Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through March 10.

Operation Epic Fury Timeline: March 2026 Conflict Updates

February 28, 2026 — Initial Strikes and Regional Retaliation

In parallel to these events, Flashpoint observed immediate system-level disruption: flight suspensions at Dubai airports following nearby strikes, and Iran’s move to blockade the Strait of Hormuz, elevating global energy and logistics risk.

March 1, 2026 — Air War Over Tehran, Soft Targets, and Hybrid Expansion

By March 1, the conflict had shifted from stand-off strikes to direct air operations over Tehran, signaling degradation of Iran’s integrated air defenses over the capital. Iranian state media described a transition to “offensive defense,” and retaliatory activity expanded across the region.

Notable developments included the reported strike on the Crowne Plaza Hotel in Manama, Bahrain, signaling increased risk to soft targets and commercial environments. Flashpoint also observed indicators of command-and-control friction on the Iranian side, including a reported friendly-fire incident involving the sanctioned “shadow fleet” tanker Skylight.

March 2, 2026 — Infrastructure and Economic Warfare Escalation

March 3, 2026 — Expansion of Infrastructure Warfare and Regional Combat

March 5, 2026 — Offensive Defense and Geographic Expansion

March 6, 2026 — Regime Fragmentation and Strategic Targeting

March 8–9, 2026 — Leadership Consolidation and Hybrid Warfare Expansion

March 10, 2026 — Decentralized Retaliation and Economic Pressure

March 1–10, 2026 — Infrastructure Targeting and Internationalization

Between March 1 and March 10, Flashpoint analysis indicates the conflict has evolved from broad regional exchanges into systematic targeting of energy, data, and command-and-control infrastructure with global downstream impact. Key reported incidents included a strike on Saudi Aramco’s facility at Ras Tanura and a disruption at an AWS data center in the UAE attributed to physical impact on the facility. The Israel–Lebanon front also intensified following Hezbollah missile launches and a broad Israeli response across Lebanon. March 2 also featured expanded strikes against Tehran’s state apparatus, including reported destruction of Iran’s national broadcasting headquarters and the Assembly of Experts’ building.

Flashpoint also tracked growing exposure for NATO-aligned assets, including reported damage at RAF Akrotiri (Cyprus). Meanwhile, the UK, France, and Germany signaled readiness to support action focused on Iran’s missile and drone capabilities — an indicator of potential further conflict expansion.

By March 3 and March 4, targeting patterns expanded further to include strategic communications infrastructure and hardened military facilities. Satellite analysis confirmed damage to US military communication nodes and early-warning radar infrastructure across multiple Gulf bases, while naval combat escalated with a US submarine sinking the Iranian frigate IRIS Dena in the Indian Ocean. These developments signal a shift toward degrading regional command-and-control networks alongside continued pressure on energy and logistics infrastructure.

Developments on March 5 further expanded the geographic scope of the conflict. Iranian drone strikes targeted infrastructure in Azerbaijan, drawing the country’s military onto high alert and raising the possibility of a northern expansion of the kinetic theater. At the same time, complex missile and drone attacks continued against US military facilities in the Gulf, including a major strike that caused significant damage at Ali Al Salem Air Base in Kuwait. These developments reflect a continued shift toward distributed regional engagements rather than isolated bilateral exchanges.

Developments on March 6 through March 9 indicate continued degradation of Iranian command infrastructure alongside widening regional impacts. Precision strikes reportedly targeted remaining Iranian leadership compounds and clandestine missile and nuclear facilities, while diplomatic evacuations and military mobilization along Iran’s northern border suggested the potential expansion of the conflict into new geographic theaters. At the same time, infrastructure targeting expanded beyond energy and communications to include water desalination facilities and additional cloud and data infrastructure, highlighting the growing risk to civilian survival systems and regional economic stability.

Developments on March 10 further underscored the economic dimension of the conflict. A drone strike on the Ruwais industrial complex in Abu Dhabi forced the shutdown of the region’s largest oil refinery, while global shipping giant MSC suspended exports from Gulf ports due to continued instability in the Strait of Hormuz. These disruptions highlight how the conflict is increasingly affecting global energy production and maritime supply chains beyond the immediate combat zone.

The Escalating Cyber and Information Front

From the opening hours, Flashpoint assessed that cyber activity in this conflict is not ancillary — it is being used as a synchronized force multiplier.

One of the most consequential developments has been the use of infrastructure compromise for psychological operations at national scale. Flashpoint observed the compromise of the BadeSaba prayer app ecosystem, enabling push notifications to be delivered to large user populations. Messaging included calls for mobilization and later content aimed at regime security forces and protest coordination. This reflects a shift from influence on social platforms toward platform-layer manipulation, where trusted everyday applications become vectors for narrative control during kinetic shock.

Flashpoint also observed disruption and interference affecting state-run Iranian outlets (including IRNA and ISNA), contributing to an information vacuum and driving users toward unverified channels for situational awareness.

As kinetic pressure increased, Flashpoint tracking indicated fluctuations in cyber tempo. Some updates suggested a temporary lull in broader Iranian cyber activity — potentially due to operational disruption from physical strikes — while other indicators pointed to a risk of renewed disruptive campaigns, including activity linked to personas associated with state-aligned hacktivist ecosystems.

On March 2, Flashpoint observed reporting on a coordinated campaign branded #OpIsrael, involving pro-Iranian and pro-Russian-aligned actors, with activity spanning DDoS, data exposure, and claimed intrusions.

• NoName057(16) + Cyber Islamic Resistance: Claimed large-scale DDoS activity targeting Israeli defense and municipal entities (including Elbit Systems).
  
• Cyber Islamic Resistance: Claimed breach of an Israeli health insurance provider and released internal CCTV footage as evidence of access.
  
• FAD Team (Iraq’s “Resistance Hub”): Claimed SQL injection activity and PII exposure across a wide set of targets, including US and non-US entities.
  
• Fatimion Cyber Team: Claimed disruption targeting Gulf states perceived as US-aligned, including Bahrain and Qatar-linked targets.
  
• Infrastructure claims: FAD Team claimed access to firewall monitoring dashboards in Mecca and Medina.
  

Additional activity observed March 3–4 includes:

• Handala Team: Claimed a breach of Saudi Aramco infrastructure and released internal documentation and schematics intended to validate the attack. Flashpoint has not verified these claims.
  
• PalachPro: Signaled coordination with Iranian hackers to amplify cyber campaigns targeting US and Israeli organizations.
  
• NoName057(16): Claimed access to an Israeli water management SCADA system under the ongoing #OpIsrael campaign. These claims remain unverified.
  
• Fatemiyoun Electronic Team: Conducted a denial-of-service attack against the Kuwaiti News Agency website.
  
• Targeting rhetoric shift: Pro-IRGC propaganda channels began framing major technology companies — including Google — as potential targets due to alleged support of US military operations.
  

Additional activity reported on March 5 indicates a renewed surge in coordinated cyber operations under the #OpIsrael banner:

• NoName057(16): Claimed administrative access to Israeli industrial control systems and SCADA interfaces, alleging the ability to manipulate pump activity and water flow. These claims remain unverified but represent a high-risk threat to essential services.
  
• Handala Group: Claimed the exfiltration and wiping of approximately 1.3 TB of data from Atlas Insurances Ltd., while simultaneously launching a doxxing campaign targeting individuals alleged to be connected to Israeli intelligence.
  
• Fatemiyoun Electronic Team: Claimed responsibility for taking multiple government ministry websites offline in Jordan and Kuwait and releasing personal data from a Kuwaiti government application.
  
• Cyber Islamic Resistance (Team 313): Claimed disruptions targeting Bahraini government infrastructure and published images allegedly taken from compromised surveillance camera networks.
  

Additional activity reported March 6–9 includes:

• MuddyWater (MOIS / Seedworm): Verified intrusions into US aerospace, defense, aviation, and financial networks using a newly identified backdoor known as “Dindoor.” These operations reportedly began prior to the kinetic phase of the conflict and have continued during the war.
• Telegram-Based Recruitment Networks: Iranian intelligence is reportedly using Telegram channels to recruit loosely affiliated operatives and criminal intermediaries across Europe for espionage and potential sabotage operations.
• Handala: Claimed to have wiped Israeli military weather servers and intercepted urban security feeds in Jerusalem (unverified).
• Cyber Islamic Resistance (Team 313): Claimed multiple website defacements targeting regional institutions, including Kurdish and Saudi organizations (unverified).
• NoName057(16): Continued distributed denial-of-service attacks under the #OpIsrael banner targeting Israeli political parties, telecommunications companies, and defense contractors.
  

Additional activity reported March 10 includes:

• Suspected banking-sector attacks: Multiple reports indicate that Iran’s largest banks, including Bank Melli Iran and Bank Sepah, experienced widespread service disruptions following suspected cyberattacks.
• NoName057(16): The pro-Russian group continued operations under the #OpIsrael banner, claiming distributed denial-of-service attacks targeting Israeli and Cypriot infrastructure, including Israel’s national water company Mekorot and UAV firm E.M.I.T. Aviation (unverified).
• BD Anonymous & MrSutrator Alliance: A newly formed pro-Palestinian cyber alliance announced “Operation Electronic Holocaust,” targeting Israeli defense contractor Rafael (unverified).
• DieNet: The group issued warnings of a potential large-scale cyber campaign targeting Israeli government infrastructure (unverified).

These developments indicate continued expansion of cyber activity across both offensive and retaliatory fronts, including financial infrastructure and public-facing services.

Strategic Chokepoints and Systemic Risk

Two chokepoints have emerged as persistent systemic risk drivers: maritime energy transit and regional air mobility.

Iran’s reported blockade of the Strait of Hormuz remains the primary near-term global economic concern. Flashpoint reporting also indicates an explicit escalation toward energy system disruption, with IRGC messaging framing a “war on energy supplies” and kinetic targeting expanding to oil and gas infrastructure. Even partial disruption introduces immediate volatility in energy markets and maritime logistics, increasing shipping costs, insurance premiums, and delivery delays well beyond the region.

Additional developments reported on March 3 indicate the IRGC has conducted strikes against multiple oil tankers operating in the Strait of Hormuz, further elevating risks to global energy transport. Iran has also declared the waterway effectively closed to most commercial shipping, introducing the possibility of sustained maritime disruption.

Infrastructure targeting has expanded to include desalination facilities and water supply systems in the Gulf. Because these plants provide essential potable water to large urban populations, attacks on desalination infrastructure represent a significant escalation that directly threatens civilian survival systems and urban stability across the region.

Global shipping disruption has also intensified. As of March 10, following continued instability and the effective closure of the Strait of Hormuz, major shipping firms including MSC have suspended exports from Gulf ports, introducing additional pressure on global logistics and energy markets.

Airspace disruption and interruptions to transit hubs — especially the reported suspensions affecting Dubai — compound that risk. Taken together, the maritime and aviation constraints create a reinforcing cycle: constrained routes increase congestion elsewhere, raise operational costs, and compress the time available for organizations to reroute people and goods.

With regional airports and Gulf maritime corridors under threat, organizations should plan for sustained degradation of commercial mobility and service availability rather than short-lived closures.

Business and Security Implications

As the conflict expands into commercial infrastructure and civilian logistics, enterprise exposure now extends well beyond traditional “high-risk” sectors. The targeting patterns observed throughout this conflict indicate that energy infrastructure, cloud assets, maritime corridors, and civilian-facing systems are all within scope.

Organizations should plan for volatility across personnel security, supply chains, cyber disruption, and regional service availability.

1. Personnel and Physical Security

Recent incidents including strikes near Gulf transit hubs, the targeting of a Western-branded hotel in Bahrain, and warnings regarding potential asymmetric attacks underscore that risk is no longer confined to military installations.

• The US State Department issued an expanded “DEPART NOW” advisory for Americans across 16 Middle Eastern countries, reflecting elevated risk to civilian and commercial environments.
  
• US Embassy in Amman reported active “duck and cover” alarms, signaling increased threat pressure on diplomatic facilities beyond core combat zones.
  
• Reporting indicates Iranian threats now extend to US bases in Europe, expanding the geographic risk envelope.
  
• Drone attacks targeting diplomatic facilities — including the US Consulate in Dubai and attempted strikes on the US Embassy in Riyadh — indicate expanding risk to diplomatic and government installations.
  
• Precautionary evacuations have also been implemented near US embassies across several Gulf states as regional tensions and retaliatory threats continue to rise.
  

Organizations with personnel in the Gulf region and surrounding areas should:

• Reassess travel posture to the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia.
  
• Elevate security protocols at commercial offices, hotels, and logistics facilities.
  
• Reinforce operational security practices (routine variation, avoidance of identifiable clothing tied to government or defense sectors).
  
• Coordinate closely with local authorities and diplomatic advisories regarding movement restrictions and emerging threat indicators.
  

2. Supply Chain and Energy Exposure

The reported blockade of the Strait of Hormuz, disruption to Dubai aviation, and the strike on Saudi Arabia’s Ras Tanura oil facility demonstrate that global energy and logistics systems are active pressure points. Iranian naval forces reportedly struck multiple oil tankers transiting the Strait of Hormuz on March 3, increasing the likelihood of extended maritime disruption and global energy price volatility.

IRGC statements framing a “war on energy supplies” increase the likelihood of sustained pressure on Gulf oil and gas infrastructure. Organizations must reassess exposure not only to energy price volatility, but also to infrastructure-driven availability shocks.

Organizations should:

• Model extended disruption to Gulf maritime routes rather than short-term interruption.
  
• Identify alternative shipping corridors and overland routing options.
  
• Stress-test supplier dependencies tied to Gulf ports or energy inputs.
  
• Prepare for price volatility and delivery delays impacting downstream operations.
  

3. Cloud and Technology Infrastructure

The reported physical impact to an AWS data center in the UAE reflects a significant escalation: commercial cloud infrastructure is no longer insulated from kinetic spillover. More recent reporting also indicates Iranian strikes targeting Microsoft Azure data infrastructure in the Gulf, expanding the threat profile to additional Western cloud platforms.

Iranian strikes against early-warning radars and satellite communication terminals across Gulf bases indicate a coordinated effort to degrade regional missile defense networks.

Enterprises should:

• Confirm geographic redundancy for critical workloads.
  
• Validate disaster recovery timelines (RTO/RPO) for Middle East–hosted environments.
  
• Review third-party dependencies tied to regional data centers.
  
• Ensure executive teams understand potential cascading impacts from localized physical disruption.
  
• Organizations operating near or dependent on US or allied military infrastructure in the region should monitor potential disruptions to air defense coverage and communications networks.
  

4. ICS / OT Environments

Claims of intrusion into industrial control systems — including grain silo logistics and remote control infrastructure — signal elevated risk to operational technology environments. March 2 cyber reporting also emphasized blended risk: cyber operations paired with physical disruption, increasing the chance of cascading outages and degraded visibility during response.

Organizations operating ICS/SCADA systems, particularly in energy, logistics, water, and manufacturing sectors, should:

• Audit all remote access pathways and eliminate unnecessary external exposure.
  
• Enforce phishing-resistant MFA for privileged and engineering accounts.
  
• Segment industrial networks from corporate IT and public internet access.
  
• Validate incident response plans for destructive malware or system manipulation scenarios.
  
• Conduct tabletop exercises assuming loss of visibility or control in critical systems.

What to Expect Next (48–72 Hours)

Flashpoint analysis indicates the conflict is entering a more decentralized phase characterized by hybrid warfare and expanding geographic scope.

Following the formal appointment of Mojtaba Khamenei as Supreme Leader, the Iranian state is expected to maintain a hardline military posture under strong IRGC influence. With conventional military capabilities increasingly degraded, Iranian strategy may rely more heavily on asymmetric tactics, including cyber operations, proxy mobilization, and attacks against economic and civilian infrastructure.

The fatwa issued by Grand Ayatollah Sistani introduces an additional destabilizing variable, potentially mobilizing Shiite militias across Iraq and the broader region. Combined with Kurdish mobilization along Iran’s western border and Azerbaijan’s heightened military posture in the north, the conflict may increasingly involve non-state and regional actors.

At the same time, cyber operations targeting Western defense, aviation, and infrastructure networks are likely to intensify as Iranian-linked actors attempt to expand the conflict’s impact beyond the immediate battlefield.

The activation of Iran’s decentralized “Mosaic Defense” protocol further complicates potential de-escalation. Because retaliatory authority is distributed across regional commanders, localized strike cycles may continue even if diplomatic negotiations emerge at higher political levels. This structure increases the likelihood of continued intermittent attacks across multiple theaters even as international pressure for conflict termination grows.

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

• Hex-encoded encrypted strings
• Base64-encoded keys
• Seed calculation through a custom algorithm
• Resetting the VB pseudo-random number generator to a known state
• Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

• Outlook
• eM Client
• FoxMail
• Thunderbird
• 163Mail
• MailMaster

File transfer applications:

• FileZilla
• WinSCP
• CoreFTP

Browsers:

• Google Chrome
• Microsoft Edge
• Mozilla Firefox
• Brave
• Opera
• Yandex
• Vivaldi
• (and many additional Chromium- and Firefox-based browsers)

Other applications:

• Pidgin
• NordVPN

When extracting browser data, DarkCloud steals:

• Login credentials
• Cookies
• Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

• SMTP
• FTP
• Telegram
• HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

• Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
• Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
• Audit credential reuse across browser and email applications
• Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.

Blogs

Blog

Cyber and Physical Risks Targeting the 2026 Winter Olympics

In this post we analyze the multi-vector threat landscape of the 2026 Winter Olympics, examining how the Games’ dispersed geographic footprint and high digital complexity create unique potential for cyber sabotage and physical disruptions.

The Milano-Cortina 2026 Winter Olympics represent a historic milestone as the first Games co-hosted by two major cities. However, the event’s expansive geographic footprint—covering 22,000 square kilometers across northern Italy—presents a complex security environment. From the metropolitan centers of Milan to the alpine peaks of Cortina d’Ampezzo, security forces are contending with a multi-vector threat landscape.

Kinetic and Physical Security Challenges

The geographically dispersed nature of the Milano-Cortina 2026 Winter Games also creates unique physical security challenges. Because venues are spread across thousands of square kilometers of the Alps, securing transit corridors and ensuring rapid emergency response across different Italian regions—including Lombardy, Veneto, and Trentino—is an incredible logistical hurdle. New tunnels, increased train services, and extended bus routes have been welcomed but create new potential targets for physical disruption by threat actors or protestors.

Terrorist and Extremist Threats

Flashpoint has not identified any terrorist or extremist threats to the Winter Olympic Games. However, lone threat actors in support of international terrorist organizations or domestic violence extremists remain a persistent threat due to the large number of attendees expected and the media attention that this event will attract.

Authorities in northern Italy are investigating a series of sabotage attacks on the national railway network that coincided with the opening of the 2026 Winter Olympic Games. The coordinated incidents—which included arson at a track switch, severed electrical cables, and the discovery of a rudimentary explosive device—caused delays of over two hours and temporarily disabled the vital transport hub of Bologna.

Protests

Flashpoint analysts identified several protests targeting the 2026 Winter Olympics:

• US Presence and ICE Backlash: Hundreds of demonstrators have participated in protests in central Milan to demand that US ICE agents withdraw from security roles at the upcoming Winter Olympics.
• Anti-Olympic and Environmental Activism: The most organized opposition comes from the Unsustainable Olympics Committee. They have already staged marches in Milan and Cortina, with more planned for February.
• Pro-Palestinian Groups: Organizations such as BDS Italia are actively campaigning to boycott the games, demanding that Israel not be permitted to participate. Other pro-Palestinian groups have attempted to disrupt the Torch Relay in several cities and are expected to hold flash mob-style demonstrations in Milan’s Piazza del Duomo during the Opening Ceremony.
• Labor Strikes: Italy frequently experiences transport strikes, which often fall on Fridays. Because the Opening Ceremony is on Friday, February 6, unions are leveraging this for maximum impact. An International Day of Protest has been coordinated by port and dock workers across the Mediterranean for February 6.
  

On February 7, a massive protest of approximately 10,000 people near the Olympic Village in Milan descended into violence as a peaceful march against the Winter Games ended in clashes with Italian police. While the majority of demonstrators initially focused on the environmental destruction caused by Olympic infrastructure, a smaller group of masked protestors engaged security forces with flares, stones, and firecrackers.

Cyber Threats Facing the 2026 Winter Olympics

The Milano-Cortina 2026 Winter Olympics will be among the most digitally complex global events, making it a prime target for cyberattacks. The greatest risks stem from familiar tactics such as phishing, spoofed websites, and business email compromise, which exploit human trust rather than technical flaws. With billions of viewers and a vast network of cloud services, vendors, and connected systems, the games create an expansive attack surface under intense operational pressure.

Italy blocked a series of cyberattacks targeting its foreign ministry offices, including one in Washington, as well as Winter Olympics websites and hotels in Cortina d’Ampezzo, with officials attributing the attempts to Russian sources. Foreign Minister Antonio Tajani confirmed the attacks were prevented just days before the Games’ official opening, which began with curling matches on February 4. 

Past Olympic Games show a clear pattern of heightened cyber activity, including phishing campaigns, distributed denial-of-service (DDoS) attacks, ransomware, and online scams targeting both organizers and the public. A mix of cybercriminals, advanced persistent threats, and hacktivists is expected to exploit the event for financial gain, espionage, or publicity. Experts emphasize that improving security awareness, verifying digital interactions, and strengthening supply chain defenses are critical, as the most damaging incidents often arise from ordinary threats amplified by scale and urgency.

Staying Safe at the 2026 Winter Games

The security success of Milano-Cortina 2026 relies on the integration of real-time intelligence, advanced technological safeguards, and public vigilance. As the Games proceed, the intersection of cyber-sabotage and physical protest remains the most likely source of operational disruption.

To stay safe at this year’s Games, participants should:

1. Download Official Apps: Install the Milano Cortina 2026 Ground Transportation App and the Atm Milano app for real-time updates on transit, road closures, and “guaranteed” travel windows during strikes.
2. Plan Around Friday Strikes: Be aware that transport strikes (Feb 6, 13, and 20) typically guarantee services only between 6:00 AM – 9:00 AM and 6:00 PM – 9:00 PM. Plan your venue transfers accordingly.
3. Secure Your Digital Footprint: Avoid public Wi-Fi at major venues. Use a VPN and ensure Multi-Factor Authentication (MFA) is active on all your ticketing and banking accounts.
4. Stay Clear of Protests: While most demonstrations are expected to be peaceful, they can cause sudden police cordons and transit delays.
5. Respect the Drone Ban: Unauthorized drones are strictly prohibited over Milan and venue clusters. Leave yours at home to avoid heavy fines or interception by security units.

Stay Safe Using Flashpoint

While there are no current indications of imminent threats of extreme violence targeting the Milano-Cortina 2026 Winter Olympics, the event’s vast geographic footprint and digital complexity demand constant vigilance. Securing an event that spans 22,000 square kilometers requires more than just a physical presence; it necessitates a multi-faceted approach that bridges the gap between digital and kinetic risks.

To effectively navigate the intersection of cyber-sabotage, civil unrest, and logistical challenges, organizations and attendees must adopt a comprehensive strategy that integrates real-time intelligence with proactive security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

Protecting the Big Game: A Threat Assessment for Super Bowl LX

This threat assessment analyzes potential physical and cyber threats to Super Bowl LX.

Each year, the Super Bowl draws one of the largest live audiences of any global sporting event, with tens of thousands of spectators attending in person and more than 100 million viewers expected to watch worldwide. Super Bowl LX, taking place on February 8, 2026 at Levi’s Stadium, will feature the Seattle Seahawks and the New England Patriots, with Bad Bunny headlining the halftime show and Green Day performing during the opening ceremony.

Beyond the game itself, the Super Bowl represents one of the most influential commercial and media stages in the world, with major brands investing in some of the most expensive advertising time of the year. The scale, visibility, and economic significance of the event make it an attractive target for threat actors seeking attention, disruption, or financial gain, underscoring the need for heightened security awareness.

Cybersecurity Considerations

At this time, Flashpoint has not observed any specific cyber threats targeting Super Bowl LX. Despite the absence of overt threats, it remains possible that threat actors may attempt to obtain personal information—including financial and credit card details—through scams, malware, phishing campaigns, or other opportunistic cyber activity.

High-profile events such as the Super Bowl have historically been leveraged as bait for cyber campaigns targeting fans and attendees rather than league infrastructure. In October 2024, the online store of the Green Bay Packers was hacked, exposing customers’ financial details. Previous incidents also include the February 2022 “BlackByte” ransomware attack that targeted the San Francisco 49ers in the lead-up to Super Bowl LVI.

Although Flashpoint has not identified any credible calls for large-scale cyber campaigns against Super Bowl LX at this time, analysts assess that cyber activity—if it occurs—is more likely to focus on fraud, impersonation, and social engineering directed at ticket holders, travelers, and high-profile attendees.

Online Sentiment

Flashpoint is currently monitoring online sentiment ahead of Super Bowl LX. At the time of publishing, analysts have identified pockets of increasingly negative online chatter related primarily to allegations of federal immigration enforcement activity in and around the event, as well as broader political and social tensions surrounding the Super Bowl.

Online discussions include calls for protests and boycotts tied to perceived Immigration and Customs Enforcement (ICE) involvement, as well as controversy surrounding halftime and opening ceremony performers. While sentiment toward the game itself and associated events remains largely positive, Flashpoint continues to monitor for escalation in rhetoric that could translate into real-world activity.

Potential Physical Threats

Protests and Boycotts

Flashpoint analysts have identified online chatter promoting protests in the Bay Area in response to allegations that Immigration and Customs Enforcement (ICE) agents will conduct enforcement operations in and around Super Bowl LX. A planned protest is scheduled to take place near Levi’s Stadium on February 8, 2026, during game-day hours.

At this time, Flashpoint has not identified any calls for violence or physical confrontation associated with these actions. However, analysts cannot rule out the possibility that demonstrations could expand or relocate, potentially causing localized disruptions near the venue or surrounding infrastructure if protesters gain access to restricted areas.

In addition, Flashpoint has identified online calls to boycott the Super Bowl tied to both the alleged ICE presence and controversy surrounding the event’s halftime and opening ceremony performers. Flashpoint has not identified any chatter indicating that players, NFL personnel, or affiliated organizations plan to boycott or disrupt the game or related events.

Terrorist and Extremist Threats

Flashpoint has not identified any direct or credible threats to Super Bowl LX or its attendees from violent extremists or terrorist groups at this time. However, as with any high-profile sporting event, lone actors inspired by international terrorist organizations or domestic violent extremist ideologies remain a persistent risk due to the scale of attendance and global media attention.

Super Bowl LX is designated as a SEAR-1 event, necessitating extensive interagency coordination and heightened security measures. Law enforcement presence is expected to be significant, with layered security protocols, strict access control points, and comprehensive screening procedures in place throughout Levi’s Stadium and surrounding areas. Contingency planning for crowd management, emergency response, and evacuation scenarios is ongoing.

Mitigation Strategies and Executive Protection

Given the absence of specific, identified threats, mitigation strategies for key personnel attending Super Bowl LX focus on general best practices. Security teams tasked with executive protection should remove sensitive personal information from online sources, monitor open-source and social media channels, and establish targeted alerts for potential threats or emerging protest activity.

Physical security teams and protected individuals should also familiarize themselves with venue layouts, emergency exits, nearby medical facilities, and law enforcement presence, and remain alert to changes in crowd dynamics or protest activity in the vicinity of the event.

The nearest medical facilities are:

• O’Connor Hospital (Santa Clara Valley Healthcare)
  
• Kaiser Permanente Santa Clara Medical Center
  
• Santa Clara Valley Medical Center
  
• Valley Health Center Sunnyvale

Several of these facilities offer 24/7 emergency services and are located within a short driving distance of the stadium.

The primary law enforcement facility near the venue is:

• Santa Clara Police Department

As a SEAR-1 event, extensive coordination is expected among local, state, and federal law enforcement agencies throughout the Bay Area.

Stay Safe Using Flashpoint

Although there are no indications of any credible, immediate threats to Super Bowl LX or attendees at this time, it is imperative to be vigilant and prepared. Protecting key personnel in today’s threat environment requires a multi-faceted approach. To effectively bridge the gap between online and offline threats, organizations must adopt a comprehensive strategy that incorporates open source intelligence (OSINT) and physical security measures. Download Flashpoint’s Physical Safety Event Checklist to learn more.

Request a demo today.

Blogs

Blog

The Top Threat Actor Groups Targeting the Financial Sector

In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

Why Finance?

The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

The Threat Actors Targeting the Financial Sector

To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

RansomHub

Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

Akira

Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

LockBit Ransomware

A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

FIN7

This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

Scattering Spider

Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

Lazarus Group

This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

Top Attack Vectors Facing the Financial Sector

Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

Third-Party Compromise

Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

Initial Access Brokers (IABs)

Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

Insider Threat

Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

Deepfake and Impersonation

The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

Defend Against Financial Threats Using Flashpoint

The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

Request a demo today.

Blogs

Blog

Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

In this post, we break down the 91,321 instances of insider activity observed by Flashpoint in 2025, examine the top five cases that defined the year, and provide the technical and behavioral red flags your team needs to monitor in 2026.

Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

An insider threat, any individual with authorized access, possesses the unique ability to bypass traditional security gates. Whether driven by financial gain, ideological grievances, or simple human error, insiders can potentially compromise a system with a single keystroke. To protect our customers from this internal risk, Flashpoint monitors the illicit forums and marketplaces where these threats are being solicited. 

In this post, we unpack the evolving insider threat landscape and what it means for your security strategy in 2026. By analyzing the volume of recruitment activity and the specific industries being targeted, organizations can move from a reactive posture to a proactive defense.

By the Numbers: Mapping the 2025 Insider Threat Landscape

Last year, Flashpoint collected and researched:

• 91,321 posts of insider solicitation and service advertising
• 10,475 channels containing insider-related illicit activity
• 17,612 total authors

On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

Insider Threat Landscape by Industry

The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique where threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. This allows the threat actor to receive all the victim’s calls and texts, allowing them to bypass SMS-based two-factor authentication.

Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

Top Industries for Insiders Advertising Services (Supply):

1. Telecom
2. Financial
3. Retail
4. Technology

Top Industries for Threat Actors Soliciting Access (Demand):

1. Technology
2. Financial
3. Telecom
4. Retail

6 Notable Insider Threat Cases of 2025

The following cases highlight the variety of ways insiders impacted enterprise systems this year, ranging from intentional fraud to massive technical oversights.

Type of Incident	Description
Malicious	Approximately nine employees accessed the personal information of over 94,000 individuals, making illegal purchases using changed food stamp cards.
Nonmalicious	An unprotected database belonging to a Chinese IoT firm leaked 2.7 billion records, exposing 1.17 TB of sensitive data and plaintext passwords.
Malicious	An insider at a well-known cybersecurity organization was terminated after sharing screenshots of internal dashboards with the Scattered Lapsus$ Hunters threat actor group.
Malicious	An employee working for a foreign military contractor was bribed to pass confidential information to threat actors.
Malicious	A third-party contractor for a cryptocurrency firm sold customer data to threat actors and recruited colleagues into the scheme, leading to the termination of 300 employees and the compromise of 69,000 customers.
Malicious	Two contractors accessed and deleted sensitive documents and dozens of databases belonging to the Internal Revenue Service and US General Services Administration.

Catching the Warning Signs Early

Potential insiders often display technical and nontechnical behavior before initiating illicit activity. Although these actions may not directly implicate an employee, they can be monitored, which may lead to inquiries or additional investigations to better understand whether the employee poses an elevated risk to the organization.

Flashpoint has identified the following nontechnical warning signs associated with insiders:

• Behavioral indicators: Observable actions that deviate from a known baseline of behaviors. These can be observed by coworkers or management or through technical indicators. Behavioral indicators can include increasingly impulsive or erratic behavior, noncompliance with rules and policies, social withdrawal, and communications with competitors.
• Financial changes: Significant and overlapping changes in financial standing—such as significant debt, financial troubles, or sudden unexplained financial gain—could indicate a potential insider threat. In the case of financial distress, an employee can sell their services to other threat actors via forums or chat services, thus creating additional funding streams while seeming benign within their organization.
• Abnormal access behavior: Resistance to oversight, unjustified requests for sensitive information beyond the employee’s role, or the employee being overprotective of their access privileges might indicate malicious intent.
• Separation on bad terms: Employees who leave an organization under unfavorable circumstances pose an increased insider threat risk, as they might want to seek revenge by exploiting whatever access they had or might still possess after leaving.
• Odd working hours: Actors may leverage atypical after-hours work to pursue insider threat activity, as there is less monitoring. By sticking to an atypical schedule, threat actors maintain a cover of standard work activity while pursuing illicit activity simultaneously.
• Unusual overseas travel: Unusual and undocumented overseas travel may indicate an employee’s potential recruitment by a foreign state or state-sponsored actor. Travel might be initiated to establish contact and pass sensitive information while avoiding raising suspicions in the recruit’s home country.

The following are technical warning signs:

• Unauthorized devices: Employees using unauthorized devices for work pose an insider threat, whether they have malicious intent or are simply putting themselves at higher risk of human error. Devices that are not controlled and monitored by the organization fall outside of its scope of operational security, while still carrying all of the sensitive data and configuration of the organization.
• Abnormal network traffic: An unusual increase in network traffic or unexplained traffic patterns associated with the employee’s device that differ from their normal network activity could indicate malicious intent. This includes network traffic employing unusual protocols, using uncommon ports, or an overall increase in after-hours network activity.
• Irregular access pattern: Employees accessing data outside the scope of their job function may be testing and mapping the limits of their access privileges to restricted areas of information as they evaluate their exfiltration capabilities for their planned illicit actions.
• Irregular or mass data download: Unexpected changes in an employee’s data handling practices, such as irregular large-scale downloads, unusual data encryption, or uncharacteristic or unauthorized data destinations, are significant indicators of an insider threat.

Insider Threats: What to Expect in 2026

As 2026 unfolds, insider threat actors will continue to be a major threat to organizations. Ransomware groups and initial access threat actors will continue recruiting interested insiders and exploiting human vulnerabilities through social engineering tactics. Following Telegram’s recent bans on many illicit groups and channels, Flashpoint assesses that threat actors are likely to migrate to different platforms, such as Signal, where encrypted chats make their activity harder to monitor.

As AI technologies continue to advance, organizations will be better equipped to identify and mitigate insider risks. At the same time, threat actors will likely increasingly abuse AI and other tools to access sensitive information. 
Is your organization equipped to spot the warning signs? Request a demo to learn more and to mitigate potential risk from within your organization.

Request a demo today.

Blogs

Blog

Flashpoint Weekly Vulnerability Insights and Prioritization Report

Week of December 20 – December 26, 2025

Anticipate, contextualize, and prioritize vulnerabilities to effectively address threats to your organization.

Flashpoint’s VulnDB documents over 400,000 vulnerabilities and has over 6,000 entries in Flashpoint’s KEV database, making it a critical resource as vulnerability exploitation rises. However, if your organization is relying solely on CVE data, you may be missing critical vulnerability metadata and insights that hinder timely remediation. That’s why we created this weekly series—where we surface and analyze the most high priority vulnerabilities security teams need to know about.

Key Vulnerabilities:
Week of December 20 – December 26, 2025

Foundational Prioritization

Of the vulnerabilities Flashpoint published this week, there are 34 that you can take immediate action on. They each have a solution, a public exploit exists, and are remotely exploitable. As such, these vulnerabilities are a great place to begin your prioritization efforts.

Diving Deeper – Urgent Vulnerabilities

Of the vulnerabilities Flashpoint published last week, four are highlighted in this week’s Vulnerability Insights and Prioritization Report because they contain one or more of the following criteria:

• Are in widely used products and are potentially enterprise-affecting
• Are exploited in the wild or have exploits available
• Allow full system compromise
• Can be exploited via the network alone or in combination with other vulnerabilities
• Have a solution to take action on

In addition, all of these vulnerabilities are easily discoverable and therefore should be investigated and fixed immediately.

To proactively address these vulnerabilities and ensure comprehensive coverage beyond publicly available sources on an ongoing basis, organizations can leverage Flashpoint Vulnerability Intelligence. Flashpoint provides comprehensive coverage encompassing IT, OT, IoT, CoTs, and open-source libraries and dependencies. It catalogs over 100,000 vulnerabilities that are not included in the NVD or lack a CVE ID, ensuring thorough coverage beyond publicly available sources. The vulnerabilities that are not covered by the NVD do not yet have CVE ID assigned and will be noted with a VulnDB ID.

CVE ID	Title	CVSS Scores (v2, v3, v4)	Exploit Status	Exploit Consequence	Ransomware Likelihood Score	Social Risk Score	Solution Availability
CVE-2025-33222	NVIDIA Isaac Launchable Unspecified Hardcoded Credentials	5.0 9.8 9.3	Private	Credential Disclosure	High	Low	Yes
CVE-2025-33223	NVIDIA Isaac Launchable Unspecified Improper Execution Privileges Remote Code Execution	10.0 9.8 9.3	Private	Remote Code Execution	High	Low	Yes
CVE-2025-68613	n8n Package for Node.js packages/workflow/src/expression-evaluator-proxy.ts Workflow Expression Evaluation Remote Code Execution	9.0 9.9 9.4	Public	Remote Code Execution	High	High	Yes
CVE-2025-14847	MongoDB transport/message_compressor_zlib.cpp ZlibMessageCompressor::decompressData() Function Zlib Compressed Protocol Header Handling Remote Uninitialized Memory Disclosure (Mongobleed)	10.0 9.8 9.3	Public	Uninitialized Memory Disclosure	High	High	Yes

Flashpoint Ignite lays all of these components out. Below is an example of what this vulnerability record for CVE-2025-33223 looks like.

Analyst Comments on the Notable Vulnerabilities

Below, Flashpoint analysts describe the five vulnerabilities highlighted above as vulnerabilities that should be of focus for remediation if your organization is exposed.

CVE-2025-33222

NVIDIA Isaac Launchable contains a flaw that is triggered by the use of unspecified hardcoded credentials. This may allow a remote attacker to trivially gain privileged access to the program.

CVE-2025-33223

NVIDIA Isaac Launchable contains an unspecified flaw that is triggered as certain activities are executed with unnecessary privileges. This may allow a remote attacker to potentially execute arbitrary code.

CVE-2025-68613

n8n Package for Node.js contains a flaw in packages/workflow/src/expression-evaluator-proxy.ts that is triggered as workflow expressions are evaluated in an improperly isolated execution context. This may allow an authenticated, remote attacker to execute arbitrary code with the privileges of the n8n process.

CVE-2025-14847

MongoDB contains a flaw in the ZlibMessageCompressor::decompressData() function in mongo/transport/message_compressor_zlib.cpp that is triggered when handling mismatched length fields in Zlib compressed protocol headers. This may allow a remote attacker to disclose uninitialized memory contents on the heap.

Previously Highlighted Vulnerabilities

CVE/VulnDB ID	Flashpoint Published Date
CVE-2025-21218	Week of January 15, 2025
CVE-2024-57811	Week of January 15, 2025
CVE-2024-55591	Week of January 15, 2025
CVE-2025-23006	Week of January 22, 2025
CVE-2025-20156	Week of January 22, 2025
CVE-2024-50664	Week of January 22, 2025
CVE-2025-24085	Week of January 29, 2025
CVE-2024-40890	Week of January 29, 2025
CVE-2024-40891	Week of January 29, 2025
VulnDB ID: 389414	Week of January 29, 2025
CVE-2025-25181	Week of February 5, 2025
CVE-2024-40890	Week of February 5, 2025
CVE-2024-40891	Week of February 5, 2025
CVE-2024-8266	Week of February 12, 2025
CVE-2025-0108	Week of February 12, 2025
CVE-2025-24472	Week of February 12, 2025
CVE-2025-21355	Week of February 24, 2025
CVE-2025-26613	Week of February 24, 2025
CVE-2024-13789	Week of February 24, 2025
CVE-2025-1539	Week of February 24, 2025
CVE-2025-27364	Week of March 3, 2025
CVE-2025-27140	Week of March 3, 2025
CVE-2025-27135	Week of March 3, 2025
CVE-2024-8420	Week of March 3, 2025
CVE-2024-56196	Week of March 10, 2025
CVE-2025-27554	Week of March 10, 2025
CVE-2025-22224	Week of March 10, 2025
CVE-2025-1393	Week of March 10, 2025
CVE-2025-24201	Week of March 17, 2025
CVE-2025-27363	Week of March 17, 2025
CVE-2025-2000	Week of March 17, 2025
CVE-2025-27636 CVE-2025-29891	Week of March 17, 2025
CVE-2025-1496	Week of March 24, 2025
CVE-2025-27781	Week of March 24, 2025
CVE-2025-29913	Week of March 24, 2025
CVE-2025-2746	Week of March 24, 2025
CVE-2025-29927	Week of March 24, 2025
CVE-2025-1974 CVE-2025-2787	Week of March 31, 2025
CVE-2025-30259	Week of March 31, 2025
CVE-2025-2783	Week of March 31, 2025
CVE-2025-30216	Week of March 31, 2025
CVE-2025-22457	Week of April 2, 2025
CVE-2025-2071	Week of April 2, 2025
CVE-2025-30356	Week of April 2, 2025
CVE-2025-3015	Week of April 2, 2025
CVE-2025-31129	Week of April 2, 2025
CVE-2025-3248	Week of April 7, 2025
CVE-2025-27797	Week of April 7, 2025
CVE-2025-27690	Week of April 7, 2025
CVE-2025-32375	Week of April 7, 2025
VulnDB ID: 398725	Week of April 7, 2025
CVE-2025-32433	Week of April 12, 2025
CVE-2025-1980	Week of April 12, 2025
CVE-2025-32068	Week of April 12, 2025
CVE-2025-31201	Week of April 12, 2025
CVE-2025-3495	Week of April 12, 2025
CVE-2025-31324	Week of April 17, 2025
CVE-2025-42599	Week of April 17, 2025
CVE-2025-32445	Week of April 17, 2025
VulnDB ID: 400516	Week of April 17, 2025
CVE-2025-22372	Week of April 17, 2025
CVE-2025-32432	Week of April 29, 2025
CVE-2025-24522	Week of April 29, 2025
CVE-2025-46348	Week of April 29, 2025
CVE-2025-43858	Week of April 29, 2025
CVE-2025-32444	Week of April 29, 2025
CVE-2025-20188	Week of May 3, 2025
CVE-2025-29972	Week of May 3, 2025
CVE-2025-32819	Week of May 3, 2025
CVE-2025-27007	Week of May 3, 2025
VulnDB ID: 402907	Week of May 3, 2025
VulnDB ID: 405228	Week of May 17, 2025
CVE-2025-47277	Week of May 17, 2025
CVE-2025-34027	Week of May 17, 2025
CVE-2025-47646	Week of May 17, 2025
VulnDB ID: 405269	Week of May 17, 2025
VulnDB ID: 406046	Week of May 19, 2025
CVE-2025-48926	Week of May 19, 2025
CVE-2025-47282	Week of May 19, 2025
CVE-2025-48054	Week of May 19, 2025
CVE-2025-41651	Week of May 19, 2025
CVE-2025-20289	Week of June 3, 2025
CVE-2025-5597	Week of June 3, 2025
CVE-2025-20674	Week of June 3, 2025
CVE-2025-5622	Week of June 3, 2025
CVE-2025-5419	Week of June 3, 2025
CVE-2025-33053	Week of June 7, 2025
CVE-2025-5353	Week of June 7, 2025
CVE-2025-22455	Week of June 7, 2025
CVE-2025-43200	Week of June 7, 2025
CVE-2025-27819	Week of June 7, 2025
CVE-2025-49132	Week of June 13, 2025
CVE-2025-49136	Week of June 13, 2025
CVE-2025-50201	Week of June 13, 2025
CVE-2025-49125	Week of June 13, 2025
CVE-2025-24288	Week of June 13, 2025
CVE-2025-6543	Week of June 21, 2025
CVE-2025-3699	Week of June 21, 2025
CVE-2025-34046	Week of June 21, 2025
CVE-2025-34036	Week of June 21, 2025
CVE-2025-34044	Week of June 21, 2025
CVE-2025-7503	Week of July 12, 2025
CVE-2025-6558	Week of July 12, 2025
VulnDB ID: 411705	Week of July 12, 2025
VulnDB ID: 411704	Week of July 12, 2025
CVE-2025-6222	Week of July 12, 2025
CVE-2025-54309	Week of July 18, 2025
CVE-2025-53771	Week of July 18, 2025
CVE-2025-53770	Week of July 18, 2025
CVE-2025-54122	Week of July 18, 2025
CVE-2025-52166	Week of July 18, 2025
CVE-2025-53942	Week of July 25, 2025
CVE-2025-46811	Week of July 25, 2025
CVE-2025-52452	Week of July 25, 2025
CVE-2025-41680	Week of July 25, 2025
CVE-2025-34143	Week of July 25, 2025
CVE-2025-50454	Week of August 1, 2025
CVE-2025-8875	Week of August 1, 2025
CVE-2025-8876	Week of August 1, 2025
CVE-2025-55150	Week of August 1, 2025
CVE-2025-25256	Week of August 1, 2025
CVE-2025-43300	Week of August 16, 2025
CVE-2025-34153	Week of August 16, 2025
CVE-2025-48148	Week of August 16, 2025
VulnDB ID: 416058	Week of August 16, 2025
CVE-2025-32992	Week of August 16, 2025
CVE-2025-7775	Week of August 24, 2025
CVE-2025-8424	Week of August 24, 2025
CVE-2025-34159	Week of August 24, 2025
CVE-2025-57819	Week of August 24, 2025
CVE-2025-7426	Week of August 24, 2025
CVE-2025-58367	Week of September 1, 2025
CVE-2025-58159	Week of September 1, 2025
CVE-2025-58048	Week of September 1, 2025
CVE-2025-39247	Week of September 1, 2025
CVE-2025-8857	Week of September 1, 2025
CVE-2025-58321	Week of September 8, 2025
CVE-2025-58366	Week of September 8, 2025
CVE-2025-58371	Week of September 8, 2025
CVE-2025-55728	Week of September 8, 2025
CVE-2025-55190	Week of September 8, 2025
VulnDB ID: 419253	Week of September 13, 2025
CVE-2025-10035	Week of September 13, 2025
CVE-2025-59346	Week of September 13, 2025
CVE-2025-55727	Week of September 13, 2025
CVE-2025-10159	Week of September 13, 2025
CVE-2025-20363	Week of September 20, 2025
CVE-2025-20333	Week of September 20, 2025
CVE-2022-4980	Week of September 20, 2025
VulnDB ID: 420451	Week of September 20, 2025
CVE-2025-9900	Week of September 20, 2025
CVE-2025-52906	Week of September 27, 2025
CVE-2025-51495	Week of September 27, 2025
CVE-2025-27224	Week of September 27, 2025
CVE-2025-27223	Week of September 27, 2025
CVE-2025-54875	Week of September 27, 2025
CVE-2025-41244	Week of September 27, 2025
CVE-2025-61928	Week of October 6, 2025
CVE-2025-61882	Week of October 6, 2025
CVE-2025-49844	Week of October 6 2025
CVE-2025-57870	Week of October 6, 2025
CVE-2025-34224	Week of October 6, 2025
CVE-2025-34222	Week of October 6, 2025
CVE-2025-40765	Week of October 11, 2025
CVE-2025-59230	Week of October 11, 2025
CVE-2025-24990	Week of October 11, 2025
CVE-2025-61884	Week of October 11, 2025
CVE-2025-41430	Week of October 11, 2025
VulnDB ID: 424051	Week of October 18, 2025
CVE-2025-62645	Week of October 18, 2025
CVE-2025-61932	Week of October 18, 2025
CVE-2025-59503	Week of October 18, 2025
CVE-2025-43995	Week of October 18, 2025
CVE-2025-62168	Week of October 18, 2025
VulnDB ID: 425182	Week of October 25, 2025
CVE-2025-62713	Week of October 25, 2025
CVE-2025-54964	Week of October 25, 2025
CVE-2024-58274	Week of October 25, 2025
CVE-2025-41723	Week of October 25, 2025
CVE-2025-20354	Week of November 1, 2025
CVE-2025-11953	Week of November 1, 2025
CVE-2025-60854	Week of November 1, 2025
CVE-2025-64095	Week of November 1, 2025
CVE-2025-11833	Week of November 1, 2025
CVE-2025-64446	Week of November 8, 2025
CVE-2025-36250	Week of November 8, 2025
CVE-2025-64400	Week of November 8, 2025
CVE-2025-12686	Week of November 8, 2025
CVE-2025-59118	Week of November 8, 2025
VulnDB ID: 426231	Week of November 8, 2025
VulnDB ID: 427979	Week of November 22, 2025
CVE-2025-55796	Week of November 22, 2025
CVE-2025-64428	Week of November 22, 2025
CVE-2025-62703	Week of November 22, 2025
VulnDB ID: 428193	Week of November 22, 2025
CVE-2025-65018	Week of November 22, 2025
CVE-2025-54347	Week of November 22, 2025
CVE-2025-55182	Week of November 29, 2025
CVE-2024-14007	Week of November 29, 2025
CVE-2025-66399	Week of November 29, 2025
CVE-2022-35420	Week of November 29, 2025
CVE-2025-66516	Week of November 29, 2025
CVE-2025-59366	Week of November 29, 2025
CVE-2025-14174	Week of December 6, 2026
CVE-2025-43529	Week of December 6, 2026
CVE-2025-8110	Week of December 6, 2026
CVE-2025-59719	Week of December 6, 2026
CVE-2025-59718	Week of December 6, 2026
CVE-2025-14087	Week of December 6, 2026
CVE-2025-62221	Week of December 6, 2026

Transform Vulnerability Management with Flashpoint

Request a demo today to see how Flashpoint can transform your vulnerability intelligence, vulnerability management, and exposure identification program.

Request a demo today.

Blogs

Blog

The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.

Infostealer-driven credential theft in 2025 has surged, with Flashpoint observing a staggering 800% increase since the start of the year. With over 1.8 billion corporate and personal accounts compromised, the threat landscape finds itself in a paradox: while technical defenses have never been more advanced, the human attack surface has never been more vulnerable.

Information-stealing malware has become the most scalable entry point for enterprise breaches, but to truly defend against them, organizations must look beyond the malware itself. As teams move into 2026 security planning, it is critical to understand the deceptive initial access vectors—the latest tactics Flashpoint is seeing in the wild—that threat actors are using to manipulate users and bypass modern security perimeters.

Here are the latest methods threat actors are leveraging to facilitate infections:

1. Neutralizing Mark of the Web (MotW) via Drag-and-Drop Lures

Mark of the Web (MotW) is a critical Windows defense feature that tags files downloaded from the internet as “untrusted” by adding a hidden NTFS Alternate Data Stream (ADS) to the file. This tag triggers “Protected View” in Microsoft Office programs and prompts Windows SmartScreen warnings when a user attempts to execute an unknown file.

Flashpoint has observed a new social engineering method to bypass these protections through a simple drag-and-drop lure. Instead of asking a user to open a suspicious attachment directly, which would trigger an immediate MotW warning, threat actors are instead instructing the victim to drag the malicious image or file from a document onto their desktop to view it. This manual interaction is highly effective for two reasons:

1. Contextual Evasion: By dragging the file out of the document and onto the desktop, the file is executed outside the scope of the Protected View sandbox.
2. Metadata Stripping: In many instances, the act of dragging and dropping an embedded object from a parent document can cause the operating system to treat the newly created file as a local creation, rather than an internet download. This effectively strips the MotW tag and allows malicious code to run without any security alerts.

2. Executing Payloads via Vulnerabilities and Trusted Processes

Flashpoint analysts uncovered an illicit thread detailing a proof of concept for a client-side remote code execution (RCE) in the Google Web Designer for Windows, which was first discovered by security researcher Bálint Magyar.

Google Web Designer is an application used for creating dynamic ads for the Google Ads platform. Leveraging this vulnerability, attackers would be able to perform remote code execution through an internal API using CSS injection by targeting a configuration file related to ads documents.

Within this thread, threat actors were specifically interested in the execution of the payload using the chrome.exe process. This is because using chrome.exe to fetch and execute a file is likely to bypass several security restrictions as Chrome is already a trusted process. By utilizing specific command-line arguments, such as the –headless flag, threat actors showed how to force a browser to initiate a remote connection in the background without spawning a visible window. This can be used in conjunction with other malicious scripts to silently download additional payloads onto a victim’s systems.

3. Targeting Alternative Softwares as a Path of Least Resistance

As widely-used software becomes more hardened and secure, threat actors are instead pivoting to targeting lesser-known alternatives. These tools often lack robust macro-protections. By targeting vulnerabilities in secondary PDF viewers or Office alternatives, attackers are seeking to trick users into making remote server connections that would otherwise be flagged as suspicious.

Understanding the Identity Attack Surface

Social engineering is one of the driving factors behind the infostealer lifecycle. Once an initial access vector is successful, the malware immediately begins harvesting the logs that fuel today’s identity-based digital attacks.

As detailed in The Proactive Defender’s Guide to Infostealers, the end goal is not just a password. Instead, attackers are prioritizing session cookies, which allow them to perform session hijacking. By importing these stolen cookies into anti-detect browsers, they bypass Multi-Factor Authentication and step directly into corporate environments, appearing as a legitimate, authenticated user.

Understanding how threat actors weaponize stolen data is the first step toward a proactive defense. For a deep dive into the most prolific stealer strains and strategies for managing the identity attack surface, download The Proactive Defender’s Guide to Infostealers today.

Request a demo today.

Blogs

Blog

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

Last week, Hudson Rock published a blog on “Trevor Greer,” a persona tied to a North Korean IT Worker. Flashpoint shared additional insights with our clients back in July, and we’re now making those findings public.

Trevor Greer, a North Korean operative, was identified via an infostealer infection on their own machine. Information-stealing malware, also known as Infostealers or stealers, are malware designed to scrape passwords and cookies from unsuspecting victims. Stealers (like LummaC2 or RedLine) are typically used by cybercriminals to steal login credentials from everyday users to sell on the Dark Web. It is rare to see them infect the machines of a state-sponsored advanced persistent threat group (APT).

However, when adversaries unknowingly infect themselves, they can expose valuable insights into the inner workings of their campaigns. Leveraging Flashpoint intelligence sourced from the leaked logs of “Trevor Greer,” our analysts uncovered a myriad of fake identities and companies used by DPRK APTs.

Finding Trevor Greer

Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

ByBit Compromise

The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

Tracing the Infection

Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

What the Logs Revealed

Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

The data painted a vivid picture of how these threat actors operate:

Preparation for “Contagious Interviews”

The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

Reliance on AI Tools

The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

Pivoting: One Node to a Network

By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

• Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
• Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims. 
• Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
• Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify. 
• Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

Disrupt Threat Actors Using Flashpoint

The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too. 

Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

Request a demo today.

Blogs

Blog

Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution

CVE-2025-55182 (VulnDB ID: 428930), is a severe, unauthenticated RCE impacting a major component of React and its ecosystem, putting global applications at immediate, high-fidelity risk.

The React team disclosed a critical vulnerability impacting three products in the React Server Components (RSC) that allows for unauthenticated remote code execution. 

Flashpoint’s vulnerability research team assesses significant enterprise and supply chain risk given React’s ubiquity: the impacted JavaScript library underpins modern UIs, with 168,640 dependents and more than 51 million weekly downloads.

How CVE-2025-55182 Works

CVE-2025-55182 (VulnDB ID: 428930) impacts all React versions since 19.0.0, meaning that this issue has been potentially exploitable since November 14, 2024. This vulnerability stems from how React handles payloads sent to React Server Function endpoints and deserializes them.

Depending on the implementation of this library, a remote, unauthenticated threat actor could send a crafted payload that would be deserialized in a way that causes remote code execution. This would lead to a total compromise of the system hosting the application, allowing for malware such as infostealers, ransomware, or cryptojackers (cryptocurrency mining) to be downloaded.

A working exploit for CVE-2025-55182 has already been published that is effective against some installations. In addition, Amazon has reported that two threat actors, attributed to Chinese Advanced Persistent Threat Groups (APTs), have begun to exploit this vulnerability. Those groups are:

• Earth Lamia (STAC6451, REF0657, CL-STA-0048)
• Jackpot Panda (iSoon, DRAGNET PANDA, Anxun Information, deepclif, Poison Carp, Houndstooth Typhoon)

Understanding the Impact and Scope of CVE-2025-55182

It is critical that security teams fully understand the potential downstream scope and impact so that they can fully focus on mitigation, rather than time-consuming research. While the vendor has provided a full disclosure, there are several important caveats to understand about CVE-2025-55182:

1. Applications not implementing any React Server Function endpoints may still be vulnerable as long as it supports React Server Components.
2. If an application’s React code does not use a server, it is not affected by this vulnerability.
3. Applications that do not use a framework, bundler, or bundler plugins that support React Server Components are unaffected by this vulnerability.

Additionally, several React frameworks and bundlers have been discovered to leverage vulnerable React packages in various ways. The following frameworks and bundlers are known to be affected:

• next
• react-router
• waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk

NPMJS.com currently shows that the react-dom package, which is effectively part of React, has 168,640 dependents. This means that an incredible number of enterprise applications are likely to be affected. Nearly every commercial application is built on hundreds, sometimes thousands of components and dependencies. Furthermore, applications coded via Vibe and similar technology are also likely to leverage React: potentially amplifying the downstream risk this vulnerability poses.

How to Mitigate CVE-2025-55182

For mitigation, the React library has released versions 19.0.1, 19.1.2, and 19.2.1 that resolve the issue. Flashpoint advises organizations to upgrade their respective libraries urgently. Security teams leveraging dynamic SBOMs (Software Bill of Materials) can drastically increase risk mapping and triage for deployed React versions.

CloudFlare has upgraded their web-application firewall (WAF) to protect against CVE-2025-55182. It is available for both free and paid plans but requires that React application traffic is proxied through the CloudFlare WAF.

To avoid confusion, security teams should ignore CVE-2025-66478. It has been rejected for being a duplicate of the preferred CVE-2025-55182.

Mitigate Critical Vulnerabilities Using Flashpoint

Flashpoint strongly recommends security teams treat this vulnerability with utmost urgency. Our vulnerability research team will continue to monitor this vulnerability and its downstream impacts. All updates will be provided via Flashpoint’s VulnDB. 

Request a demo today and gain access to quality vulnerability intelligence that helps address critical threats in a timely manner.

Request a demo today.

Blogs

Blog

Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel

Examining current and potential involvement of militant terrorist groups in the Israel-Hamas conflict, beginning with the October 7 attacks

October 7: Hamas attacks Israel

In the midst of the Israel-Hamas War, which erupted with a surprising and devastating attack on October 7, 2023 that resulted in the deaths of more than 1,300 Israelis, it is becoming increasingly apparent that the dynamics of this complex conflict extend beyond the actions of Hamas alone. While Hamas took the lead in launching the initial assault, there is evidence, outlined in this article, that numerous other militant and terrorist groups worked in concert with Hamas, which continues to shape the trajectory of the ongoing conflict.

Based on frontline reportage, open-source intelligence, including social media and message platforms, and Flashpoint collections surrounding the events on October 7, we explore the roles and actions of additional militant and terrorist factions, shedding light on their collective impact in the evolving Israel-Hamas War. 

We will update this article as the situation in Israel, Gaza, and the Middle East develops.

Militant and Terrorist Groups Involved in October 7 Attack on Israel

Izz al-Din al-Qassam Brigades (كتائب الشهيد عز الدين القسام)

Operation Al-Aqsa Tufan (Flood) involved coordinated attacks from the Gaza Strip into bordering areas in Israel on October 7, coinciding with a major Jewish holiday and marking the beginning of the 2023 Israel–Hamas war. The attack included a rocket barrage of thousands of missiles, vehicle-transported incursions into Israeli territory, kidnappings, including at a music festival, and significant civilian casualties. It has been described as one of the bloodiest days in Israel’s history and the deadliest for Jews since the Holocaust. Founded in the late 1980s, Izz al-Din al-Qassam Brigades is the militant wing of the terrorist organization Hamas. It has been designated as a terrorist organization by several countries, including the United States, Israel, and the European Union. 

The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

Palestinian Islamic Jihad (الجهاد الإسلامي الفلسطيني)

As we previously reported, Hamas and PIJ communicate often with followers via Telegram. On the day after the October 7 attacks, PIJ, in one of its main channels, posted that “the elite of Al-Quds Brigades is entering the border to support al-Qassam Brigades fighters (Hamas) and supply them with weapons.” It has also been reported that PIJ took part in the October 7 attacks alongside Hamas.

On October 17, a rocket hit the Al Ahli Arab Hospital in Gaza, killing hundreds of Palestinian civilians. In a statement, Israeli Defense Forces said that “[Palestinian] Islamic Jihad is responsible for the failed rocket launch which hit the hospital in Gaza.” PIJ has denied the allegation in a statement, reportedly calling it “false and baseless.”

Palestinian Islamic Jihad (PIJ) is a Palestinian terrorist organization that is designated by several countries, including the United States, Israel, and the European Union. It was founded in the late 1970s with the goal of establishing an Islamic Palestinian state and has carried out attacks against Israel.

Al-Aqsa Martyrs Brigade (كتائب شهداء الأقصى)

The Al-Aqsa Martyrs Brigade is a Palestinian militant organization affiliated with Fatah, a major Palestinian political party, that has carried out attacks and other activities against Israel. One of the key players in Palestinian politics today, Al-Aqsa Martyrs brigade was founded in the late 1950s and has historically been associated with the Palestine Liberation Organization (PLO). The group was designated a Foreign Terrorist Organization by the US Department of State in 2002.

Above: Screengrab from October 7 showing a video of a man wearing a headband with the Al-Aqsa Martyrs Brigade emblem. The video, posted in an official Al-Aqsa Martys Brigade Telegram channel, shows the man speaking alongside a gravely injured Israeli soldier. The message hashtag translates to “#Scenes_of_enemy_soldiers_capture” (Image: Flashpoint)

Democratic Front for the Liberation of Palestine (الجبهة الديمقراطية لتحرير فلسطين)

The Democratic Front for the Liberation of Palestine (DFLP) is a Palestinian political and militant organization founded in 1969, known for its left-wing and Marxist ideologies. It has historically aimed for the liberation of Palestine and the establishment of an independent Palestinian state through both militaristic and political means. While a member of the Palestine Liberation Organization (PLO), it has not been as prominent as other Palestinian factions like Fatah or Hamas in recent years.

Above: Pictures posted by an official Democratic Front for the Liberation of Palestine showing armed militants reportedly inside Israeli territory on October 7. (Image: Flashpoint)

Palestinian Mujahideen Movement (حركة المجاهدين الفلسطينيين)

The Palestinian Mujahideen Movement is a Palestinian militant organization that emerged in the early 1970s with the goal of resisting Israeli occupation and achieving Palestinian self-determination through various armed activities and operations against Israeli forces. However, it is not as widely recognized or prominent as Palestinian terrorist groups like Hamas or the Palestinian Islamic Jihad (PIJ).

Above: Screengrab of an official Palestinian Mujahideen Movement channel showing an image of Dr. Asaad Abu Sharia, the General of the Palestinian Mujahideen Movement, congratulating the “heroes…who stormed the positions and settlements of [Israel].”

We have shared this Telegram message in lieu of the many messages shared in the same channel the day prior, October 7, that showed graphically violent images of what appears to be soldiers in IDF uniforms. (Image: Flashpoint)

Popular Resistance Committees (لجان المقاومة الشعبية)

The Popular Resistance Committees (PRC), whose military wing is referred to as Al-Nasser Salah al-Deen Brigades (ألوية الناصر صلاح الدين), are a coalition of various Palestinian factions and armed groups in the Gaza Strip. They were formed in the early 2000s during the Second Intifada, a period of intense Palestinian-Israeli conflict. The PRC includes members from different political and militant backgrounds and has carried out attacks against Israel. While not as prominent as terrorist organizations like Hamas or the Palestinian Islamic Jihad (PIJ), the PRC has played a role in the ongoing Israeli-Palestinian conflict, as evidenced by the events of October 7, 2023.

Above: Screengrab of communications within the official Al-Nasser Salah al-Din Brigades Telegram channel from October 7, alongside photos of allegedly confiscated military equipment and IDs belonging to captured Israeli soldiers. (Image: Flashpoint)

Those who could join the fight

Lebanese Hezbollah (حزب الله اللبناني)

Though not directly involved in the October 7 attacks, Lebanese Hezbollah and Israel have exchanged assaults in connection with the ongoing Israel-Hamas War since October 8.

The Israel-Hamas War: Insights Through an Intelligence Lens

Also known as Hezbollah, Lebanese Hezbollah is a Shiite Islamist political and militant organization based in Lebanon. It was founded in the early 1980s with support from Iran, following the Israeli invasion of Lebanon. Hezbollah’s primary goal is to resist Israel and promote Shiite interests in Lebanon and the wider region. The group was designated a Foreign Terrorist Organization by the US Department of State in 1997, the same year as Hamas and PIJ.

Lions’ Den (عرين الأسود)

Saraya al-Quds Military spokesman Abu Hamza has called for Lions’ Den and Jenin Brigade, another Palestinian militant group, to join the fight.

The Lions’ Den is a Palestinian militant group in the Israeli-occupied West Bank, formed in August 2022. Comprising members from various Palestinian militant and terrorist organizations, including Hamas and Palestinian Islamic Jihad, along with disaffected Fatah members, it resonates with some young Palestinians frustrated by the Israeli occupation, settlements, settler violence, and the perceived ineffectiveness of the Palestinian Authority. They have engaged in various West Bank attacks, funded in part by Hamas.

These profiles represent the most meaningful actors on the digital and physical frontlines of the Israel-Hamas War at the moment. Flashpoint has seen an expansion of participants as the conflict unfolds and expands into new physical and digital theaters. We will therefore update this article as the situation continues to develop.

Request a demo today.

Blogs

Blog

The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

Analyzing Telegram’s role in facilitating communication and strategy for Hamas and PIJ during the initial days of the Israel-Hamas War

Telegram: A crucial modern warfare channel

Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals. The platform’s role in open-source intelligence (OSINT) is vital, offering real-time insights into unfolding global events, such as the ongoing military conflict between Hamas and Israel, and becoming an essential tool for intelligence professionals navigating the multifaceted landscape of contemporary warfare. Organizations with regional interests should perceive Telegram as a crucial asset in understanding their risk apertures and navigating through conflict complexities.

In the context of recent global conflicts, including the Russia-Ukraine war and the Hamas-Israel conflict, platforms like Telegram have demonstrated their significance by providing real-time updates, documenting potential war crimes, and offering a platform for anti-war narratives amidst governmental censorship. Both scenarios underscore Telegram’s evolving role in modern warfare, influencing narratives and strategies, and providing a digital battlefield for organizations and intelligence professionals to navigate and anticipate conflict dynamics.

The Israel-Hamas War: Insights Through an Intelligence Lens

October 7: Surprise Hamas attack

This digital battlefield, while shaping the narratives and strategies in contemporary conflicts, abruptly collided with reality on October 7, when the virtual orchestrations of Hamas transformed into a tangible, devastating surprise attack on Israel.

Hamas militants launched an unexpected, devastating attack on Israel on October 7, resulting in hundreds of casualties and numerous hostages. Over 2,000 rockets were fired into Israel, causing significant casualties and prompting Prime Minister Benjamin Netanyahu to declare war on Hamas, mobilizing the military and reserves. The assault, occurring on the fiftieth anniversary of the 1973 Egypt and Syria attack and during the Jewish holiday, Shemini Atzeret, took Israel by surprise. 

Reports state that the attack resulted in hundreds dead and more than 500 injuries, the kidnappings of Israeli soldiers, and vehicle takeovers, while Hezbollah celebrated the assault. The US Embassy in Jerusalem issued an alert and initiated shelter-in-place protocols for its personnel. Militants breached the Gaza-Israel barrier using various methods, and Hamas commander Mohammed Deif urged Palestinians and Arabs to join the operation, raising fears of a wider conflict.

At around 5:30 a.m. UTC, Hamas posted in one of its main Telegram channels, that the Commander-in-Chief of Al-Qassam Brigades announced the beginning of Hamas’s Al-Aqsa Tufan (Flood) and the firing of over 5,000 rockets aimed at Israel. Shortly thereafter, reports show that air raid sirens sounded in Jerusalem around 6:30 a.m. local time, signaling an attack and instructing citizens to take cover.

Hamas Telegram post announcing the start of Al-Aqsa Tufan (Image: Flashpoint)

This message represents one of 1,145 messages sent over Hamas’s main Telegram channel on October 7. For context, the day prior, 373 messages were sent over the same channels, showing more than a 3X spike in chatter from October 6.

October 8: Violence escalates

The conflict intensifies with continued assaults and counter-assaults from both Israel and Hamas. The death toll rises sharply on both sides, and the situation garners international attention and condemnation. Hamas issues a threat to execute Israeli hostages, prompting further international outrage. The U.S. confirms that several American citizens have been killed in the attacks and expresses its unwavering support for Israel. Various nations and international leaders continue to condemn the violence and express solidarity with Israel.

On October 8, Palestinian Islamic Jihad posted that “the elite of Al-Quds Brigades is entering the border to support Al-Qassam Brigades fighters and supply them with weapons.” (Image: Flashpoint)

On Sunday, 1,129 posts were sent between PIJ and its followers on Telegram, with messages such as above sharing updates of the assault.

October 9: Broadening battlefields

The conflict takes a new turn as rockets are fired from Lebanon toward Israel, prompting Israeli forces to retaliate against Lebanese territories. The U.S. updates the number of American citizens killed in the attacks and acknowledges that Americans are among those taken hostage by Hamas. Israeli Defense Minister Yoav Gallant orders a “complete siege” on Gaza and promises a robust and unrestrained response to the ongoing attacks, vowing to eliminate any threats against Israel.

Telegram post from a major Hamas channel linking to a video of Abu Obaida, the spokesperson for the al-Qassam Brigades, in which he signals further violence to Israelis, particularly hostages (Image: Flashpoint).

Throughout Monday, Telegram activity from Hamas and PIJ fell by almost half compared to the day prior. Within the first 72 hours of the Israeli-Hamas War, Flashpoint observed a total of 5,472 Telegram posts shared by both Hamas and PIJ across their main channels.

Blogs

Blog

Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic

Race to the bottom

Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 

Timeline

Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

• March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.

• March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
• However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.

• May 29, 2023: “Impotent,” the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.

• June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
• Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.

• June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.

• That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.

• June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
• OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.

• June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism

Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

Putin Vs. Prigozhin

The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

Social media and messaging platforms like Telegram continues to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfolded, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

In retaliation, Prigozhin has appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”

Round 2: #Shoigu hits back.

"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

— Jason Corcoran (@jason_corcoran) June 23, 2023

The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

June 24: Prigozhin’s March To Moscow

On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 

Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin behalf.

Concluding thoughts

In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Risk Intelligence Index: Cyber Threat Landscape by the Numbers

Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, insider threats, and takedowns of illicit forums and shops.

Ransomware

Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, as cybercriminals employ increasingly sophisticated—and effective—tactics. Last month, our analysts observed a total of 397 ransomware attacks.

Key takeaways for the state of ransomware

• Organizations in the United States bore the brunt of ransomware attacks, accounting for a staggering 211 incidents—a 66 percent increase compared to last month.
• The top three industries targeted by ransomware were Professional Services, Internet Software & Services, and Construction & Engineering.
• Clop ransomware has emerged as one of the most active ransomware groups, securing the second spot in March’s top 10 ranking. Last month, Clop garnered attention by exploiting a remote code execution vulnerability—allegedly enabling them to acquire data from over 100 organizations, although they only disclosed a few victim names on their blog.

Vulnerabilities

According to our intelligence, 2,245 new vulnerabilities were reported in March, with 379 of them being missed by the Common Vulnerabilities and Exposures (CVE) and National Vulnerability Database (NVD).

Key takeaways for the state of vulnerability intelligence

• Approximately 34 percent of March’s disclosed vulnerabilities are rated as high-to-critical in severity, which if exploited, could pose a significant risk to an organization’s security posture.
• Over 78 percent of March’s vulnerabilities are remotely exploitable, meaning that if threat actors are able to leverage these issues, they can execute malicious code no matter where the device is located.
• Nearly 29 percent of March’s vulnerabilities already have a documented public exploit, which drastically lessens the difficulty to exploit.
• Vulnerability Management teams can potentially lessen workloads by nearly 88 percent by first focusing on actionable, high severity vulnerabilities—i.e., vulnerabilities that are remotely exploitable, that have a public exploit, and a viable solution; 253 of March’s vulnerabilities meet this criteria.

Insider Threat

The tactic of recruiting insiders has become immensely popular amongst threat actors aiming to breach systems and/or commit ransomware attacks.

In March, our analysts collected 5,586 posts advertising insider services—both from threat actors seeking insiders and malicious employees offering their services. Of those, 1,127 were unique posts from individuals in illicit and underground communities.

Key takeaways for the state of insider threat intelligence

• In March, Flashpoint tracked 5,586 posts related to insider threats activity—both from threat actors attempting to solicit insider-facilitated access and from disgruntled employees offering their services. Of the total, 1,127 were unique postings.

• At this time, the Telecom industry is the most targeted sector, followed by Financial and Retail.

• Looking into the state of insider threats further, Flashpoint found that the majority of insider threat related postings originated from inside the organization with malicious insiders offering their services. Most of this activity came from the Telecom sector. 

Takedowns

In March 2023, there were numerous takedowns, voluntary shutdowns, and arrests affecting ransomware, markets, account shops, card shops, and individual cybercriminals. Here are the high-profile takedowns.

Breach Forums

On March 21, 2023, mid-tier hacking forum Breach Forums was shut down following the arrest of its administrator, Conor Brian Fitzpatrick (aka “pompompurin”), six days prior.

Read the court doc here.

Worldwiredlabs

On March 3, a US Magistrate Judge issued a seizure warrant for Worldwiredlabs[.]com, a domain used by cybercriminals to sell malware, including remote access trojan (RAT) “NetWire,” which is capable of targeting and infecting major computer operating systems.

On March 7, an international law enforcement effort led to the seizure of Worldwiredlabs. The FBI had begun its investigation in 2020, and uncovered that it was the only known online distributor of NetWire.

Read the court doc here.

Get best-in-class intel

The following data is derived from the Flashpoint Intelligence Platform and VulnDB, the most comprehensive and timely source of vulnerability intelligence available. Sign up for a free trial today.

Request a demo today.

Blogs

Blog

Card Shop Threat Landscape: BidenCash Dumps 2.1M Stolen Credit Cards

What we know about the most recent BidenCash dump, and what it means in the context of the greater card shop threat landscape

What BidenCash has shared

On February 28, 2023, card shop BidenCash announced its one-year anniversary. To commemorate the event, the administrators of BidenCash shared a text file of 2.1 million compromised credit cards for free on a top-tier Russian-speaking darknet forum XSS. Here’s what we know about the most recent BidenCash dump, and what this means in the context of the greater card shop threat landscape.

Initial findings

Our initial findings indicate that the text file with the credit card numbers contains a host of personally identifiable information (PII), including the cardholder’s name and address as well as private financial data such as the  full card number, expiration date, CVV number, and bank name.

Additionally, about 70% of the cards have expiration dates in 2023; 50% of the cards belong to US-based people or entities; while fewer than 5% of them are based in China and the UK.

While BidenCash currently ranks in the top-5 card shops by total volume (above), quality (the viability of the cards) always trumps the quantity (total number of cards). BidenCash’s release is one of the largest observed in the last year, where a typical release is somewhere in the ballpark of 40,000 stolen credit cards. Like any offering of free samples, the goal is to attract new customers to the storefront. The actual mileage on those credit cards may be limited, as they are approaching expiration, or have likely been already flagged for fraud by financial institutions. 

Not the first BidenCash release

BidenCash has previously released large compromised card dumps to gauge interest in its card shop. For example, on June 16, 2022, BidenCash card shop released a database with information of 7.9 million individuals on the top-tier Russian-language forum XSS.

On August 2, 2021, another card shop AllWorldCards announced on XSS the release of 1,000,000 credit cards for free. The data contained in these records included full credit card numbers, expiration dates, CVVs, and in some cases other PII, including country, state, city, address, zip code, email, phone number).

BidenCash vs. The competition

Since the official closure of Joker’s Stash on February 15, 2021, several card shops have attempted to earn the title of “top card shop,” with Telegram-based shops increasingly conquering market share from more traditional web-based shops. BidenCash is currently a mid- to-top-tier card shop in terms of volume and popularity with threat actors. The shop has managed to steadily increase the volume of cards sold through its platform throughout 2022 and the shop’s giveaway of free credit cards likely constitutes a push to increase its popularity in a still-malleable market. 

BidenCash launched on April 27, 2022, shortly after Russian authorities seized a number of illicit card shops, including Forum, Trump Dumps, and UniCC, along with the carding forum Sky-Fraud and Remote Desktop Protocol access shop UAS. These cybercrime-related takedowns—which represent one of the last actions of Russian authorities in the cybercrime realm before its military 2022 invasion of Ukraine—launched significant movements in the market of credit card shops, as new or emergent card shops breathed fresh competition into the illicit landscape.

Fight card fraud with Flashpoint

With more than 2 billion stolen credit cards in our collections, Flashpoint’s Card Fraud Mitigation helps fraud teams detect compromised credit cards from illicit communities and data breaches, and identify high-risk merchants before fraudulent transactions occur or multiply. Card Fraud Mitigation unlocks visibility into attacker techniques, emerging trends, and new fraud schemes to help teams quickly take action.

Flashpoint cyber threat intelligence tools provide teams with access to illicit online communities including closed sources across forums, the open web and chat services platforms, as well as indicators of compromise (IOCs), and technical data as analyzed by Flashpoint intelligence analysts. Sign up for a demo today.

Request a demo today.