ not periodic audits.
What do Those Credentials Actually Unlock?
CHART 2: Top authorization URL categories, 2025 (Source: Recorded Future)
More credentials exposed means more doors open to attackers. The authorization URL data from 2025 reveals exactly which doors they're targeting โ and the picture is stark.
Of the 7 million credentials with high-risk authorization URLs indexed in 2025, 63.2% were tied to authentication systems. The next largest categories were web content management (9.95%) and cloud computing (7.58%), followed by remote monitoring and management tools (6.19%) and email infrastructure (3.87%).
This is not a random distribution. Authentication systems, cloud platforms, and remote access tools โ VPNs at 2.4% and RMM tools at 6.19% โ are precisely the systems that give attackers the broadest foothold inside an organization. A single stolen credential for an authentication portal or VPN can serve as the entry point for lateral movement, privilege escalation, and ultimately a full breach.
The presence of detection and response software (1.17%) and SIEM platforms (0.06%) in this list is particularly notable. Credentials for the tools organizations rely on to detect attacks are themselves being stolen โ giving attackers the ability to blind security teams before they strike.
What this means for security teams: The value of a stolen credential is determined by what it unlocks. Prioritize monitoring and rapid response for credentials tied to authentication systems, remote access tools, cloud infrastructure, and security platforms โ these can represent the highest-leverage targets for attackers operating with stolen credentials.
A Global Problem With Regional Concentration
Compromised credentials were indexed from organizations across the globe. The ten countries with the highest credential volume in 2025 were:
Table 1: Credentials indexed by country (Source: Recorded Future)
MAP 1: Credentials indexed by country (Source: Recorded Future)
The breadth of this data underscores that credential theft is not concentrated in a single region or industry โ it is a universal risk. Organizations with global workforces, multinational supply chains, or international customer bases face exposure across multiple geographies simultaneously.
The Anatomy of a Compromise: What Attackers Actually Steal
87 Credentials Per Device
When an employee's device is infected with infostealer malware, the damage rarely stops at one account. In 2025, the average compromised device yielded 87 stolen credentials โ spanning corporate applications, personal accounts, and cloud services accessed from the same machine.
Recorded Future's Compromised Host Incident Reports surface the full scope of each device-level infection, including the malware family responsible, file paths, IP addresses, and infection timelines. This context is what separates actionable intelligence from a list of leaked passwords.
What this means for security teams: A single alert should trigger a device-level incident response, not just a password reset. Understanding what else was on that machine โ and what else may have been exfiltrated โ is essential to containing the full extent of the exposure.
The Cookie Problem: Why MFA Isn't Enough
One of the most significant findings from 2025 is the volume of credentials that included active session cookies alongside stolen passwords. Recorded Future indexed 276 million credentials with cookies โ 31% of all malware-sourced credentials โ a figure that grew 30% from the first half of the year to the second half.
Session cookies allow attackers to authenticate as a user without entering a password or completing an MFA challenge. They effectively render secondary authentication controls irrelevant for as long as the session remains active.
December was the single highest month for cookie-bearing credential exposure, indexing 18% more than the next highest month (November).
CHART 3: Monthly volume of credentials with cookies, 2025 (Source: Recorded Future)
What this means for security teams: MFA enrollment is necessary but not sufficient. Organizations should monitor for session cookie theft specifically, enforce shorter session token lifespans for high-risk applications, and treat any credential exposure from an infostealer log as a potential authentication bypass โ not just a password reset trigger.
The Infostealer Ecosystem: How the Malware Landscape Shifted in 2025
LummaC2: The Year's Dominant Threat
LummaStealer emerged as the most widely deployed infostealer of 2025. Operating under a malware-as-a-service model since late 2022, it matured significantly over the past year, targeting Windows systems to harvest browser credentials, session cookies, cryptocurrency wallets, and two-factor authentication tokens.
Its distribution relied heavily on social engineering โ fake software downloads and "ClickFix" techniques that trick users into executing malicious commands disguised as CAPTCHA challenges. Recent campaigns used CastleLoader for delivery, running obfuscated payloads in memory to evade detection.
In May 2025, a coordinated law enforcement action neutralized more than 2,300 LummaC2 command-and-control domains. The disruption was significant โ but not fatal. LummaStealer operators migrated to bulletproof hosting services and employed sophisticated sandbox evasion techniques, including trigonometric analysis of mouse movements to avoid automated detection environments. Activity continued under private, select-affiliate operations through the remainder of the year.
How the Rest of the Ecosystem Responded
The 2025 infostealer landscape was shaped as much by law enforcement disruption as by attacker innovation. Each takedown created a vacuum that other malware families quickly filled.
Early 2025: The late-2024 law enforcement actions against RedLine and META pushed users toward emerging MaaS alternatives, consolidating volume around LummaC2 and accelerating its dominance through Q2.
Mid-2025: Following the LummaC2 disruption in May, established families โ Rhadamanthys, Vidar, and StealC โ absorbed the displaced activity. Rhadamanthys led through the summer until its own infrastructure was taken down by law enforcement in November 2025. Vidar stepped into the lead position thereafter.
Rebranding as a survival strategy: Disruption prompted reinvention. StealC relaunched as StealC v2. Vidar operators attempted a similar rebrand. These moves reflect a deliberate effort by malware developers to obscure continuity and frustrate attribution.
macOS: Atomic macOS Stealer (AMOS) dominated the macOS market through most of 2025, disappearing in October before returning in February 2026. MacSync (formerly Mac.C) emerged as the primary commodity macOS infostealer by year end.
Private operations grew: Increased law enforcement pressure on publicly accessible MaaS tools pushed sophisticated threat actors toward private infostealers with restricted affiliate access. Acreed (also known as ACR Stealer) and Odyssey Stealer represented the most significant private-operation families of 2025. Private Lumma operations also continued post-disruption.
What this means for security teams: Malware family names change. Takedowns create temporary disruption, not permanent resolution. Organizations that track exposure by malware family rather than only by leaked credential volume will be better positioned to understand the true source and scope of each incident.
Recommendations for Security Teams
The 2025 data points to four areas where security teams can meaningfully reduce their exposure to credential-based attacks.
1. Extend monitoring to personal devices. The majority of infostealer infections occur on personal devices used to access corporate systems โ a risk that endpoint detection tools and traditional perimeter controls cannot address. Monitoring infostealer malware logs directly provides visibility into these exposures before they are weaponized.
One large automotive parts distributor found that Recorded Future surfaced stolen credentials tied to an employee's personal device โ an exposure their existing tools had no visibility into and would likely never have caught.
2. Treat session cookie exposure as a critical-severity event. With 276 million credentials carrying active cookies in 2025, any infostealer-sourced credential exposure should trigger immediate session invalidation in addition to a password reset. MFA bypass via stolen cookies is not a theoretical threat โ it is an observed, frequent attack pattern.
3. Automate response workflows to close the detection-to-remediation gap. The data shows that most credentials are indexed within days of theft. Organizations that have pre-built response playbooks โ automatically checking Active Directory, clearing sessions, forcing resets, and notifying managers โ respond in minutes rather than hours.
"We created a custom SOAR playbook using the Identity Intelligence module. This playbook takes the information of compromised corporate user accounts, runs an Active Directory check for the credentials, clears user sessions and resets the password if the account is found to be compromised. It also notifies the user's manager for email response. To date, we have processed over 330 different identity alerts. " โ Bryan Cassidy, Lead Cyber Defense Engineer, 7-Eleven (UserEvidence)
4. Monitor your entire domain footprint โ including subsidiaries and third parties. Some of the most consequential exposures in 2025 involved obscure subsidiaries and supply chain partners, not core corporate domains. Attackers do not limit themselves to obvious targets. Security teams shouldn't limit their monitoring to obvious domains either.
One large international financial services firm detected an infostealer on a third-party service provider's machine through Recorded Future โ surfacing a supply chain exposure that would have been invisible through traditional monitoring alone.
The Recorded Future Advantage: Detection Speed โ From Exfiltration to Alert in Hours
The gap between when credentials are stolen and when a security team finds out is where breaches happen. Most organizations discover compromised credentials days or weeks after the fact โ through a public breach disclosure, a tip from law enforcement, or an incident that's already underway.
Recorded Future closes that gap. In 2025, 36.4% of all indexed credentials were detected within 24 hours of exfiltration, and 52.9% within one week. By the time stolen credentials are being traded or weaponized, Recorded Future customers have already been alerted.
Credential Exfiltration Breakdown
Within 24 hours
36%
Within 1 week
53%
Within 1 month
85%
Within 1 year
99%
Over 1 year
1%
Table 2: Exfiltration freshness breakdown (Source: Recorded Future)
Speed matters because attackers move fast. Infostealer logs are often listed for sale within hours of collection. Every day between exfiltration and detection is a day an attacker may already have access. The 15.3% of credentials not detected within a month illustrate what happens when that window stays open โ extended attacker dwell time, lateral movement, and incidents that escalate into major breaches.
For Recorded Future customers, early detection is only half the equation. Pre-built integrations with Okta, Microsoft Entra ID, and SOAR platforms like XSOAR mean that when a credential alert fires, automated workflows can clear sessions, force password resets, and notify managers โ without waiting for an analyst to pick up the ticket.
A large international financial services firm's Team Lead described a recent credential leak: identified and escalated in under 24 hours, triggering immediate automated remediation โ exactly the outcome their team had built toward.
Appendix: Notable Passwords from 2025 Credential Exposures
The following passwords appeared most frequently across credentials indexed by Recorded Future in 2025. Their prevalence reflects the continued gap between password policies and actual user behavior โ and the reason why credential monitoring cannot rely on password complexity alone as a proxy for risk.
About This Report
This report is based on data indexed by Recorded Future's Identity Intelligence Module across the full calendar year 2025. Recorded Future monitors credentials across open web, dark web, paste sites, Telegram channels, and infostealer malware logs sourced from 30+ malware families. All credential data can be processed and analyzed without storing plaintext passwords in customer-facing systems.
Find out Whatโs Already Exposed in Your Environment
The data in this report reflects the broader threat landscape. The question is how much of it applies to your organization specifically.
Recorded Future's complimentary Identity Exposure Assessment pulls directly from the Recorded Future Intelligence Graph to show you the volume, recency, and severity of your organization's credential exposure over the past year โ including compromised employee credentials, infostealer-sourced data, and how your exposure has trended over time.
There's no commitment required. Just a clear picture of where your organization stands.
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Groupยฎ identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a โVery Criticalโ Recorded Future Risk Score.
What security teams need to know:
Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
Supply-chain attack on Notepad++: Lotus Blossom, a suspected China state-sponsored threat actor, exploited CVE-2025-15556 to hijack Notepad++'s update channel and deliver a Cobalt Strike Beacon and the Chrysalis backdoor
APT28 exploits MSHTML flaw: The Russian state-sponsored group leveraged CVE-2026-21513 via malicious Windows Shortcut files for multi-stage payload delivery
Public exploits available: Four of 13 vulnerabilities have publicly available proof-of-concept code; an alleged exploit for a fifth is being advertised for sale
Bottom line: Despite a 43% drop in volume, February's vulnerabilities include named threat actor exploitation and five RCE-enabling flaws, making prioritized, intelligence-driven remediation as important as ever.
Quick Reference: February 2026 Vulnerability Table
All 13 vulnerabilities below were actively exploited in February 2026.
Table 1:List of vulnerabilities that were actively exploited in February based on Recorded Future data. *An alleged exploit forCVE-2026-21533is being advertised for sale across Github. Recorded Future Triage was used to browse the website advertising the exploit, which can beviewed herevia the Replay Monitor. (Source: Recorded Future)
Key Trends: February 2026
Vendors Most Affected
Microsoft led with six vulnerabilities across Windows, Windows Server, Office, and Microsoft 365 products
BeyondTrust faced a critical OS command injection flaw in Remote Support (RS) versions 25.3.1 and earlier, and Privileged Remote Access (PRA) versions 24.3.4 and earlier
Cisco saw active exploitation of an authentication bypass in Catalyst SD-WAN infrastructure
Additional affected vendors: Notepad++, Apple, Soliton Systems K.K., Google, and Dell
Most Common Weakness Types
CWE-78 โ OS Command Injection (tied for most common)
CWE-693 โ Protection Mechanism Failure (tied for most common)
CWE-476 โ NULL Pointer Dereference
CWE-843 โ Type Confusion
CWE-807 โ Reliance on Untrusted Inputs in a Security Decision
Exploitation Activity
Vulnerabilities associated with malware campaigns:
Lotus Blossom (suspected China state-sponsored) exploited CVE-2025-15556 to hijack Notepad++ update traffic between June and December 2025. The campaign rotated C2 servers across three attack chains to deliver a Metasploit loader, Cobalt Strike Beacon, and a custom backdoor called Chrysalis.
APT28 (Russian state-sponsored) exploited CVE-2026-21513 using malicious Windows Shortcut (.lnk) files with embedded HTML payloads for multi-stage payload delivery, with observed network communication to infrastructure associated with the threat group.
UNC6201 (suspected China-nexus) exploited CVE-2026-22769 to compromise Dell RecoverPoint for VMs appliances, deploying the SLAYSTYLE web shell, BRICKSTORM backdoor, and GRIMBOLT, a C#-based backdoor with native AOT compilation to complicate detection.
Long-running exploitation activity:
UAT-8616 exploited CVE-2026-20127, chaining it with CVE-2022-20775 to achieve root-level access on Cisco Catalyst SD-WAN systems, with Cisco Talos attributing the activity to a sophisticated threat actor and assessing that the activity dates back to at least 2023.
Priority Alert: Active Exploitation
These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.
Why this matters: Lotus Blossom exploited this flaw to replace legitimate Notepad++ update packages with malicious installers, deploying Cobalt Strike and the Chrysalis backdoor to targeted users over a six-month period. The vulnerability affects the WinGUp updater used by Notepad++ versions prior to 8.8.9, which fails to cryptographically verify downloaded update metadata and installers.
Affected versions: Notepad++ versions prior to 8.8.9 (version 8.9.1 recommended)
Immediate actions:
Update to Notepad++ version 8.9.1, released January 26, 2026
Hunt for the malicious update.exe sample (SHA256: 4d4aec6120290e21778c1b14c94aa6ebff3b0816fb6798495dc2eae165db4566) in your environment
Monitor for GUP.exe spawning unexpected child processes
Review network connections for traffic to 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, 45[.]32[.]144[.]255, or 95[.]179[.]213[.]0
Check for directories named ProShow under %APPDATA% or unexpected files in %APPDATA%\Adobe\Scripts\
Block or alert on curl.exe uploading files to temp[.]sh
Known C2 infrastructure: 45[.]76[.]155[.]202, 45[.]77[.]31[.]210, cdncheck[.]it[.]com, safe-dns[.]it[.]com, 95[.]179[.]213[.]0
Detection resources: Insikt Group created Sigma rules to detect update.exe's execution of reconnaissance commands (whoami, tasklist, systeminfo, and netstat -ano) and curl commands for system information exfiltration, available to Recorded Future customers.
Figure 1:Risk Rules History fromVulnerability IntelligenceCardยฎ for CVE-2025-15556 in Recorded Future (Source: Recorded Future)
New from Insikt Group: Iran War โ Future Scenarios and Business Implications
Insikt Group has published a dedicated Cone of Plausibility analysis examining how the Iran conflict could evolve over the next 6โ12 months โ from a fragile ceasefire baseline to regional war, regime collapse, and nuclear crisis. Each scenario includes business implications and 0โ90 day priority actions.
This report is updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escalation.
The Latest Updates
Geopolitical Landscape
Iranโs hardliners are driving strategic deadlock, blockade resilience, and Strait closure. Insikt Group assesses Iranโs calculus is very likely shaped by IRGC influence and hardliner dominance: Supreme Leader Khameneiโs Aprilย 30 statement frames Iranian control of the Strait of Hormuz as a post-American regional order, chief negotiator Ghalibaf has reportedly resigned after a reprimand for raising nuclear issues in talks, and Iranโs public position has converged on a single precondition โ the US must lift its naval blockade before negotiations can resume.
The US blockade has cut Iranian oil exports by ~70% but has not achieved its strategic objectives. Iran faces critical oil storage constraints โ Bloomberg reported 22 days or less of unused capacity as of Aprilย 27 โ yet Insikt Group assesses Iran can very likely survive the current pressure level, and the full financial blow will lag three to four months as ~130 million barrels already loaded before the blockade remain in transit.
Maritime standoff deepens as Iran seizes vessels, lays additional mines, and ceasefire talks stall. Following the US seizure of the Touska, the IRGC seized the MSC Francesca and Epaminondes and fired on a third vessel transiting the Strait; the IRGC reportedly dropped additional mines during the final week of April, and the Pentagon assesses mine-clearing could take up to six months after a formal end to hostilities.
Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.
Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.
Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.
Meet us at RSA Booth N-6090 to see how intelligence-led security can transform your team's posture, from response to prevention.
Join our upcoming webinar to learn what proactive intelligence looks like for your region. Understanding the Dark Covenant, Its Evolution, and Impact
Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.
Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen fundsโaddressing a critical gap as scams increasingly become banks' most pressing fraud challenge.
The Growing Threat of Authorized Push Payment Fraud
Authorized Push Payment (APP) fraud is accelerating. In the U.S., APP fraud losses are projected to reach nearly $15B by 2028, up from $8.3B in 2024, according to Deloitte. While traditional card fraud continues to decline, APP fraud is climbing, fueled by AI-generated deepfakes, personalized scam scripts, and instant payment systems like FedNow and Zelle that move money faster than conventional fraud controls can intercept it.
Mule accounts, or money mules, are part of the critical infrastructure that makes these scams possible. They provide the bridge that converts stolen payments into untraceable cash or cryptocurrency. Without them, most APP fraud would collapse because criminals cannot risk receiving funds directly into their own accounts. By the time victims realize they've been scammed, mule accounts have already moved the money through multiple layers, typically ending in cash withdrawals or crypto conversions.
Additionally, the sophistication of mule operations is increasing. Criminal organizations now employ "mule herders" who manage hundreds of accounts at once, using AI to simulate normal transaction behavior (grocery purchases, streaming subscriptions, etc.) so accounts don't appear dormant or suspicious. This makes detection through traditional pattern analysis increasingly difficult.
Regulators are responding by shifting liability to banks, often viewing those allowing mule accounts to operate as part of the criminal infrastructure itself. For example, the UK now requires banks to reimburse scam victims and allows them to delay suspicious payments for investigation, while U.S. regulators are signaling that banks may be held liable for failing to detect mule accounts.
Detecting mule accounts is fundamentally difficult. Theyโre designed to blend in with legitimate activity, and traditional fraud controls can struggle to distinguish between a genuine customer payment and a scam transfer until it's too late.
CYBERA's Approach to Mule Intelligence
The challenge of detecting and disrupting mule account networks is what led CYBERA's founders to build their solution. Coming from legal practice and law enforcement, CYBERA's leadership team worked scam cases where they witnessed how recovery becomes impossible once funds move through the financial system. They realized that money mule networks represent a central vulnerability in the scam economy, one that banks had limited visibility into.
Today, CYBERA helps banks and payment networks disrupt scams at the point where funds are extracted. CYBERA's AI-powered Scam Engagement System generates intelligence on bank accounts and payment endpoints actively used by scam networks.
Unlike probabilistic risk scoring, CYBERA verifies each account, providing evidence and contextual metadata to enable proactive prevention across both internal accounts and outbound payments while minimizing false positives.
CYBERA supports two core use cases:
On-Us Mule Detection, which helps identify mule accounts held at your institution that are already linked to confirmed scam activity. This enables early detection and disruption of high-risk accounts, reducing downstream fraud, repeat victimization, and regulatory exposure within a bankโs accountholders.
Off-Us Screening, which screens outbound payments to external beneficiary accounts before execution, helping to prevent customers from sending funds to scammer-controlled accounts. This is particularly valuable for high-value transfers, social engineering attacks, and customer-initiated payments where traditional controls are limited.
Large financial institutions have already prevented multiple six-figure losses by embedding CYBERAโs intelligence into their transaction monitoring workflows. CYBERA has also been accepted as a member of the Mastercard Start Path program, making it the first Recorded Future partner to achieve this distinction and further validating its role in the payments ecosystem.
How Money Mule Intelligence Expands Payment Fraud Intelligence
Payment Fraud Intelligence (PFI) correlates the widest set of disparate, pre-monetization indicators of fraud to help teams act before their customers are impacted. Money Mule Intelligence extends that capability, giving fraud teams the verified intelligence needed to make high-confidence decisions that disrupt scams by flagging accounts that have been confirmed as mule infrastructure through direct investigation. Together, they provide coverage from initial compromise through attempted cash-out, helping fraud teams prevent losses at multiple intervention points.
โSecuring payments requires more than reacting to fraud โ it requires anticipating it. Integrating Money Mule Intelligence strengthens our ability to illuminate the infrastructure behind financial crime, which is fully aligned with our strategy of securing payments with intelligence.โ
Jamie Zajac
Chief Product Officer at Recorded Future
As regulators increasingly expect banks to prevent scam-enabled transfers, Money Mule Intelligence provides the verified data needed to comply with emerging reimbursement requirements while reducing the operational burden of post-incident investigation and remediation.
PFI users that purchase this capability, can now act on both sides of the transactionโcompromised payment instruments and scam-linked receiving accountsโwith evidence-backed intelligence that minimizes false positives and aligns with the industry's shift toward proactive fraud prevention.
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Groupยฎ identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
Microsoft and SmarterTools lead concerns: These vendors accounted for 30% of January's vulnerabilities, with multiple critical authentication bypass and RCE flaws
Public exploits proliferate: Fourteen of the 23 vulnerabilities reported have public proof-of-concept exploit code available
Code Injection dominates: CWE-94 (Code Injection) was the most common weakness type, followed by CWE-288 (Authentication Bypass Using an Alternate Path or Channel) and CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor)
Bottom line: The slight increase masks significant threats. APT28's zero-day exploitation and multiple critical authentication bypass flaws demonstrate that threat actors continue targeting enterprise communication and management platforms for initial access and persistence.
Quick Reference Table
All 23 vulnerabilities below were actively exploited in January 2026.
CWE-288 โ Authentication Bypass Using an Alternate Path or Channel
CWE-200 โ Exposure of Sensitive Information to an Unauthorized Actor
Threat Actor Activity
APT28's Operation Neusploitmarked January's most sophisticated campaign:
Exploited CVE-2026-21509 (Microsoft Office) via weaponized RTF files
Deployed MiniDoor, a malicious Outlook VBA project designed to collect and forward victim emails to hardcoded addresses
Deployed PixyNetLoader, which staged additional components and culminated in a Covenant Grunt implant
Abused Filen API as a C2 bridge between the implant and actor-controlled Covenant listener
Priority Alert: Active Exploitation
These vulnerabilities demand immediate attention due to confirmed exploitation in the wild.
CVE-2026-21509 | Microsoft Office
Risk Score: 99 (Very Critical) | Active exploitation by APT28
Why this matters: Zero-day exploitation by Russian state-sponsored actors bypasses Office security features, enabling delivery of email collection implants and backdoors. The vulnerability stems from reliance on untrusted inputs in security decisions, allowing unauthorized attackers to bypass OLE mitigations.
Affected versions: Microsoft 365 and Microsoft Office (versions not specified in advisory)
Immediate actions:
Install Microsoft's out-of-band update released January 26, 2026
Search email systems for RTF attachments with embedded malicious droppers
Check for modifications to %appdata%\Microsoft\Outlook\VbaProject.OTM
Review registry keys: HKCU\Software\Microsoft\Office\16.0\Outlook\Security\Level, Software\Microsoft\Office\16.0\Outlook\Options\General\PONT_STRING, and Software\Microsoft\Office\16.0\Outlook\LoadMacroProviderOnBoot
Monitor for connections to 213[.]155[.]157[.]123:443 and remote connectivity to Microsoft Office CDN endpoints
Hunt for scheduled tasks named "OneDriveHealth" and suspicious files in %programdata%\Microsoft\OneDrive\setup\Cache\SplashScreen.png
Block email addresses: ahmeclaw2002@outlook[.]com and ahmeclaw@proton[.]me
Figure 1:Vulnerability IntelligenceCardยฎ for CVE-2026-21509 in Recorded Future (Source: Recorded Future)
Why this matters: Unauthenticated attackers can reset system administrator passwords without any credentials or prior access, enabling complete administrative takeover and potential RCE through volume mount command injection.
Affected versions: SmarterTools SmarterMail prior to build 9511
Immediate actions:
Upgrade to build 9511 or later immediately
Review administrator account activity logs for unauthorized password resets
Check Volume Mounts configuration for suspicious command entries (this one IS correct for SmarterMail)
Review administrator access patterns and session logs
Audit system for unauthorized changes made with compromised admin access
CVE-2026-1281 & CVE-2026-1340 | Ivanti Endpoint Manager Mobile
Why this matters: Pre-authentication RCE vulnerabilities in EPMM enable unauthenticated attackers to execute arbitrary code by exploiting Apache RewriteMap helper scripts that pass attacker-controlled strings to Bash.
Affected versions: Ivanti EPMM 12.5.0.0 and earlier, 12.5.1.0 and earlier, 12.6.0.0 and earlier, 12.6.1.0 and earlier, and 12.7.0.0 and earlier
Immediate actions:
Install temporary fixes via RPM packages: EPMM_RPM_12.x.0 - Security Update - 1761642-1.0.0S-5.noarch.rpm and EPMM_RPM_12.x.1 - Security Update - 1761642-1.0.0L-5.noarch.rpm
Plan migration to EPMM 12.8.0.0 (scheduled for Q1 2026 release)
Monitor for unusual Apache RewriteMap activity
Review logs for crafted HTTP parameters to app store retrieval routes
Check for unauthorized code execution attempts via RewriteRule handling
Exposure: EPMM instances accessible over corporate networks or VPN connections
Figure 2:Risk Rules History fromVulnerability IntelligenceCardยฎ for CVE-2026-1340 in Recorded Future (Source: Recorded Future)
Technical Deep Dive: Exploitation Analysis
APT28's Operation Neusploit (CVE-2026-21509)
The multi-stage attack chain: CVE-2026-21509 enables bypass of Office OLE mitigations through weaponized RTF files:
Server-side evasionโ Malicious DLL returned only for requests from targeted geographies with an expected HTTP User-Agent
Dropper variantsโ Two distinct infection paths deployed based on targeting:
Variant 1 (MiniDoor): Writes VBA project to Outlook, modifies registry settings to enable macro execution, forwards emails to hardcoded recipient addresses
Variant 2 (PixyNetLoader): Creates mutex asagdugughi41, decrypts embedded payloads using rolling XOR key, establishes persistence via COM hijacking
Why this matters: APT28 demonstrates sophisticated exploitation combining zero-day vulnerabilities with anti-analysis techniques, targeting government and business users for email collection and persistent access.
The authentication bypass chain: CVE-2026-23550 enables administrator-level access without authentication:
Plugin treats requests as trusted based on request-supplied indicators rather than cryptographic verification
/api/modular-connector/login flow grants access based on site connector enrollment state
If no user identifier is supplied, the code selects an existing administrative user and establishes a privileged session
CVE-2026-23800 represents the second exploitation path via REST API user creation: /?rest_route=/wp/v2/users&origin=mo&type=x
Known IoCs associated with CVE-2026-23550:
45[.]11[.]89[.]19
185[.]196[.]0[.]11
64[.]188[.]91[.]37
Known IoCs associated with CVE-2026-23800:
62[.]60[.]131[.]161
185[.]102[.]115[.]27
backup[@]wordpress[.]com
backup1[@]wordpress[.]com
Why this matters: WordPress plugin vulnerabilities enable threat actors to compromise multiple sites from a single centralized management platform, amplifying attack impact.
Backend ForcePasswordReset routine branches on client-supplied IsSysAdmin boolean rather than deriving account type from server-side context
System administrator branch performs basic checks, then sets Password directly from the supplied NewPassword
Logic fails to validate OldPassword, lacks an authenticated session requirement, and omits authorization controls
Why this matters: Complete administrative takeover without credentials enables threat actors to deploy web shells, modify configurations, and establish persistent access to mail server infrastructure.
Detection & Remediation Resources
Nuclei Templates from Insikt Groupยฎ
Recorded Future customers can access Nuclei templates for:
CVE-2025-8110 (Gogs) - Version detection and fingerprinting check
State-sponsored zero-days return. APT28's exploitation of CVE-2026-21509 demonstrates continued Russian interest in email collection and persistent access through Office vulnerabilities.
Authentication bypass dominates enterprise risk. Multiple critical flaws in SmarterMail, Modular DS, and Cisco products enable complete administrative takeover without credentials.
Legacy vulnerabilities persist. CVE-2009-0556 (Microsoft Office) highlights how threat actors continue targeting unretired systems where patching has lagged for over a decade.
Take Action
Ready to see how Recorded Future can help your team detect state-sponsored exploitation, prioritize authentication bypass fixes, and reduce enterprise attack surface? Explore our demo center for live examples, or dive deeper with Insikt Group research for technical threat intelligence.
About Insikt Groupยฎ:
Recorded Future's Insikt Groupยฎ is a team of elite analysts, linguists, and security researchers providing actionable intelligence to protect organizations worldwide. Our research combines human expertise with AI-powered analytics to deliver timely, relevant threat intelligence on emerging vulnerabilities and threat actor campaigns.
Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.
The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timeline. This one-size-fits-all approach assumes threats targeting financial services match those facing critical infrastructure, or that yesterday's patterns predict tomorrow's campaigns.
Network intelligence flips this model. With global visibility spanning billions of connections across 150+ sensors in 35+ countries, you can investigate what matters to your organization using your own selectors, questions, and mission requirements.
What Network Intelligence Actually Means
Effective network intelligence requires global visibility at scale: distributed sensors across dozens of countries processing billions of packets daily, generating tens of millions of network flow records. But collection methodology matters equally. Metadata-only approaches capture source and destination IPs, ports, protocols, flow counts, and timestamps without payloads or deep packet inspection. This enables operation at internet scale while better maintaining ethical boundaries and data minimization standards.
At Recorded Future, our network intelligence capabilities provide this access to such global network traffic observations for specific IP addresses of interest. Our Insikt Group uses this same infrastructure to research 500+ malware families and threat actors. Government CERTs use these capabilities to analyze adversary infrastructure at national scale.
What This Means in Practice
Consider what changes when your security operations can query global network intelligence.
Faster SOC Triage
Your team flags a suspicious IP at 2 AM. Instead of guessing whether it's noise or the start of something worse, query the network intelligence platform. See its global communication patterns instantly. Understand whether you're looking at commodity scanning or infrastructure that's been quietly staging against targets for weeks. Internet scanner detection capabilities automatically classify the behavior and reveal specific ports targeted, web requests made, and geographic distribution. Triage in minutes, not hours.
Targeted or Opportunistic? Now You'll Know
When threats hit your industry, the first question is always: are we specifically in the crosshairs, or is this spray-and-pray? Network intelligence lets you track adversary infrastructure across your sector before it reaches your perimeter. See the pattern. Understand the targeting. Brief leadership with confidence because you're no longer guessing. You're showing them the actual traffic patterns that prove whether your organization is in the crosshairs or caught in the spray.
Fraud Infrastructure Exposed
Fraud campaigns depend on infrastructure that moves fast but leaves traces. Your selectors, run against global network intelligence, can reveal the networks behind credential stuffing, account takeover, and payment fraud before the campaign fully scales.
Attribution That Actually Holds Up
Mapping adversary infrastructure is hard. Connecting it to broader campaigns and ultimate operators is harder. Network intelligence gives you the longitudinal visibility to trace how infrastructure evolves, clusters, and connects. Administrative traffic analysis reveals patterns operators use to manage C2 infrastructure. When you identify admin flows from a common source connecting to multiple C2 servers, you're mapping the operator's pattern based on observed behavior across hundreds of global vantage points. You're turning indicators into intelligence.
Integration Into Security Workflows
Network intelligence integrates directly into existing security workflows through API access to SIEMs, SOAR platforms, and custom analysis tools. When your SIEM flags suspicious traffic, automated queries reveal global context: Is this IP conducting C2 communications? Scanning your sector specifically? Connected to infrastructure from last month's campaign? Curated threat lists reduce noise from legitimate security research while enabling early blocking of targeted reconnaissance, turning your existing tools into instruments for active investigation rather than passive alerting.
When Expertise Becomes Essential
For organizations facing persistent, sophisticated adversaries, network intelligence capabilities alone aren't sufficient. The difference between having access to global network visibility and operationalizing it effectively comes down to tradecraft.
Recorded Future's Global Network Intelligence Advisory program addresses this by pairing technical capabilities with forward-deployed analysts and embedded engineers who work directly inside your SOC or intelligence fusion center. This becomes especially critical when nation-states are mapping your critical infrastructure, when advanced persistent threats are staging for long-term access, or when attribution could influence strategic decision-making. You need the ability to investigate specific questions with global visibility and the expertise to interpret what you find.
The Compliance Framework That Enables Trust
Network intelligence operates under strict ethical and legal guidelines. All use is subject to our Acceptable Use Policy and surveillance, profiling of individuals, or political targeting is prohibited. Access is invitation-only, requiring vetting and agreement to specific terms of use.
These aren't just policies but foundational to how this capability operates. The metadata-only collection model, the data minimization approach, and the geographic distribution that prevents any single point of visibility into user communications are design choices. These constraints aren't obstacles to effectiveness but enablers of trust. They allow powerful intelligence capabilities to exist while promoting appropriate boundaries.
Moving Forward
The gap between what most security programs need and what traditional threat intelligence provides continues to widen. Adversaries operate at scale, evolving infrastructure faster than feeds can update. Internal telemetry shows only what touches your perimeter. Point-in-time observations lack the context to distinguish targeted attacks from noise.
Network intelligence addresses this gap with the ability to query global visibility using your own selectors. At Recorded Future, we've developed capabilities that operate at this scale, with the compliance framework and operational expertise to make them effective. For organizations ready to move beyond pre-packaged feeds, we're offering these capabilities to select customers through an invitation-only program.
What matters now is recognizing that your questions matter more than their answers and building security programs that reflect that reality.
Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.
The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups and influence networks amplified conflicts, blurring the line between genuine intrusions and perception warfare.
But here's what makes this moment dangerous: as long-established norms unwind, fragmentation is paradoxically enabling greater interoperability across domains that were once distinct. State objectives, criminal capability, and private-sector technology increasingly reinforce one another. That convergence creates uncertainty, compresses warning time, and expands plausible deniability.
Today, Recorded Future's Insikt Group releases the 2026 State of Security report, our most comprehensive annual analysis of the forces shaping global security.
Drawing on proprietary intelligence, network telemetry, and deep geopolitical analysis, this report examines how 2025's fractures are reshaping the threat environment โ and what security leaders must prepare for in the year ahead.
The End of Stability as a Baseline Assumption
Figure 1:2025 redefined international relations (Source: Recorded Future)