Blogs

Blog

How China’s “Walled Garden” is Redefining the Cyber Threat Landscape

In our latest webinar, Flashpoint unpacks the architecture of the Chinese threat actor cyber ecosystem—a parallel offensive stack fueled by government mandates and commercialized hacker-for-hire industry.

For years, the global cybersecurity community has operated under the assumption that technical information was a matter of public record. Security research has always been openly discussed and shared through a culture of global transparency. Today, that reality has fundamentally shifted. Flashpoint is witnessing a growing opacity—a “Walled Garden”—around Chinese data. As a result, the competence of Chinese threat actors and APTs has reached an industrialized scale.

In Flashpoint’s recent on-demand webinar, “Mapping the Adversary: Inside the Chinese Pentesting Ecosystem,” our analysts explain how China’s state policies surrounding zero-day vulnerability research have effectively shut out the cyber communities that once provided a window into Chinese tradecraft. However, they haven’t disappeared. Rather, they have been absorbed by the state to develop a mature, self-sustaining offensive stack capable of targeting global infrastructure.

Understanding the Walled Garden: The Shift from Disclosure to Nationalization

The “Walled Garden” is a direct result of a Chinese regulatory turning point in 2021: the Regulations on the Management of Security Vulnerabilities (RMSV). While the gradual walling off of China’s data is the cumulative result of years of implementing regulatory and policy strategies, the 2021 RMSV marks a critical turning point that effectively nationalized China’s vulnerability research capabilities. Under the RMSV, any individual or organization in China that discovers a new flaw must report it to the Ministry of Industry and Information Technology (MIIT) within 48 hours. Crucially, researchers are prohibited from sharing technical details with third parties—especially foreign entities—or selling them before a patch is issued.

It is important to note that this mandate is not limited to Chinese-based software or hardware; it applies to any vulnerability discovered, as long as the discoverer is a Chinese-based organization or national. This effectively treats software vulnerabilities as a national strategic resource for China. By centralizing this data, the Chinese government ensures it has an early window into zero-day exploits before the global defensive community. 

For defenders, this means that by the time a vulnerability is public, there is a high probability it has already been analyzed and potentially weaponized within China’s state-aligned apparatus.

The Indigenous Kill Chain: Reconnaissance Beyond Shodan

Flashpoint analysts have observed that within this Walled Garden, traditional Western reconnaissance tools are losing their effectiveness. Chinese threat actors are utilizing an indigenous suite of cyberspace search engines that create a dangerous information asymmetry, allowing them to peer at defender infrastructure while shielding their own domestic base from Western scrutiny.

While Shodan remains the go-to resource for security teams, Flashpoint has seen Chinese threat actors favor three IoT search engines that offer them a massive home-field advantage:

• FOFA: Specializes in deep fingerprinting for middleware and Chinese-specific signatures, often indexing dorks for new vulnerabilities weeks before they appear in the West.
• Zoomai: Built for high-speed automation, offering APIs that integrate with AI systems to move from discovery to verified target in minutes.
• 360 Quake: Provides granular, real-time mapping through a CLI with an AI engine for complex asset portraits.

In the full session, we demonstrate exactly how Chinese operators use these tools to fuse reconnaissance and exploitation into a single, automated step—a capability most Western EDRs aren’t yet tuned to detect.

Building a State-Aligned Offensive Stack

Leveraging their knowledge of vulnerabilities and zero-day exploits, the illicit Chinese ecosystem is building tools designed to dismantle the specific technologies that power global corporate data centers and business hubs.

In the webinar, our analysts explain purpose-built cyber weapons designed to hunt VMware vCenter servers that support one-click shell uploads via vulnerabilities like Log4Shell. Beyond the initial exploit, Flashpoint highlights the rising use of Behinder (Ice Scorpion)—a sophisticated web shell management tool. Behinder has become a staple for Chinese operators because it encrypts command-and-control (C2) traffic, allowing attackers to evade conventional inspection and deep packet analytics.

Strengthen Your Defenses Against the Chinese Offensive Stack with Flashpoint

By understanding this “Walled Garden” architecture, defenders can move beyond generic signatures and begin to hunt for the specific TTPs—such as high-entropy C2 traffic and proprietary Chinese scanning patterns—that define the modern Chinese threat actor.

How can Flashpoint help? Flashpoint’s cyber threat intelligence platform cuts through the generic feed overload and delivers unrivaled primary-source data, AI-powered analysis, and expert human context.

Watch the on-demand webinar to learn more, or request a demo today.

Request a demo today.

Blogs

Blog

The Five Phases of the Threat Intelligence Lifecycle: A Strategic Guide

The threat intelligence lifecycle is a fundamental framework for all fraud, physical, and cybersecurity programs. It is useful whether a program is mature and sophisticated or just starting out.

What is the Core Purpose of the Threat Intelligence Lifecycle?

The threat intelligence lifecycle is a foundational framework for all fraud, physical security, and cybersecurity programs at every stage of maturity. It provides a structured way to understand how intelligence is defined, built, and applied to support real-world decisions.

At a high level, the lifecycle outlines how organizations move from questions to insight to action. Rather than focusing on tools or outputs alone, it emphasizes the practices required to produce intelligence that is relevant, timely, and trusted. This iterative, adaptable methodology consists of five stages that guide how intelligence requirements are set, how information is collected and analyzed, how insight reaches decision-makers, and how priorities are continuously refined based on feedback and changing risk conditions.

The Five Phases of the Threat Intelligence Lifecycle

Key Objectives at Each Phase of the Threat Intelligence Lifecycle

PHASE 1: Requirements & Tasking

The first phase of the threat intelligence lifecycle is arguably the most important because it defines the purpose and direction of every activity that follows. This phase focuses on clearly articulating what intelligence needs to answer and why.

As an initial step, organizations should define their intelligence requirements, often referred to as Priority Intelligence Requirements (PIRs). In public sector contexts, these may also be called Essential Elements of Information (EEIs). Regardless of terminology, the goal is the same: establish clear, stakeholder-driven questions that intelligence is expected to support.

Effective requirements are tied directly to business risk and operational outcomes. They should reflect what the organization is trying to protect, the threats of greatest concern, and the decisions intelligence is meant to inform, such as reducing operational risk, improving efficiency, or accelerating detection and response.

This process often resembles building a business case, and that’s intentional. Clearly defined requirements make it easier to align intelligence efforts with organizational priorities, establish meaningful key performance indicators (KPIs), and demonstrate the value of intelligence over time.

In many organizations, senior leadership, such as the Chief Information Security Officer (CISO or CSO), plays a key role in shaping requirements by identifying critical assets, defining risk tolerance, and setting expectations for how intelligence should support decision-making.

Key Considerations in Phase 1

PHASE 2: Collection & Discovery

The Collection & Discovery phase focuses on building visibility into the threat environments most relevant to your organization. Both the breadth and depth of collection matter. Too little visibility creates blind spots; too much unfocused data overwhelms teams with noise and false positives.

At this stage, organizations determine where and how intelligence is collected, including the types of sources monitored and the mechanisms used to adapt coverage as threats evolve. This can include visibility into phishing activity, compromised credentials, vulnerabilities and exploits, malware tooling, fraud schemes, and other adversary behaviors across open, deep, and closed environments.

Effective programs increasingly rely on Primary Source Collection, or the ability to collect intelligence directly from original sources based on defined requirements, rather than consuming static, vendor-defined feeds. This approach enables teams to monitor the environments where threats originate, coordinate, and evolve—and to adjust collection dynamically as priorities shift.

Discovery extends collection beyond static source lists. Rather than relying solely on predefined feeds, effective programs continuously identify new sources, communities, and channels as threat actors shift tactics, platforms, and coordination methods. This adaptability is critical for surfacing early indicators and upstream activity before threats materialize internally.

The processing component of this phase ensures collected data is usable. Raw inputs are normalized, structured, translated, deduplicated, and enriched so analysts can quickly assess relevance and move into analysis. Common processing activities include language translation, metadata extraction, entity normalization, and reduction of low-signal content.

Key Considerations in Phase 2

PHASE 3: Analysis & Prioritization

The Analysis & Prioritization phase focuses on transforming processed data into meaningful intelligence that supports real decisions. This is where analysts connect signals across sources, enrich raw findings with context, assess credibility and relevance, and determine why a threat matters to the organization.

Effective analysis evaluates activity, likelihood, impact, and business relevance. Analysts correlate threat actor behavior, infrastructure, vulnerabilities, and targeting patterns to understand exposure and prioritize response. This step is critical for moving from information awareness to actionable insight.

As artificial intelligence and machine learning continue to mature, they increasingly support this phase by accelerating enrichment, correlation, translation, and pattern recognition across large datasets. When applied thoughtfully, AI helps analysts scale their work and improve consistency, while human expertise remains essential for judgment, context, and prioritization especially for high-risk or ambiguous threats.

This phase delivers clarity and a defensible view of what requires attention first and why.

Key Considerations in Phase 3

PHASE 4: Dissemination & Action

Once analysis and prioritization are complete, intelligence must be delivered in a way that enables action. The Dissemination & Action phase focuses on translating finished intelligence into formats that are clear, relevant, and aligned to how different stakeholders make decisions.

This phase is dedicated to ensuring the right information reaches the right teams at the right time. Effective dissemination considers audience, urgency, and operational context, whether intelligence is supporting detection engineering, incident response, fraud prevention, vulnerability remediation, or executive decision-making.

Finished intelligence should include clear assessments, confidence levels, and recommended actions. These recommendations may inform incident response playbooks, ransomware mitigation steps, patch prioritization, fraud controls, or monitoring adjustments. The goal is to remove ambiguity and enable stakeholders to act decisively.

Ultimately, intelligence only delivers value when it drives outcomes. In this phase, stakeholders evaluate the intelligence provided and determine whether, and how, to act on it.

Key Considerations in Phase 4

PHASE 5: Feedback & Retasking

The Feedback & Retasking phase closes the intelligence lifecycle loop by ensuring intelligence remains aligned to real-world needs as threats, priorities, and business conditions change. Rather than treating intelligence delivery as an endpoint, this phase focuses on evaluating impact and continuously refining what the intelligence function is working on and why.

Once intelligence has been acted on, stakeholders assess whether it was timely, relevant, and actionable. Their feedback informs updates to requirements, collection priorities, analytic focus, and delivery methods. Mature programs use this input to adjust tasking in near real time, ensuring intelligence efforts remain focused on the threats that matter most.

Improvements at this stage often center on shortening retasking cycles, reducing low-value outputs, and strengthening alignment between intelligence producers and decision-makers. Over time, this creates a more adaptive and responsive intelligence function that evolves alongside the threat landscape.

Key Considerations in Phase 5 

Assessing Your Threat Intelligence Lifecycle in Practice

Understanding the threat intelligence lifecycle is one thing. Knowing how effectively it operates inside your organization today is another.

Most teams don’t struggle because they lack intelligence activities; they struggle because those activities aren’t consistently aligned, operationalized, or adapted as needs change. Requirements may be defined in one area, while collection, analysis, and dissemination evolve unevenly across teams like CTI, vulnerability management, fraud, or physical security.

To help organizations move from conceptual understanding to practical evaluation, Flashpoint developed the Threat Intelligence Capability Assessment.

The assessment maps directly to the lifecycle outlined above, evaluating how intelligence functions across five core dimensions:

• Requirements & Tasking – How clearly intelligence priorities are defined and tied to real business risk
• Collection & Discovery – Whether visibility is broad, deep, and adaptable as threats evolve
• Analysis & Prioritization – How effectively analysts connect signals, context, and impact
• Dissemination & Action – How intelligence reaches operations and decision-makers
• Feedback & Retasking – How frequently priorities are reviewed and adjusted

Based on responses, organizations are mapped to one of four stages—Developing, Maturing, Advanced, or Leader—reflecting how intelligence actually flows across the lifecycle today.

Teams can apply insights by function or workflow, using the results to identify where intelligence is working well, where friction exists, and where targeted changes will have the greatest impact. Each participant also receives a companion guide with practical guidance, including strategic priorities, immediate actions, and a 90-day planning framework to help translate lifecycle insight into execution.

Take the Threat Intelligence Capability Assessment to evaluate how your program aligns to the lifecycle and where to focus next.

See Flashpoint in Action

Flashpoint’s comprehensive threat intelligence platform supports intelligence teams across every phase of the threat intelligence lifecycle, from defining clear requirements and expanding visibility into relevant threat ecosystems, to analysis, prioritization, dissemination, and continuous retasking as conditions change.

Schedule a demo to see how Flashpoint delivers actionable intelligence, analyst expertise, and workflow-ready outputs that help teams identify, prioritize, and respond to threats with greater clarity and confidence—so intelligence doesn’t just inform awareness, but drives timely, measurable action across the organization.

Frequently Asked Questions (FAQs)

What are the five phases of the threat intelligence lifecycle?

The threat intelligence lifecycle consists of five repeatable phases that describe how intelligence moves from intent to action:

Requirements & Tasking, Collection & Discovery, Analysis & Prioritization, Dissemination & Action, and Feedback & Retasking.

Together, these phases ensure that intelligence is driven by real business needs, grounded in relevant visibility, enriched with context, delivered to decision-makers, and continuously refined as threats and priorities change.

Phase	Primary Objective
Requirements & Tasking	Defining intelligence priorities and tying them to real business risk
Collection & Discovery	Gathering data from relevant sources and expanding visibility as threats evolve
Analysis & Prioritization	Connecting signals, context, and impact to determine what matters most
Dissemination & Action	Delivering intelligence to operations and decision-makers in usable formats
Feedback & Retasking	Reviewing outcomes and adjusting priorities, sources, and focus over time

How do intelligence requirements guide security operations?

Intelligence requirements—often formalized as Priority Intelligence Requirements (PIRs)—define the specific questions intelligence teams must answer to support the business. They provide the north star for what to collect, analyze, and report on.

Clear requirements help teams:

• Focus: Reduce noise by prioritizing intelligence aligned to real risk
• Measure: Track whether intelligence outputs are driving decisions or action
• Align: Ensure security, fraud, physical security, and risk teams are working toward shared outcomes
  

Without clear requirements, intelligence efforts often default to reactive collection and generic reporting that struggle to deliver impact.

Why is the feedback phase of the intelligence lifecycle necessary for a proactive defense?

Feedback & Retasking turns the intelligence lifecycle from a linear process into a continuous improvement loop. It ensures intelligence stays aligned with changing threats, business priorities, and operational needs.

Through regular review and stakeholder input, teams can:

• Identify which intelligence outputs led to action and which did not
  
• Retire low-value sources or reporting formats
  
• Adjust requirements, collection, and analysis as new threats emerge

This phase is essential for moving from static reporting to intelligence-led operations, where priorities evolve in near real time and intelligence continuously improves its relevance and impact.

Blogs

Blog

The Top Threat Actor Groups Targeting the Financial Sector

In this post, we identify and analyze the top threat actors that have been actively targeting the financial sector between 2024 and 2026.

Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.

However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.

Why Finance?

The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.

These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.

Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.

The Threat Actors Targeting the Financial Sector

To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:

RansomHub

Despite being a relatively new Ransomware-as-a-Service (RaaS) group that emerged in February 2024, RansomHub quickly rose to prominence, becoming the second-most active ransomware group in 2024. Notably, they claimed 38 victims in the financial sector between April 2024 and April 2025. Their known TTPs include phishing and exploiting vulnerabilities. RansomHub is also known to heavily target the healthcare sector.

Akira

Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.

LockBit Ransomware

A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.

Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.

FIN7

This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.

Scattering Spider

Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.

Lazarus Group

This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.

Top Attack Vectors Facing the Financial Sector

Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:

Third-Party Compromise

Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.

Initial Access Brokers (IABs)

Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.

Insider Threat

Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.

Deepfake and Impersonation

The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.

Defend Against Financial Threats Using Flashpoint

The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.

Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.

Request a demo today.

Blogs

Blog

Insider Threats: Turning 2025 Intelligence into a 2026 Defense Strategy

In this post, we break down the 91,321 instances of insider activity observed by Flashpoint in 2025, examine the top five cases that defined the year, and provide the technical and behavioral red flags your team needs to monitor in 2026.

Every organization houses sensitive assets that threat actors actively seek. Whether it is proprietary trade secrets, intellectual property, or the personally identifiable information (PII) of employees and customers, these datasets are the lifeblood of the modern enterprise—and highly lucrative commodities within the illicit underground.

In 2025, Flashpoint observed 91,321 instances of insider recruiting, advertising, and threat actor discussions involving insider-related illicit activity. This underscores a critical reality—it is far more efficient for threat actors to recruit an “insider” to circumvent multi-million dollar security stacks than it is to develop a complex exploit from the outside. 

An insider threat, any individual with authorized access, possesses the unique ability to bypass traditional security gates. Whether driven by financial gain, ideological grievances, or simple human error, insiders can potentially compromise a system with a single keystroke. To protect our customers from this internal risk, Flashpoint monitors the illicit forums and marketplaces where these threats are being solicited. 

In this post, we unpack the evolving insider threat landscape and what it means for your security strategy in 2026. By analyzing the volume of recruitment activity and the specific industries being targeted, organizations can move from a reactive posture to a proactive defense.

By the Numbers: Mapping the 2025 Insider Threat Landscape

Last year, Flashpoint collected and researched:

• 91,321 posts of insider solicitation and service advertising
• 10,475 channels containing insider-related illicit activity
• 17,612 total authors

On average, 1,162 insider-related posts were published per month, with Telegram continuing to be one of the most prominent mediums for insiders and threat actors to identify and collaborate with each other. Analysts also identified instances of extortionist groups targeting employees at organizations to financially motivate them to become insiders.

Insider Threat Landscape by Industry

The telecommunications industry observed the most insider-related activity in 2025. This is due to the industry’s central role in identity verification and its status as the primary target for SIM swapping—a fraudulent technique where threat actors convince employees of a mobile carrier to link a victim’s phone number to a SIM card controlled by the attacker. This allows the threat actor to receive all the victim’s calls and texts, allowing them to bypass SMS-based two-factor authentication.

Flashpoint analysts identified 12,783 notable posts where the level of detail or the specific target was particularly concerning.

Top Industries for Insiders Advertising Services (Supply):

1. Telecom
2. Financial
3. Retail
4. Technology

Top Industries for Threat Actors Soliciting Access (Demand):

1. Technology
2. Financial
3. Telecom
4. Retail

6 Notable Insider Threat Cases of 2025

The following cases highlight the variety of ways insiders impacted enterprise systems this year, ranging from intentional fraud to massive technical oversights.

Type of Incident	Description
Malicious	Approximately nine employees accessed the personal information of over 94,000 individuals, making illegal purchases using changed food stamp cards.
Nonmalicious	An unprotected database belonging to a Chinese IoT firm leaked 2.7 billion records, exposing 1.17 TB of sensitive data and plaintext passwords.
Malicious	An insider at a well-known cybersecurity organization was terminated after sharing screenshots of internal dashboards with the Scattered Lapsus$ Hunters threat actor group.
Malicious	An employee working for a foreign military contractor was bribed to pass confidential information to threat actors.
Malicious	A third-party contractor for a cryptocurrency firm sold customer data to threat actors and recruited colleagues into the scheme, leading to the termination of 300 employees and the compromise of 69,000 customers.
Malicious	Two contractors accessed and deleted sensitive documents and dozens of databases belonging to the Internal Revenue Service and US General Services Administration.

Catching the Warning Signs Early

Potential insiders often display technical and nontechnical behavior before initiating illicit activity. Although these actions may not directly implicate an employee, they can be monitored, which may lead to inquiries or additional investigations to better understand whether the employee poses an elevated risk to the organization.

Flashpoint has identified the following nontechnical warning signs associated with insiders:

• Behavioral indicators: Observable actions that deviate from a known baseline of behaviors. These can be observed by coworkers or management or through technical indicators. Behavioral indicators can include increasingly impulsive or erratic behavior, noncompliance with rules and policies, social withdrawal, and communications with competitors.
• Financial changes: Significant and overlapping changes in financial standing—such as significant debt, financial troubles, or sudden unexplained financial gain—could indicate a potential insider threat. In the case of financial distress, an employee can sell their services to other threat actors via forums or chat services, thus creating additional funding streams while seeming benign within their organization.
• Abnormal access behavior: Resistance to oversight, unjustified requests for sensitive information beyond the employee’s role, or the employee being overprotective of their access privileges might indicate malicious intent.
• Separation on bad terms: Employees who leave an organization under unfavorable circumstances pose an increased insider threat risk, as they might want to seek revenge by exploiting whatever access they had or might still possess after leaving.
• Odd working hours: Actors may leverage atypical after-hours work to pursue insider threat activity, as there is less monitoring. By sticking to an atypical schedule, threat actors maintain a cover of standard work activity while pursuing illicit activity simultaneously.
• Unusual overseas travel: Unusual and undocumented overseas travel may indicate an employee’s potential recruitment by a foreign state or state-sponsored actor. Travel might be initiated to establish contact and pass sensitive information while avoiding raising suspicions in the recruit’s home country.

The following are technical warning signs:

• Unauthorized devices: Employees using unauthorized devices for work pose an insider threat, whether they have malicious intent or are simply putting themselves at higher risk of human error. Devices that are not controlled and monitored by the organization fall outside of its scope of operational security, while still carrying all of the sensitive data and configuration of the organization.
• Abnormal network traffic: An unusual increase in network traffic or unexplained traffic patterns associated with the employee’s device that differ from their normal network activity could indicate malicious intent. This includes network traffic employing unusual protocols, using uncommon ports, or an overall increase in after-hours network activity.
• Irregular access pattern: Employees accessing data outside the scope of their job function may be testing and mapping the limits of their access privileges to restricted areas of information as they evaluate their exfiltration capabilities for their planned illicit actions.
• Irregular or mass data download: Unexpected changes in an employee’s data handling practices, such as irregular large-scale downloads, unusual data encryption, or uncharacteristic or unauthorized data destinations, are significant indicators of an insider threat.

Insider Threats: What to Expect in 2026

As 2026 unfolds, insider threat actors will continue to be a major threat to organizations. Ransomware groups and initial access threat actors will continue recruiting interested insiders and exploiting human vulnerabilities through social engineering tactics. Following Telegram’s recent bans on many illicit groups and channels, Flashpoint assesses that threat actors are likely to migrate to different platforms, such as Signal, where encrypted chats make their activity harder to monitor.

As AI technologies continue to advance, organizations will be better equipped to identify and mitigate insider risks. At the same time, threat actors will likely increasingly abuse AI and other tools to access sensitive information. 
Is your organization equipped to spot the warning signs? Request a demo to learn more and to mitigate potential risk from within your organization.

Request a demo today.

Blogs

Blog

Why Effective CTEM Must be an Intelligence-Led Program

Continuous Threat Exposure Management (CTEM) is a continuous program and operational framework, not a single pre-boxed platform. Flashpoint believes that effective CTEM must be intelligence-led, using curated threat intelligence as the operational core to prioritize risk and turn exposure data into defensible decisions.

Continuous Threat Exposure Management (CTEM) is Not a Product

Since Gartner’s introduction of CTEM as a framework in 2022, cybersecurity vendors have engaged in a rapid “productization” race. This has led to inconsistent market definitions, with a variety of vendors from vulnerability scanners to Attack Surface Management (ASM) providers now claiming to be an “exposure management” solution.

The current approach to productizing CTEM is flawed. There is no such thing as a single “exposure management platform.” The enterprise reality is that most enterprises buy three or more products just to approximate what CTEM promises in theory. Even with these technologies, organizations still require heavy lifting with people, process, and custom integrations to actually make it work.

The Exposure Stack: When One Platform Becomes Three (or More)

A functional CTEM approach typically requires multiple platforms or tools, including: 

• Continuous Penetration/Exploitation Testing & Attack Path Analysis for continuous pentesting, attack path validation, and hands-on exposure validation.
• Vulnerability and Exposure Management for vulnerability scanning, exposure scoring, and asset risk views.
• Intelligence for deep, curated vulnerability, compromised credentials, card fraud, and other forms of intelligence that goes far beyond the scope of technology-based “management platforms”.

In some cases, organizations may also use an ASM vendor for shadow IT discovery, a CMDB for asset context, and ticketing integrations to drive remediation. This multi-platform model is the rule, not the exception. And that raises a hard truth: if you need three or more products, plus a dedicated team to implement CTEM, you need an intelligence-led CTEM program.

CTEM is an Operational Discipline, Not a Single Product

The narrative that CTEM can be packaged into a single product breaks down for three critical reasons:

1. CTEM is a Program, Not a Platform

You cannot buy a capability that requires full-stack asset visibility, contextualized threat actor data, real-world validation, and remediation orchestration from one tool. Each component spans a different domain of expertise and data. A vulnerability scanner, alone, cannot validate exploitability, a pentest service has a tough time scaling to daily monitoring, and generic threat intelligence feeds cannot provide critical business context.

However, CTEM requires orchestration of all these components in one operational loop. No single product delivers this comprehensively out of the box; this is why CTEM must be viewed as a continuous program, not a one-size-fits-all product.

2. Human Expertise is Irreplaceable

Vendors often advertise automation, however, key intelligence functions are still powered by and reliant on human analysis. Even with best-in-class AI tools in place, security teams are depending on human insights for:

• Triaging noisy CVE lists
• Cross-referencing exposure data with asset inventories
• Manually validating if risks are real
• Prioritizing based on threat intelligence and internal context
• Writing custom logic and integrations to bridge platforms together

In other words, exposure management today still relies on human insights and expertise. So while vendors advertise “automation and intelligence,” what they’re really delivering is a starting point. Ultimately, AI is a force multiplier for threat analysts, not a replacement.

3. Risk Without Intelligence Is Just Data

Most platforms treat exposure like a math problem. But real risk isn’t just CVSS (Common Vulnerability Scoring System) scores or asset counts, it requires answering critical, intelligence-based questions:

1. How likely is this vulnerability to be exploited, and what’s the impact if it is?
2. How likely is this misconfiguration to be exploited, and what is its impact?
3. How likely is this compromised credential to be used by a threat actor, and what is the potential impact?

These answers require intelligence, not just data. Best-in-class intelligence provides security teams with confirmed exploit activity in the wild, context around attacker usage in APT (Advanced Persistent Threat) campaigns, and detailed metadata for prioritization where CVSS fails. That is why Flashpoint intelligence is leveraged by over 800 organizations as the operational core of exposure management, turning exposure data into defensible decisions.

CTEM Productization vs. CTEM Reality

If your risk strategy requires continuous penetration and exploit testing, vulnerability management, threat intelligence, and manual prioritization and validation, you’re not buying CTEM; you’re building it. At Flashpoint, we’re helping organizations build CTEM the right way: driven by intelligence, and powered by integrations and AI.

The Intelligence-Led Future of Exposure Management

Flashpoint treats CTEM for what it really is, as a program that must be constructed intelligently, iteratively, and contextually.

That means:

• Using threat and vulnerability intelligence to drive what actually gets prioritized
• Treating scanners, ASM platforms, and pentesting as inputs, not outcomes
• Building processes where intelligence, context, and validation inform exposure decisions, not just ticket creation
• Investing in platform interconnectivity, not just feature checklists

Using Flashpoint’s intelligence collections, organizations can achieve intelligence-led exposure management, with threat and vulnerability intelligence working together to provide context and actionable insights in a continuous, prioritized loop. This empowers security teams to build and scale their own CTEM programs, which is the only realistic approach in a cybersecurity landscape where no single platform can do it all.

Achieve Elite Operation Control Over Your CTEM Program Using Flashpoint

If you’re evaluating exposure management tools, ask yourself:

• What happens when we find a critical vulnerability and how do we know it matters?
• Can this platform correlate attacker behavior with our asset landscape?
• Does it validate risk or just report it?
• How many other tools will we need to buy just to complete the picture?

The answers may surprise you. At Flashpoint, we’re helping organizations build CTEM the right way, driven by intelligence, powered by integration, and grounded in reality. Request a demo today and see how best-in-class intelligence is the key to achieving an effective CTEM program.

Request a demo today.

Blogs

Blog

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups

Ukrainian national indicted and rewards announced for co-conspirators relating to destructive cyberattacks worldwide.

Begin your free trial today.

Blogs

Blog

The Infostealer Gateway: Uncovering the Latest Methods in Defense Evasion

In this post, we analyze the evolving bypass tactics threat actors are using to neutralize traditional security perimeters and fuel the global surge in infostealer infections.

Infostealer-driven credential theft in 2025 has surged, with Flashpoint observing a staggering 800% increase since the start of the year. With over 1.8 billion corporate and personal accounts compromised, the threat landscape finds itself in a paradox: while technical defenses have never been more advanced, the human attack surface has never been more vulnerable.

Information-stealing malware has become the most scalable entry point for enterprise breaches, but to truly defend against them, organizations must look beyond the malware itself. As teams move into 2026 security planning, it is critical to understand the deceptive initial access vectors—the latest tactics Flashpoint is seeing in the wild—that threat actors are using to manipulate users and bypass modern security perimeters.

Here are the latest methods threat actors are leveraging to facilitate infections:

1. Neutralizing Mark of the Web (MotW) via Drag-and-Drop Lures

Mark of the Web (MotW) is a critical Windows defense feature that tags files downloaded from the internet as “untrusted” by adding a hidden NTFS Alternate Data Stream (ADS) to the file. This tag triggers “Protected View” in Microsoft Office programs and prompts Windows SmartScreen warnings when a user attempts to execute an unknown file.

Flashpoint has observed a new social engineering method to bypass these protections through a simple drag-and-drop lure. Instead of asking a user to open a suspicious attachment directly, which would trigger an immediate MotW warning, threat actors are instead instructing the victim to drag the malicious image or file from a document onto their desktop to view it. This manual interaction is highly effective for two reasons:

1. Contextual Evasion: By dragging the file out of the document and onto the desktop, the file is executed outside the scope of the Protected View sandbox.
2. Metadata Stripping: In many instances, the act of dragging and dropping an embedded object from a parent document can cause the operating system to treat the newly created file as a local creation, rather than an internet download. This effectively strips the MotW tag and allows malicious code to run without any security alerts.

2. Executing Payloads via Vulnerabilities and Trusted Processes

Flashpoint analysts uncovered an illicit thread detailing a proof of concept for a client-side remote code execution (RCE) in the Google Web Designer for Windows, which was first discovered by security researcher Bálint Magyar.

Google Web Designer is an application used for creating dynamic ads for the Google Ads platform. Leveraging this vulnerability, attackers would be able to perform remote code execution through an internal API using CSS injection by targeting a configuration file related to ads documents.

Within this thread, threat actors were specifically interested in the execution of the payload using the chrome.exe process. This is because using chrome.exe to fetch and execute a file is likely to bypass several security restrictions as Chrome is already a trusted process. By utilizing specific command-line arguments, such as the –headless flag, threat actors showed how to force a browser to initiate a remote connection in the background without spawning a visible window. This can be used in conjunction with other malicious scripts to silently download additional payloads onto a victim’s systems.

3. Targeting Alternative Softwares as a Path of Least Resistance

As widely-used software becomes more hardened and secure, threat actors are instead pivoting to targeting lesser-known alternatives. These tools often lack robust macro-protections. By targeting vulnerabilities in secondary PDF viewers or Office alternatives, attackers are seeking to trick users into making remote server connections that would otherwise be flagged as suspicious.

Understanding the Identity Attack Surface

Social engineering is one of the driving factors behind the infostealer lifecycle. Once an initial access vector is successful, the malware immediately begins harvesting the logs that fuel today’s identity-based digital attacks.

As detailed in The Proactive Defender’s Guide to Infostealers, the end goal is not just a password. Instead, attackers are prioritizing session cookies, which allow them to perform session hijacking. By importing these stolen cookies into anti-detect browsers, they bypass Multi-Factor Authentication and step directly into corporate environments, appearing as a legitimate, authenticated user.

Understanding how threat actors weaponize stolen data is the first step toward a proactive defense. For a deep dive into the most prolific stealer strains and strategies for managing the identity attack surface, download The Proactive Defender’s Guide to Infostealers today.

Request a demo today.

Blogs

Blog

Surfacing Threats Before They Scale: Why Primary Source Collection Changes Intelligence

This blog explores how Primary Source Collection (PSC) enables intelligence teams to surface emerging fraud and threat activity before it reaches scale.

Spend enough time investigating fraud and threat activity, and a familiar pattern emerges. Before a tactic shows up at scale—before credential stuffing floods login pages or counterfeit checks hit customers—there is almost always a quieter formation phase. Threat actors test ideas, trade techniques, and refine playbooks in small, often closed communities before launching coordinated campaigns.

The signals are there. The challenge is that most organizations never see them.

For years, intelligence programs have leaned heavily on static feeds: prepackaged streams of indicators, alerts, and reports delivered on a fixed cadence. These feeds validate what is already known, but they rarely surface what is still taking shape. They are designed to summarize activity after it has matured, not to discover it while it is still evolving.

Meanwhile, the real innovation in fraud and threat ecosystems happens elsewhere in invite-only Telegram channels, dark web marketplaces, and regional-language forums that update in real time. By the time a static feed flags a new technique, it is often already widespread.

This disconnect has consequences. When intelligence arrives too late, teams are left responding to impact rather than shaping outcomes.

How Threats Actually Evolve

Fraudsters and threat actors do not work in isolation, they collaborate. In closed forums and encrypted channels, one actor experiments with a new login bypass, another tests two-factor authentication evasion, and a third packages those ideas into a tool or service. What begins as a handful of screenshots or code snippets quickly becomes a repeatable process.

These shared processes often take the form of playbooks that act as step-by-step guides that document how to execute a fraud scheme or exploit a weakness. Once a playbook begins circulating, scale is inevitable. Techniques that started as limited tests turn into thousands of coordinated attempts almost overnight.

Every intelligence or fraud analyst has experienced the moment when an unfamiliar tactic suddenly overwhelms detection systems. The frustrating reality is that the warning signs were often visible weeks earlier, they simply never made it into the static feeds teams were relying on.

Why Static Collection Falls Short

Static collection creates a sense of coverage, but that coverage is often shallow. Sources are fixed. Cadence is slow. Context is stripped away.

A feed might tell you that a domain, handle, or email address is associated with a known tactic, but not how that tactic was developed, who is promoting it, or whether it has any relevance to your organization’s specific exposure. You are seeing the exhaust, not the engine.

This lag matters. The window between a tactic being tested in a small community and being deployed at scale is often the most valuable moment for intervention. Miss that window, and response becomes exponentially more expensive.

As threats accelerate and collaboration among adversaries increases, intelligence programs that depend solely on static inputs struggle to keep pace.

A Different Model: Primary Source Collection

Primary Source Collection (PSC) changes how intelligence is gathered by starting with the questions that matter most and collecting directly from the original environments where those answers exist.

Gain the Threat Intelligence Advantage with Primary Source Collection

Rather than relying on a predefined list of sources or vendor-determined priorities, PSC begins with a defined intelligence requirement. Collection is then shaped around that requirement, directing analysts to the forums, marketplaces, and channels where relevant activity is actively unfolding.

This means monitoring closed communities advertising check alteration services. It means observing invite-only groups trading identity fraud tutorials. It means collecting original posts, screenshots, files, and discussions while they are still part of an active conversation instead of weeks later in summarized form. When actors begin discussing a new bypass technique or sharing proof-of-concept screenshots, that is the moment to act, not weeks later when the same method is being resold across marketplaces.

Primary Source Collection provides that window. It surfaces the conversations, artifacts, and early indicators that reveal what is coming next and gives teams the time they need to intervene before campaigns scale.

This does not replace analytics, automation, or baseline monitoring. It strengthens them by feeding earlier, richer insight into downstream systems. It ensures that detection and response are informed by how threats are actually developing, not just how they appear after the fact.

In one case, a financial institution using this approach identified counterfeit checks featuring its brand being advertised in underground marketplaces weeks before customers began reporting losses. By collecting directly from those spaces, analysts flagged the images, traced sellers, and alerted internal teams early enough to prevent further exploitation.

That is what early warning looks like when collection is aligned with purpose.

Making Intelligence Taskable

One of the most important shifts enabled by Primary Source Collection is tasking.

Traditional intelligence programs operate like autopilot. They deliver a steady stream of data, but that stream reflects the provider’s priorities rather than the organization’s evolving needs. Analysts spend valuable time triaging irrelevant information while emerging risks go unnoticed.

In classified intelligence environments, this problem has long been addressed through tasking. Every collection effort begins with a clearly defined requirement and priorities drive collection, not the other way around.

PSC applies that same discipline to open-source and commercial intelligence. Teams define Priority Intelligence Requirements (PIRs), such as identifying actors testing bypass methods for specific login flows, and immediately direct collection toward those needs. As priorities change, tasking changes with them.

This transforms intelligence from a passive stream into an operational capability. Analysts are no longer waiting for someone else’s update cycle. They are shaping visibility in real time, testing hypotheses, validating concerns, and uncovering tactics before they mature.

For leadership, this provides something more valuable than indicators: confidence that critical developments are not happening just out of sight.

How Taskable Collection Works in Practice

A taskable Primary Source Collection framework is dynamic by design. As stakeholder priorities shift due to a new campaign, incident, or geopolitical development, collection pivots immediately.

In practice, this approach includes:

• Source discovery: Identifying new, relevant sources as they emerge, using a combination of analyst expertise and automated tooling.
• Secure access: Entering closed or restricted spaces safely and ethically through controlled environments and vetted identities.
• Direct collection: Capturing original content directly from threat actor environments, including posts, images, and files.
• Processing and enrichment: Applying techniques such as optical character recognition, entity extraction, and metadata tagging to transform raw material into usable intelligence.
• Delivery and collaboration: Routing outputs into investigative workflows or directly to stakeholders to accelerate response.

Intelligence can then mirror the agility of modern threats instead of lagging behind them.

Why This Shift Matters Now

Threat and fraud operations are moving faster than ever. Barriers to entry are lower. Tooling is more accessible. Collaboration rivals legitimate software development cycles.

Defenders cannot afford to move slower than the adversaries they are trying to stop.

Primary Source Collection is how intelligence teams keep pace. It aligns collection with mission needs, enables real-time tasking, and delivers insight early enough to change outcomes instead of just documenting them.

The signals have always been there. What has changed is the ability to surface them while they still matter.

See Primary Source Collection in Action

Flashpoint supports intelligence teams across fraud, cyber, and executive protection with taskable, primary source intelligence. Request a walkthrough to see how PSC enables earlier, more confident decision-making.

Request a demo today.

Blogs

Blog

The CTI Analyst’s Isolated Arsenal: Desktop Tools for High-Risk Intelligence

This blog explores how CTI teams safely analyze high-risk environments, engage with threat actors, and process sensitive data using Flashpoint Managed Attribution.

Cyber Threat Intelligence (CTI) analysts routinely operate in high-risk digital spaces where threat actors operate, such as Dark Web forums, encrypted chat rooms, and sites hosting massive breached datasets. Engaging with this data requires absolute confidence that your operational security (OPSEC) is up-to-date.

OPSEC failures can have significant consequences. A single attribution error or host-machine exposure can put both the analyst at risk, and compromise the organization’s security posture. To ensure your organization’s CTI activities remain anonymous, secure, and effective, this post focuses on two essentials: 

• The types of desktop applications and tools that must run in a secure, isolated environment
• How Flashpoint Managed Attribution (MA) provides the operational foundation for safe CTI workflows.

OPSEC & Access

Successful execution of CTI operations hinges on establishing a complete shield between the analyst and the target environment. These tools form the base layer for secure and anonymous activity, ensuring that an analyst’s real identity and location are never exposed.

Tool Category	Tool/Type	Use Case
Network Anonymity	VPN Clients	IP Masking & Geo-Shifting: Adding a layer of IP obfuscation, especially when accessing geo-restricted content or high-risk sites (often used before Tor for added protection).
Secure Communication	Telegram, Session, Tox, Pidgin (with OTR/OMEMO)	Threat Actor Engagements: Contacting a threat actor (TA) about a posted dataset, discussing access, or validating a claimed compromise.
Network Utility	Torsocks / Proxychains	Script Anonymization: Forcing data collection scripts (Python, Go, etc.) to use an anonymized network when scraping or downloading data.

Operational Case Study: Secure Threat Actor Engagement with Telegram and Flashpoint Managed Attribution

When communicating anonymously with a threat actor, the Flashpoint Managed Attribution workflow provides the following key advantages for CTI teams:

• Identity Protection: Creates a secure, isolated virtual machine with robust anonymization (VPN, Tor, rotating IPs) to protect the analyst’s identity. The analyst sets up messaging clients like Telegram within this secure environment, making it impossible for the threat actor to trace their real IP or location.
• Continuous OPSEC: Continuously masks the operational footprint with constantly changing and untraceable IP addresses, ensuring all communication is routed through multiple layers of anonymity.
• Host Machine Isolation & Secure Logging: All information exchanged is handled within this isolated environment to prevent malicious files from affecting the analyst’s host machine, while all communications are securely logged for later analysis.

Data Processing & Automation

CTI analysts routinely process massive log files and breach dumps that are unstable, unvalidated, or potentially malicious. By deploying essential data processing and automation tools within an isolated environment like Flashpoint Managed Attribution, you ensure this high-risk content never compromises the analyst’s host machine.

Tool Category	Tool/Type	Use Case
Scripting & Automation	Python, Golang, Bash/PowerShell	Breach Data Analysis: Creating custom scraping and parsing scripts to download and search breached datasets (often multi-terabyte files) from ransomware or other leak sites.
Command-Line Tools	grep, awk, sed, curl, wget	Assess Exposure: Quickly search for company-specific keywords, employee names, or technical indicators across massive, potentially compromised datasets.
Data Encoding/Decoding	CyberChef (Desktop/Local Instance)	Indicator of Compromise (IOC) Transformation: Decoding obfuscated strings, converting data formats, or analyzing potentially malicious content without sending it to an external server.

Operational Case Study: Automating Breach Data Analysis with Python and Flashpoint Managed Attribution

Within a Flashpoint Managed Attribution workspace, a CTI analyst deploys a Python script. The anonymized MA environment ensures:

• This script crawls and downloads data through an untraceable, constantly changing IP network, performing on-the-fly parsing and storing extracted intelligence in an encrypted database. 
• Data ingestion and analysis is executed securely, leaving no trace of the analyst’s activity.

Open Source Intelligence (OSINT) & Analysis

The below applications help analysts connect the dots between various pieces of intelligence but often require handling data from unverified or hostile sources, necessitating strict isolation.

Tool Category	Tool/Type	Use Case
Research	Tor Browser	Dark Web Collection: Accessing closed forums, markets, and hosting sites for intelligence gathering and monitoring.
Link Analysis	Maltego	Mapping Threat Actors: Identifying the infrastructure, affiliates, and complex relationships of a cybercrime group under investigation.
Evidence Preservation	Hunch.ly	Chain of Custody: Securely capturing and preserving online evidence (e.g., from a hacktivist blog or a ransomware leak page) before it is taken down.
Metadata Analysis	ExifTool (Desktop Client)	Source Attribution: Analyzing a file downloaded from a threat actor site to extract potential clues like hidden usernames, internal network paths, or original creation dates.

Operational Case Study: Analyzing a Ransomware Leak Page with Hunch.ly

When a new ransomware group emerges, a CTI analyst uses tools like Hunch.ly to safely collect evidence from leak sites. Hunch.ly captures all data, timestamps it, and creates a cryptographic hash to ensure integrity. Using tools like Hunch.ly inside of a secure virtual machine like Flashpoint Managed Attribution ensures the analyst’s anonymity, enabling thorough analysis without risking the analyst’s system or identity.

Unlock Maximum Tool Utility with Flashpoint Managed Attribution

Ultimately, while these desktop tools are indispensable for CTI analysts operating in high-risk environments, their effective and secure deployment hinges on a robust underlying platform. This is where Flashpoint Managed Attribution becomes an invaluable asset. By providing a secure, anonymous workspace, Flashpoint Managed Attribution allows analysts to leverage these powerful tools, from network anonymizers and secure communication channels to advanced OSINT and data processing applications within an environment specifically built for operational security. 

Request a demo today to ensure that gathered critical intelligence remains untraceable to your organization or analysts.

Request a demo today.

Blogs

Blog

Beyond the Malware: Inside the Digital Empire of a North Korean Threat Actor

In this post Flashpoint reveals how an infostealer infection on a North Korean threat actor’s machine exposed their digital operational security failures and reliance on AI. Leveraging Flashpoint intelligence, we pivot from a single persona to a network of fake identities and companies targeting the Web3 and crypto industry.

Last week, Hudson Rock published a blog on “Trevor Greer,” a persona tied to a North Korean IT Worker. Flashpoint shared additional insights with our clients back in July, and we’re now making those findings public.

Trevor Greer, a North Korean operative, was identified via an infostealer infection on their own machine. Information-stealing malware, also known as Infostealers or stealers, are malware designed to scrape passwords and cookies from unsuspecting victims. Stealers (like LummaC2 or RedLine) are typically used by cybercriminals to steal login credentials from everyday users to sell on the Dark Web. It is rare to see them infect the machines of a state-sponsored advanced persistent threat group (APT).

However, when adversaries unknowingly infect themselves, they can expose valuable insights into the inner workings of their campaigns. Leveraging Flashpoint intelligence sourced from the leaked logs of “Trevor Greer,” our analysts uncovered a myriad of fake identities and companies used by DPRK APTs.

Finding Trevor Greer

Flashpoint analysts have been tracking the Trevor Greer email address since December 2024 in relation to the “Contagious Interview” campaign, in which threat actors operated as LinkedIn recruiters to target Web3 developers, resulting in the deployment of multiple stealers compromising developer Web3 wallets. Flashpoint also identified the specific persona’s involvement in a campaign in which North Korean threat actors posed as IT freelance workers and applied for jobs at legitimate companies before compromising the organizations internally.

ByBit Compromise

The ByBit compromise in late February 2025 further fueled Flashpoint’s investigations into the Trevor Greer email address. Bybit, a cryptocurrency exchange, suffered a critical incident resulting in North Korean actors extorting US $1.5 billion worth of cryptocurrency. In the aftermath, Silent Push researchers identified the persona “Trevor Greer” associated with the email address trevorgreer9312@gmail[.]com, which registered the domain “Bybit-assessment[.]com” prior to the Bybit compromise.

A later report claimed that the domain “getstockprice[.]com” was involved in the compromise. Despite these domain discrepancies, both investigations attributed the attack to North Korean advanced persistent threat (APT) nexus groups.

Tracing the Infection

Using Flashpoint’s vast intelligence collections, we performed a full investigation of compromised virtual private servers (VPS), revealing the actor’s potential involvement in several other operations, including remote IT work, several self-made blockchain and cryptocurrency exchange companies, and a potential crypto scam dating back to 2022.

Flashpoint analysts also discovered that the Trevor Greer email address was linked to domains infected with information-stealing malware.

What the Logs Revealed

Analysts extracted information about the associated infected host from Trevor Greer, revealing possible tradecraft and tools used. Analysts further identified specific indicators of compromise (IOCs) used in the campaigns mentioned above, as well as email addresses used by the actor for remote work.

The data painted a vivid picture of how these threat actors operate:

Preparation for “Contagious Interviews”

The browser history revealed the actor logging into Willo, a legitimate video interview platform. This suggests the actor was conducting reconnaissance to clone the site for the “Contagious Interview” campaign, where they lured Web3 developers into fake job interviews to deploy malware.

Reliance on AI Tools

The logs exposed the actor’s reliance on AI to bridge the language gap. The operator frequently accessed ChatGPT and Quillbot, likely using them to write convincing emails, build resumes, and generate code for their malware.

Pivoting: One Node to a Network

By analyzing the “Trevor Greer” logs, we were able to pivot to other personas and campaigns involved in the operation.

• Fake Employment: The logs contained credentials for freelance platforms, such as Upwork and Freelancer, associated with other aliases, including “Kenneth Debolt” and “Fabian Klein.” This confirmed the actor was part of a broader scheme to infiltrate Western companies as remote IT workers.
• Fake Companies: The data linked the actor to fake corporate entities, such as Block Bounce (blockbounce[.]xyz), a sham crypto trading firm set up to appear legitimate to potential victims. 
• Developer Personas: The infection data linked the actor to the GitHub account svillalobosdev, which had been active in open source projects to build credibility before the attack.
• Legitimate Platforms & Tools: Analysts observed the actor using job boards such as Dice and HRapply[.]com, freelance platforms such as Upwork and Freelancer, and direct applications through company Workday sites. To improve their resume, the actor used resumeworded[.]com or cakeresume[.]com. For conversing, the threat actor likely relies on a mix of both GPT and Quilbot, as found in infected host logins, to ensure they sound human. During interviews, analysts determined that they potentially used Speechify. 
• Deep & Dark Web Resources: The actor also likely purchased Social Security numbers (SSNs) from SSNDOB24[.]com, a site for acquiring Social Security data.

Disrupt Threat Actors Using Flashpoint

The “Trevor Greer” case study illustrates a critical shift in modern threat intelligence. We are no longer limited to analyzing the malware adversaries deploy; sometimes, we can analyze the adversaries themselves.

Using their own tools against them, Flashpoint transformed a faceless state-sponsored entity into a tangible user with bad habits, sloppy OPSEC, and a trail of digital breadcrumbs. Behind every sophisticated APT campaign is a human operator, and sometimes, they click the wrong link too. 

Request a demo today to delve deeper into the tactics, techniques, and procedures of advanced persistent threats and learn how Flashpoint’s intelligence strengthens your defenses.

Request a demo today.

Blogs

Blog

From Endpoint Compromise to Enterprise Breach: Mapping the Infostealer Attack Chain

In Flashpoint’s latest webinar, we map the global infostealer attack chain step-by-step, from initial infection to enterprise-level account takeover. We analyze how the commodification of stolen identities works and demonstrate how Flashpoint intelligence provides the critical visibility necessary to disrupt this cycle.

Compromised digital identities have become one of the most valuable currencies in the cybercriminal ecosystem. The rise of information-stealing malware has created an industrial-scale supply chain for stolen credentials, session cookies, and browser fingerprints, directly fueling account takeover (ATO) campaigns that penetrate even the most mature security environments.

Flashpoint recently hosted an on-demand webinar, “From Compromise to Breach: How Infostealers Power Identity Attacks,” where our experts dissected this developing threat landscape. We exposed the exact sequence of events, providing defenders with the actionable intelligence required to disrupt the chain at multiple points. For the full technical breakdown, check out the full on-demand webinar. 

Here are the main key takeaways you need to know:

Stage 1: Initial Infection and Data Harvest (The Compromise)

A full scale compromise often begins with a single event, typically a phishing lure, a malicious download, or a compromised cracked software installer. Once executed, the infostealer goes to work, quickly and stealthily, to build a “log” that grants post-MFA (multi-factor authentication) access.

Scouring now-compromised endpoints, the stealer searches for and compiles data such as:

• Credentials: Saved logins, credit card details, and passwords for applications and websites.
• Session Cookies/Tokens: These are the keys that allow an attacker to bypass login prompts entirely, appearing as an already-authenticated user.
• Browser Fingerprints and System Metadata: Geolocation, IP address, and system language used to evade security tools by accurately mimicking the victim’s legitimate environment.

Stage 2: Commodification and the ATO Supply Chain (The Market)

Once a log is harvested, it enters the Infostealer-as-a-Service ecosystem, a critical industrialized stage of the attack chain. Here, threat actors can rent or purchase access to millions of fresh logs, effectively outsourcing the initial compromise phase and enabling mass identity exploitation for a minimal investment.

Check out the on-demand webinar for a full technical breakdown of this dark web economy and how the commodification of stealer logs drastically reduces the barrier to entry for follow-on attacks.

Stage 3: Post-MFA Account Takeover (The Breach)

This is the ultimate pivot point, where a simple endpoint infection escalates into an enterprise breach. Unlike the brute-forcing and phishing attacks of the past, attackers leverage the stolen session tokens and browser fingerprints.

Stolen log buyers leverage obfuscation tools such as anti-detect browsers. These tools ensure the attacker can seamlessly utilize the stolen cookies and digital fingerprints to appear identical to the original victim. 

They inject valid, unexpired session tokens into their browser, which allows attackers to hijack the victim’s active session. This allows them to avoid fraud and anomaly detection systems, providing them access into corporate VPNs, cloud environments, and internal applications without ever needing to see a login prompt. From here, attackers can move laterally, exfiltrate sensitive data, or deploy ransomware.

Disrupting the Attack Chain Using Flashpoint’s Actionable Intelligence

Defense against this threat requires not only an understanding of the attack chain, but also comprehensive Cyber Threat Intelligence (CTI) to identify and mitigate risks at every stage:

Disruption Point in the Attack Chain	How Flashpoint Empowers Proactive Defense
Stage 1: Initial Infection/Log Creation	Gain immediate alerting on the sale of your organization’s compromised assets on the Dark Web before attackers can leverage stolen data.
Stage 2: Commodification/ATO Setup	Expose the illicit platforms and forums where threat actors discuss, buy, and sell stolen logs, allowing you to track the tooling and TTPs.
Stage 3: Post-MFA ATO/Breach	Identify and remediate the vulnerabilities within browsers or enterprise software that are most actively being targeted by infostealers.

The speed of infostealer-powered attacks demands an intelligence-driven response. Our recent webinar demonstrated how Flashpoint intelligence can empower your security teams to quickly identify and validate stolen logs, protecting your organization from compromise to breach. Watch the on-demand webinar to learn more, or request a demo today.

The Proactive Defender’s Guide to Infostealers

Request a demo today.

Blogs

Blog

Digital Supply Chain Risk: Critical Vulnerability Affecting React Allows for Unauthorized Remote Code Execution

CVE-2025-55182 (VulnDB ID: 428930), is a severe, unauthenticated RCE impacting a major component of React and its ecosystem, putting global applications at immediate, high-fidelity risk.

The React team disclosed a critical vulnerability impacting three products in the React Server Components (RSC) that allows for unauthenticated remote code execution. 

Flashpoint’s vulnerability research team assesses significant enterprise and supply chain risk given React’s ubiquity: the impacted JavaScript library underpins modern UIs, with 168,640 dependents and more than 51 million weekly downloads.

How CVE-2025-55182 Works

CVE-2025-55182 (VulnDB ID: 428930) impacts all React versions since 19.0.0, meaning that this issue has been potentially exploitable since November 14, 2024. This vulnerability stems from how React handles payloads sent to React Server Function endpoints and deserializes them.

Depending on the implementation of this library, a remote, unauthenticated threat actor could send a crafted payload that would be deserialized in a way that causes remote code execution. This would lead to a total compromise of the system hosting the application, allowing for malware such as infostealers, ransomware, or cryptojackers (cryptocurrency mining) to be downloaded.

A working exploit for CVE-2025-55182 has already been published that is effective against some installations. In addition, Amazon has reported that two threat actors, attributed to Chinese Advanced Persistent Threat Groups (APTs), have begun to exploit this vulnerability. Those groups are:

• Earth Lamia (STAC6451, REF0657, CL-STA-0048)
• Jackpot Panda (iSoon, DRAGNET PANDA, Anxun Information, deepclif, Poison Carp, Houndstooth Typhoon)

Understanding the Impact and Scope of CVE-2025-55182

It is critical that security teams fully understand the potential downstream scope and impact so that they can fully focus on mitigation, rather than time-consuming research. While the vendor has provided a full disclosure, there are several important caveats to understand about CVE-2025-55182:

1. Applications not implementing any React Server Function endpoints may still be vulnerable as long as it supports React Server Components.
2. If an application’s React code does not use a server, it is not affected by this vulnerability.
3. Applications that do not use a framework, bundler, or bundler plugins that support React Server Components are unaffected by this vulnerability.

Additionally, several React frameworks and bundlers have been discovered to leverage vulnerable React packages in various ways. The following frameworks and bundlers are known to be affected:

• next
• react-router
• waku
• @parcel/rsc
• @vitejs/plugin-rsc
• rwsdk

NPMJS.com currently shows that the react-dom package, which is effectively part of React, has 168,640 dependents. This means that an incredible number of enterprise applications are likely to be affected. Nearly every commercial application is built on hundreds, sometimes thousands of components and dependencies. Furthermore, applications coded via Vibe and similar technology are also likely to leverage React: potentially amplifying the downstream risk this vulnerability poses.

How to Mitigate CVE-2025-55182

For mitigation, the React library has released versions 19.0.1, 19.1.2, and 19.2.1 that resolve the issue. Flashpoint advises organizations to upgrade their respective libraries urgently. Security teams leveraging dynamic SBOMs (Software Bill of Materials) can drastically increase risk mapping and triage for deployed React versions.

CloudFlare has upgraded their web-application firewall (WAF) to protect against CVE-2025-55182. It is available for both free and paid plans but requires that React application traffic is proxied through the CloudFlare WAF.

To avoid confusion, security teams should ignore CVE-2025-66478. It has been rejected for being a duplicate of the preferred CVE-2025-55182.

Mitigate Critical Vulnerabilities Using Flashpoint

Flashpoint strongly recommends security teams treat this vulnerability with utmost urgency. Our vulnerability research team will continue to monitor this vulnerability and its downstream impacts. All updates will be provided via Flashpoint’s VulnDB. 

Request a demo today and gain access to quality vulnerability intelligence that helps address critical threats in a timely manner.

Request a demo today.

Blogs

Blog

Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape

Flashpoint’s forward-looking threat insights for security and executive teams, provides the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.

As the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.

Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.

Prediction 1: Agentic AI Threats Will Weaponize Autonomy, Forcing a New Defensive Standard

2026 will see continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illegal AI. 

As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.

These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:

1. Agentic AI is becoming the true flashpoint: Threat actors will be using agentic systems to automate reconnaissance, generate synthetic identities, and iterate on fraud playbooks in near real-time. In this SaaS ecosystem, AI will help attackers leverage subscription tiers and customer feedback loops at scale.
2. The attack surface will shift to focus on AI Integrations: Organizations are increasingly plugging LLMs into live data streams, internal tools, identity systems, and autonomous agents. This practice often lacks the same security vetting, access controls, and monitoring applied to other enterprise systems. As such, attackers will heavily target these integrations, such as APIs, plugins, and system connections, rather than the models themselves.

“The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.

This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.”

Josh Lefkowitz, CEO at Flashpoint

These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to shift to deploying systems around AI rather than trust them on their own.

Prediction 2: Identity Compromise via Infostealers Will Become the Foundation of Every Attack

Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that comes after a cyberattack. This shift is already in motion and is accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. However, 2026 will redefine the malware’s role, making its most valuable output being access, rather than disruption.

Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.

This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:

• Autofill PII (personable identifiable information)
• Saved addresses
• Phone numbers
• Internal URLs
• Browsing history
• Cloud app tokens

An organization’s attack surface is no longer just composed of their own networks. It is the entire digital identity of their employees and partners. This new reality requires security teams to take a new approach. Instead of attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.

“The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.”

Ian Gray, Vice President of Intelligence at Flashpoint

Prediction 3: CVE Volatility Will Force Redundancy in Vulnerability Intelligence

The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.

In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.

The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should be focused on providing insights that can be used to take action such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.

Prediction 4: Executive Protection Will Remain a Critical Challenge as Cyber-Physical Threats Converge

The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.

In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals.
Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.

Prediction 5: Extortion Shifts to Identity-Based Supply Chain Risk

2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.

Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showcasing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in place of data access.

As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of attempting to spend resources on breaking network perimeters, attackers will instead socially engineer employees to gain access to corporate systems at scale. This change in TTPs will undoubtedly greatly increase supply chain risk, especially for third parties.

Charting a Path Through an Evolving Threat Landscape with Flashpoint Intelligence

These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.

As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.

Request a demo.

Blogs

Blog

Beyond Hamas: Militant and Terrorist Groups Involved in the October 7 Attack on Israel

Examining current and potential involvement of militant terrorist groups in the Israel-Hamas conflict, beginning with the October 7 attacks

October 7: Hamas attacks Israel

In the midst of the Israel-Hamas War, which erupted with a surprising and devastating attack on October 7, 2023 that resulted in the deaths of more than 1,300 Israelis, it is becoming increasingly apparent that the dynamics of this complex conflict extend beyond the actions of Hamas alone. While Hamas took the lead in launching the initial assault, there is evidence, outlined in this article, that numerous other militant and terrorist groups worked in concert with Hamas, which continues to shape the trajectory of the ongoing conflict.

Based on frontline reportage, open-source intelligence, including social media and message platforms, and Flashpoint collections surrounding the events on October 7, we explore the roles and actions of additional militant and terrorist factions, shedding light on their collective impact in the evolving Israel-Hamas War. 

We will update this article as the situation in Israel, Gaza, and the Middle East develops.

Militant and Terrorist Groups Involved in October 7 Attack on Israel

Izz al-Din al-Qassam Brigades (كتائب الشهيد عز الدين القسام)

Operation Al-Aqsa Tufan (Flood) involved coordinated attacks from the Gaza Strip into bordering areas in Israel on October 7, coinciding with a major Jewish holiday and marking the beginning of the 2023 Israel–Hamas war. The attack included a rocket barrage of thousands of missiles, vehicle-transported incursions into Israeli territory, kidnappings, including at a music festival, and significant civilian casualties. It has been described as one of the bloodiest days in Israel’s history and the deadliest for Jews since the Holocaust. Founded in the late 1980s, Izz al-Din al-Qassam Brigades is the militant wing of the terrorist organization Hamas. It has been designated as a terrorist organization by several countries, including the United States, Israel, and the European Union. 

The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

Palestinian Islamic Jihad (الجهاد الإسلامي الفلسطيني)

As we previously reported, Hamas and PIJ communicate often with followers via Telegram. On the day after the October 7 attacks, PIJ, in one of its main channels, posted that “the elite of Al-Quds Brigades is entering the border to support al-Qassam Brigades fighters (Hamas) and supply them with weapons.” It has also been reported that PIJ took part in the October 7 attacks alongside Hamas.

On October 17, a rocket hit the Al Ahli Arab Hospital in Gaza, killing hundreds of Palestinian civilians. In a statement, Israeli Defense Forces said that “[Palestinian] Islamic Jihad is responsible for the failed rocket launch which hit the hospital in Gaza.” PIJ has denied the allegation in a statement, reportedly calling it “false and baseless.”

Palestinian Islamic Jihad (PIJ) is a Palestinian terrorist organization that is designated by several countries, including the United States, Israel, and the European Union. It was founded in the late 1970s with the goal of establishing an Islamic Palestinian state and has carried out attacks against Israel.

Al-Aqsa Martyrs Brigade (كتائب شهداء الأقصى)

The Al-Aqsa Martyrs Brigade is a Palestinian militant organization affiliated with Fatah, a major Palestinian political party, that has carried out attacks and other activities against Israel. One of the key players in Palestinian politics today, Al-Aqsa Martyrs brigade was founded in the late 1950s and has historically been associated with the Palestine Liberation Organization (PLO). The group was designated a Foreign Terrorist Organization by the US Department of State in 2002.

Above: Screengrab from October 7 showing a video of a man wearing a headband with the Al-Aqsa Martyrs Brigade emblem. The video, posted in an official Al-Aqsa Martys Brigade Telegram channel, shows the man speaking alongside a gravely injured Israeli soldier. The message hashtag translates to “#Scenes_of_enemy_soldiers_capture” (Image: Flashpoint)

Democratic Front for the Liberation of Palestine (الجبهة الديمقراطية لتحرير فلسطين)

The Democratic Front for the Liberation of Palestine (DFLP) is a Palestinian political and militant organization founded in 1969, known for its left-wing and Marxist ideologies. It has historically aimed for the liberation of Palestine and the establishment of an independent Palestinian state through both militaristic and political means. While a member of the Palestine Liberation Organization (PLO), it has not been as prominent as other Palestinian factions like Fatah or Hamas in recent years.

Above: Pictures posted by an official Democratic Front for the Liberation of Palestine showing armed militants reportedly inside Israeli territory on October 7. (Image: Flashpoint)

Palestinian Mujahideen Movement (حركة المجاهدين الفلسطينيين)

The Palestinian Mujahideen Movement is a Palestinian militant organization that emerged in the early 1970s with the goal of resisting Israeli occupation and achieving Palestinian self-determination through various armed activities and operations against Israeli forces. However, it is not as widely recognized or prominent as Palestinian terrorist groups like Hamas or the Palestinian Islamic Jihad (PIJ).

Above: Screengrab of an official Palestinian Mujahideen Movement channel showing an image of Dr. Asaad Abu Sharia, the General of the Palestinian Mujahideen Movement, congratulating the “heroes…who stormed the positions and settlements of [Israel].”

We have shared this Telegram message in lieu of the many messages shared in the same channel the day prior, October 7, that showed graphically violent images of what appears to be soldiers in IDF uniforms. (Image: Flashpoint)

Popular Resistance Committees (لجان المقاومة الشعبية)

The Popular Resistance Committees (PRC), whose military wing is referred to as Al-Nasser Salah al-Deen Brigades (ألوية الناصر صلاح الدين), are a coalition of various Palestinian factions and armed groups in the Gaza Strip. They were formed in the early 2000s during the Second Intifada, a period of intense Palestinian-Israeli conflict. The PRC includes members from different political and militant backgrounds and has carried out attacks against Israel. While not as prominent as terrorist organizations like Hamas or the Palestinian Islamic Jihad (PIJ), the PRC has played a role in the ongoing Israeli-Palestinian conflict, as evidenced by the events of October 7, 2023.

Above: Screengrab of communications within the official Al-Nasser Salah al-Din Brigades Telegram channel from October 7, alongside photos of allegedly confiscated military equipment and IDs belonging to captured Israeli soldiers. (Image: Flashpoint)

Those who could join the fight

Lebanese Hezbollah (حزب الله اللبناني)

Though not directly involved in the October 7 attacks, Lebanese Hezbollah and Israel have exchanged assaults in connection with the ongoing Israel-Hamas War since October 8.

The Israel-Hamas War: Insights Through an Intelligence Lens

Also known as Hezbollah, Lebanese Hezbollah is a Shiite Islamist political and militant organization based in Lebanon. It was founded in the early 1980s with support from Iran, following the Israeli invasion of Lebanon. Hezbollah’s primary goal is to resist Israel and promote Shiite interests in Lebanon and the wider region. The group was designated a Foreign Terrorist Organization by the US Department of State in 1997, the same year as Hamas and PIJ.

Lions’ Den (عرين الأسود)

Saraya al-Quds Military spokesman Abu Hamza has called for Lions’ Den and Jenin Brigade, another Palestinian militant group, to join the fight.

The Lions’ Den is a Palestinian militant group in the Israeli-occupied West Bank, formed in August 2022. Comprising members from various Palestinian militant and terrorist organizations, including Hamas and Palestinian Islamic Jihad, along with disaffected Fatah members, it resonates with some young Palestinians frustrated by the Israeli occupation, settlements, settler violence, and the perceived ineffectiveness of the Palestinian Authority. They have engaged in various West Bank attacks, funded in part by Hamas.

These profiles represent the most meaningful actors on the digital and physical frontlines of the Israel-Hamas War at the moment. Flashpoint has seen an expansion of participants as the conflict unfolds and expands into new physical and digital theaters. We will therefore update this article as the situation continues to develop.

Request a demo today.

Blogs

Blog

The First 72 Hours of the Israel-Hamas War: Hamas and PIJ Activity on Telegram

Analyzing Telegram’s role in facilitating communication and strategy for Hamas and PIJ during the initial days of the Israel-Hamas War

Telegram: A crucial modern warfare channel

Telegram, with its 700 million-plus-strong user base, has evolved into a pivotal communication hub for Hamas and Palestinian Islamic Jihad (PIJ). Its robust privacy and encryption protocols safeguard communications while also providing a covert operational space for militant groups and cybercriminals. The platform’s role in open-source intelligence (OSINT) is vital, offering real-time insights into unfolding global events, such as the ongoing military conflict between Hamas and Israel, and becoming an essential tool for intelligence professionals navigating the multifaceted landscape of contemporary warfare. Organizations with regional interests should perceive Telegram as a crucial asset in understanding their risk apertures and navigating through conflict complexities.

In the context of recent global conflicts, including the Russia-Ukraine war and the Hamas-Israel conflict, platforms like Telegram have demonstrated their significance by providing real-time updates, documenting potential war crimes, and offering a platform for anti-war narratives amidst governmental censorship. Both scenarios underscore Telegram’s evolving role in modern warfare, influencing narratives and strategies, and providing a digital battlefield for organizations and intelligence professionals to navigate and anticipate conflict dynamics.

The Israel-Hamas War: Insights Through an Intelligence Lens

October 7: Surprise Hamas attack

This digital battlefield, while shaping the narratives and strategies in contemporary conflicts, abruptly collided with reality on October 7, when the virtual orchestrations of Hamas transformed into a tangible, devastating surprise attack on Israel.

Hamas militants launched an unexpected, devastating attack on Israel on October 7, resulting in hundreds of casualties and numerous hostages. Over 2,000 rockets were fired into Israel, causing significant casualties and prompting Prime Minister Benjamin Netanyahu to declare war on Hamas, mobilizing the military and reserves. The assault, occurring on the fiftieth anniversary of the 1973 Egypt and Syria attack and during the Jewish holiday, Shemini Atzeret, took Israel by surprise. 

Reports state that the attack resulted in hundreds dead and more than 500 injuries, the kidnappings of Israeli soldiers, and vehicle takeovers, while Hezbollah celebrated the assault. The US Embassy in Jerusalem issued an alert and initiated shelter-in-place protocols for its personnel. Militants breached the Gaza-Israel barrier using various methods, and Hamas commander Mohammed Deif urged Palestinians and Arabs to join the operation, raising fears of a wider conflict.

At around 5:30 a.m. UTC, Hamas posted in one of its main Telegram channels, that the Commander-in-Chief of Al-Qassam Brigades announced the beginning of Hamas’s Al-Aqsa Tufan (Flood) and the firing of over 5,000 rockets aimed at Israel. Shortly thereafter, reports show that air raid sirens sounded in Jerusalem around 6:30 a.m. local time, signaling an attack and instructing citizens to take cover.

Hamas Telegram post announcing the start of Al-Aqsa Tufan (Image: Flashpoint)

This message represents one of 1,145 messages sent over Hamas’s main Telegram channel on October 7. For context, the day prior, 373 messages were sent over the same channels, showing more than a 3X spike in chatter from October 6.

October 8: Violence escalates

The conflict intensifies with continued assaults and counter-assaults from both Israel and Hamas. The death toll rises sharply on both sides, and the situation garners international attention and condemnation. Hamas issues a threat to execute Israeli hostages, prompting further international outrage. The U.S. confirms that several American citizens have been killed in the attacks and expresses its unwavering support for Israel. Various nations and international leaders continue to condemn the violence and express solidarity with Israel.

On October 8, Palestinian Islamic Jihad posted that “the elite of Al-Quds Brigades is entering the border to support Al-Qassam Brigades fighters and supply them with weapons.” (Image: Flashpoint)

On Sunday, 1,129 posts were sent between PIJ and its followers on Telegram, with messages such as above sharing updates of the assault.

October 9: Broadening battlefields

The conflict takes a new turn as rockets are fired from Lebanon toward Israel, prompting Israeli forces to retaliate against Lebanese territories. The U.S. updates the number of American citizens killed in the attacks and acknowledges that Americans are among those taken hostage by Hamas. Israeli Defense Minister Yoav Gallant orders a “complete siege” on Gaza and promises a robust and unrestrained response to the ongoing attacks, vowing to eliminate any threats against Israel.

Telegram post from a major Hamas channel linking to a video of Abu Obaida, the spokesperson for the al-Qassam Brigades, in which he signals further violence to Israelis, particularly hostages (Image: Flashpoint).

Throughout Monday, Telegram activity from Hamas and PIJ fell by almost half compared to the day prior. Within the first 72 hours of the Israeli-Hamas War, Flashpoint observed a total of 5,472 Telegram posts shared by both Hamas and PIJ across their main channels.

Blogs

Blog

Qakbot Takedown: A Brief Victory in the Fight Against Resilient Malware

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations, like Qakbot, can often rebuild infrastructure and return from disruptions in new forms

Qakbot takedown and seizure

A global law enforcement operation has successfully disrupted the infrastructure of the Qakbot botnet, striking a major—though likely temporary—blow to a dominant player in the cybercriminal underground supply chain. 

Qakbot, familiarly Qbot, has been a major cyber threat since 2007, infecting victims’ computers to steal financial information and distribute additional malware payloads like ransomware. As a result of the takedown, more than 700,000 infected devices worldwide were identified and cleaned of the malware. The DOJ also announced the seizure of $8.6M in cryptocurrency in illicit profits.

While there is no doubt that the Qakbot takedown is a major win in the fight against cybercrime, it may only provide short-term relief in the fight against a notoriously resilient cybercriminal ecosystem.

‘Swiss Army knife’

A Swiss Army knife of cybercrime tools, Qakbot was a complex malware that opened remote access to victims’ systems, stole credentials and financial information, and downloaded additional malware payloads. Its modular architecture enabled frequent updates to add new capabilities over its 15+ years of operation.

“The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact..”

Ian Gray, VP Of Intelligence

Qakbot has been a versatile workhorse for cybercriminals. Its banking trojan functionality has been used to pilfer payment information and intercept financial transactions. As a loader, it distributed ransomware such as ProLock to extort victims.

Qakbot has also powered large-scale spam email campaigns and brute force attacks. Its worm-like spreading kept it entrenched in infected networks. By providing the backdoor access and distribution channel for other malware, Qakbot played a key supporting role in the cybercrime ecosystem. Botnets like Emotet and TrickBot operated similarly, loading additional threats onto compromised systems. These jack-of-all-trades botnets have proven lucrative for their criminal operators.

A history of temporary relief

Prior botnet takedowns like Emotet and TrickBot have shown that sophisticated malware operations can often rebuild infrastructure and return from disruptions in new forms.

In the case of Emotet, the botnet came back online in 2022 using new techniques after its infrastructure was dismantled in 2021. TrickBot also persisted despite takedown attempts and remains an active threat. This resiliency highlights the challenges law enforcement faces in permanently eliminating cyber threats.

While takedowns temporarily degrade capabilities, dedicated cybercriminal groups adapt to avoid further disruption. New malware families also inevitably emerge to fill the gaps left by larger takedowns. For example, BazarLoader and ZLoader rose to prominence as loader malware after the Emotet takedown.

Yet despite their disruptions, resilient botnets often return and new ones emerge. After prior actions against Emotet and TrickBot, the lingering demand in underground markets brought them back in adapted new forms. Bots remain attractive tools for cybercriminals thanks to their versatility, automation, and money generating potential.

While Qakbot’s infrastructure was disrupted, its operators may attempt to rebuild or evolve their techniques. Sustained pressure on botnet financial flows, developer communities, and other aspects of the cybercrime supply chain is needed to deter future attacks. For now, the coordinated Qakbot takedown bought time and degraded the capabilities of a dominant cybercrime player.

The fight against cybercrime must be persistent and comprehensive

The Qakbot takedown was effectively coordinated among global governments, including France, Germany, Latvia, Romania, the Netherlands, the UK, and the US, as well as the private sector. The collaborative endeavors of these authoritative bodies exemplify the power of a comprehensive, multi-agency approach, designed to maximize its impact.

Law enforcement and the private sector should to continue coordinating takedowns while also focusing on detecting new malware variants early, disrupting communication channels, and following the money trails of criminal enterprises.

Cyber hygiene and threat awareness across organizations must also improve to reduce vulnerability to malware infections, including loaders and trojans that distribute threats like Qakbot. Technical controls like endpoint detection, network monitoring, and patching are also key.

Ultimately, defeating cybercrime requires comprehensive strategy across law enforcement operations, cybersecurity practices, and international collaboration. The Qakbot takedown represents meaningful progress, but the world must remain vigilant against an adaptable threat landscape.

Get Flashpoint on your side

Flashpoint Ignite enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Unmasking the Attacker and Decoding Threat Actor Patterns

Contextual visibility into the patterns and activities of threat actors streamlines investigations and helps your organization build proactive defenses against cyber and physical attacks.

Scaling your Understanding of Key Threat Actors

Stopping threat actors in their tracks is an arms race. Attackers are quick to change their behaviors to avoid detection or attribution. But manually keeping track of and attributing specific threat actor TTPs, such as mapping indicators and behavioral patterns, is not scalable.

As a result, building a robust and dynamic understanding of these patterns is critical for understanding who is targeting your organization and how they may be executing their attacks, so you can build proactive defenses and mitigate risk holistically.

Building Threat Actor Profiles—in Seconds

Flashpoint has introduced a new capability that allows users to create high-level threat actor profiles in seconds. These auto-generated profiles provide a snapshot of key information about a threat actor, allowing analysts to quickly understand the full picture of threat actor activity, identify immediate threats, and prioritize remediation efforts. The profile builder is available in Ignite to Cyber Threat Intelligence (CTI) and Physical Security Intelligence (PSI) users.

The Digital Fingerprints of a Modern Threat Actor

These profiles include detailed descriptions of a threat actor’s digital fingerprint, encompassing their aliases and activities across our collections, such as the illicit communities they visit, their posts, and the frequency of their interactions. These profiles are automatically updated, ensuring that the most current and valuable data and intelligence are available to accurately identify, attribute, and analyze threat actors.

This capability rapidly generates threat actor profiles, enabling Ignite users to efficiently add additional information, expand analysis, and support investigations. It facilitates connecting the dots between a threat actor’s various aliases and networks of influence, tracking their online behavior, and seamlessly pivoting to relevant details for a comprehensive investigation. These insights contribute to fortifying your defense and addressing potential vulnerabilities in your systems.

The Impact of Specific Threat Actor Groups

The impact of cyber attacks has never been more apparent. For example, opportunistic cyber threats groups like Lockbit and Clop, who dominated the 2023 ransomware threat landscape, often target upstream vendors, such as supply chain and cloud services, causing potentially serious ripple effects for businesses who use those vendors. Beyond cyber threat actors, most physical attacks on people, places, and infrastructure also involve some degree of online activity, as threat actors often turn to online discussion forums as well as social media platforms to plan physical attacks.

As a result, it becomes essential to gain instant and continuous visibility into the patterns and activities of threat actors targeting your organization. This visibility not only streamlines investigations but also empowers you to make informed decisions about security architecture and fixes. It facilitates effective communication between business and security operations teams and enhances the threat modeling processes, leading to more accurate results. With these dynamic insights, you can proactively make better-informed decisions about your security investments.

Get Flashpoint on Your Side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Threat Actor Profiles Frequently Asked Questions (FAQs)

What are threat actor profiles and why are they important?

Threat actor profiles are automated summaries within Flashpoint Ignite that consolidate all known activity associated with a specific digital alias. They are important because they allow security analysts to instantly see an attacker’s behavioral patterns, tactics, and history without manually reading through thousands of individual posts. This speed is critical for identifying and stopping threats before they scale.

Feature	Security Benefit
Automation	Generates a full profile in seconds rather than hours.
Digital Fingerprints	Links multiple aliases and networks to a single actor.
Real-Time Updates	Keeps profiles current with the actor’s most recent posts.

How does Flashpoint identify the “digital fingerprint” of an attacker?

Flashpoint identifies an attacker’s digital fingerprint by tracking their unique behaviors across illicit online communities. This includes analyzing the specific forums they visit, the frequency of their interactions, and the specific language or “slang” they use. By aggregating this data, the platform can link different online personas back to a single threat actor.

• Activity Tracking: Monitoring which dark web marketplaces and forums an actor favors.
• Alias Linking: Connecting disparate usernames used by the same individual.
• TTP Mapping: Identifying the specific tools and methods the actor repeatedly uses.

Why is monitoring online chatter vital for physical security?

Monitoring online chatter using Flashpoint’s intelligence collection is vital for physical security because most modern physical attacks—such as protests, breaches, or violence—are planned in digital forums or social media first. By gaining visibility into these conversations, security teams can receive early warnings about threats to facilities, executives, or supply chains, allowing for a proactive physical response.

Threat Type	Digital Precursor	Physical Impact
Executive Protection	Doxing or mentions of a leader’s travel plans.	Harassment or targeted physical harm.
Event Security	Coordination of protests on messaging apps.	Disruption or breach of a secure perimeter.
Supply Chain	Discussions of logistics vulnerabilities.	Theft or delays in critical shipments.

Request a demo today.

Blogs

Blog

The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle

Understanding the anatomy of a ransomware attack empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident

Ransomware attacks are pervasive and devastating, targeting organizations and causing havoc on operations, finances, and reputation. To defend against these threats, security teams must understand the ransomware attack lifecycle.

As reliance on digital systems and networks increases, the risk of ransomware attacks grows exponentially. These attacks can cripple businesses, disrupt services, compromise data, and lead to significant financial losses. Cybercriminals continually evolve their tactics, demanding constant adaptation from security teams.

In this blog, we will explore the intricacies of ransomware, breaking down the attack lifecycle. Understanding this anatomy empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident.

Phase 1: Reconnaissance and target selection

Phase 1 of a ransomware attack involves the threat actor researching and selecting organizations to attack. During this phase, threat actors identify potential targets and gather critical information about them.

Identifying potential targets

Threat actors engage in reconnaissance to identify organizations that are more likely to yield a high return on their malicious activities. They carefully assess factors such as the industry, size, financial stability, and the value of the data held by the potential targets. Organizations that heavily rely on their digital infrastructure and are more likely to pay a ransom to regain access to critical systems and data are prime targets.

Techniques used for reconnaissance

Threat actors employ various techniques to gather information during the reconnaissance phase. These techniques may include passive reconnaissance, where they collect publicly available data from websites, social media platforms, and professional networking sites. They may also utilize active reconnaissance, such as scanning for open ports and vulnerabilities, conducting phishing campaigns to gather employee information, or leveraging third-party sources like leaked databases and dark web forums.

Vulnerability factors

Several factors can make organizations more vulnerable to targeting during the reconnaissance phase: 

• Lack of Security Awareness: Organizations that do not prioritize cybersecurity awareness and training for their employees may inadvertently provide attackers with valuable information through social engineering tactics.
• Inadequate Patch Management: Failure to promptly apply software patches and updates leaves systems vulnerable to known vulnerabilities that threat actors can exploit.
• Weak Access Controls: Poorly managed user accounts, weak passwords, and insufficient access controls increase the likelihood of unauthorized access to sensitive systems and data.
• Absence of Network Segmentation: If an organization’s network lacks proper segmentation, a successful initial access point can provide attackers with the opportunity to move laterally within the network and escalate privileges.
• Lack of Monitoring and Detection: Organizations that lack robust monitoring and detection capabilities may not notice the initial signs of a reconnaissance attempt, allowing threat actors to proceed undetected.

Phase 2: Initial access

Phase 2 of a ransomware attack is the critical stage where threat actors strive to gain initial access to an organization’s network and systems.

During this stage, threat actors employ a range of techniques to achieve initial access, including:

• Phishing Emails: One of the most common and successful methods, threat actors craft convincing emails designed to deceive recipients into clicking on malicious links or opening infected attachments.
• Exploit Kits: These toolkits contain prepackaged exploits that target vulnerabilities in software, commonly used web browsers, or plugins. By visiting compromised websites, unsuspecting users can unwittingly trigger the exploit kit and grant the attacker initial access.
• Vulnerable Software: Exploiting weaknesses in software, particularly outdated or unpatched applications, is another avenue threat actors may exploit to gain a foothold within an organization’s network. This was recently observed through CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities to attack over 100 organizations globally.

Social engineering tactics play a significant role in the success of initial access attempts. Threat actors exploit human psychology to deceive individuals and gain access to sensitive information or systems.

Pretexting, where a false scenario or pretext is created to gain the target’s trust, and baiting, which offers enticing rewards or incentives, are common social engineering tactics used to manipulate individuals. Moreover, tailgating—or taking advantage of individuals holding doors open for others—can be used to gain unauthorized physical access to secure areas within an organization.

Phase 3: Lateral movement and privilege escalation

Once threat actors have gained initial access to an organization’s network and systems, they proceed to Phase 3 of a ransomware attack: lateral movement and privilege escalation. 

This stage involves the navigation and expansion of their reach within the compromised network. Threat actors explore the compromised network to locate valuable data, critical systems, and potential targets for encryption.

They employ lateral movement, traversing through the network to gain control over multiple machines, servers, or devices, which increases the likelihood of finding and encrypting valuable information while making it challenging for defenders to contain the attack.

Threat actors may use several techniques to achieve lateral movement.

• Exploiting Misconfigurations: They take advantage of misconfigured network shares, weak or shared passwords, and unsecured remote desktop protocols (RDP) to gain unauthorized access to other systems within the network.
• Credential Theft and Reuse: They employ various tactics to steal or acquire legitimate user credentials, such as using keyloggers, credential harvesting, or compromising administrative accounts. These stolen credentials are then reused to move laterally within the network.
• Pass-the-Hash: This technique involves stealing hashed credentials from compromised systems and using them to authenticate and gain access to other systems without needing to know the plaintext passwords.

Once within the network, threat actors seek to escalate their privileges. By elevating their access rights, they gain increased control over critical systems and can maneuver more freely within the network. Privilege escalation techniques may include:

• Exploiting Vulnerabilities: They identify vulnerabilities in software, operating systems, or network configurations that can be leveraged to elevate their privileges. This may involve exploiting unpatched systems or misconfigured permissions.
• Leveraging Stolen Credentials: If threat actors have successfully stolen credentials during the initial access phase, they can use these credentials to escalate their privileges within the network, gaining administrative or higher-level access.
• Abusing Trusted Applications or Services: They manipulate trusted applications or services that have higher privileges or access rights to gain elevated permissions within the network.

It is important to note that lateral movement and privilege escalation are not necessarily linear processes. Threat actors adapt their tactics based on the network’s topology, security measures, and available targets, maneuvering opportunistically within the network.

Phase 4: Deployment of ransomware payload

In Phase 4 of a ransomware attack, threat actors execute their ultimate objective: deploying the ransomware payload. This phase involves the encryption of the victim’s files and the subsequent demand for a ransom payment.

Ransomware comes in various forms, each with its own characteristics and objectives. Some common types include:

• Encryption Ransomware: This type of ransomware encrypts the victim’s files, rendering them inaccessible until a decryption key is obtained by paying the ransom. Examples include notorious strains like WannaCry and Ryuk.
• Locker Ransomware: Locker ransomware locks the victim out of their system or specific applications, denying access to the device or critical functionalities. It often displays a ransom message directly on the victim’s screen, demanding payment to regain access.
• Hybrid Ransomware: Hybrid ransomware combines elements of both encrypting and locker ransomware. It encrypts files while simultaneously locking the victim out of the system, amplifying the impact and urgency of the attack.

To deploy the ransomware payload effectively, threat actors may leverage various techniques including:

• Email Attachments and Links: Malicious attachments or links embedded within phishing emails are a common delivery method for ransomware. Opening the attachment or clicking on the link initiates the download and execution of the ransomware payload.
• Drive-by Downloads: By visiting compromised or malicious websites, victims unknowingly trigger the download and execution of ransomware through vulnerabilities in their web browsers or plugins.
• Exploit Kits: Exploit kits can exploit vulnerabilities in software or operating systems to deliver ransomware onto the victim’s system. The kits automatically detect and target vulnerabilities, enabling threat actors to distribute the ransomware payload more efficiently.

Ransomware-as-a-Service (RaaS) and its role in the attack lifecycle

Ransomware-as-a-Service (RaaS) has emerged as a significant contributor to the proliferation of ransomware attacks. RaaS allows less technically skilled threat actors to access ransomware tools and infrastructure developed by more sophisticated actors. It operates on a profit-sharing model, where the developers take a percentage of the ransom payments. RaaS lowers the barrier to entry for cybercriminals, enabling the widespread distribution and execution of ransomware attacks.

Recommended Reading: The History and Evolution of Ransomware Attacks

RaaS platforms provide aspiring threat actors with user-friendly interfaces, technical support, and even customer service. They often offer customization options, allowing attackers to tailor the ransomware to their specific targets. The availability of RaaS has led to a surge in ransomware attacks globally, as it empowers a wider range of cybercriminals to participate in these lucrative campaigns.

Phase 5: Encryption and impact

The true consequences of the attack begin to unfold during the encryption and impact phase. During this phase, threat actors encrypt the victim’s files and inflict significant damage on their systems. 

Ransomware employs sophisticated encryption algorithms to lock the victim’s files, rendering them inaccessible without the decryption key. The encryption process typically targets a wide range of file types, including documents, images, videos, databases, and more. Threat actors often use strong encryption algorithms like RSA or AES to ensure the victim cannot decrypt the files without the decryption key.

As the encryption process unfolds, the victim’s files become unusable, with each file typically receiving a unique encryption key. The ransomware may also overwrite or modify the original file, making recovery without the decryption key even more challenging. The impact on the victim’s systems can be severe, leading to operational disruption, data loss, financial consequences, and reputational damage.

The consequences of a successful ransomware attack can be devastating for both organizations and individuals, and often entails many of the following:

• Operational Disruption: Ransomware attacks can cripple an organization’s operations, causing significant disruptions and downtime. Critical systems may become inaccessible, leading to productivity losses, delayed services, and financial repercussions.
• Data Loss and Corruption: If proper backups are not in place, victims may lose access to their valuable data permanently. Ransomware may also corrupt files during the encryption process, making recovery even more challenging.
• Financial Losses: Organizations may face substantial financial losses due to ransom payments, costs associated with recovery and remediation efforts, and potential regulatory penalties. Moreover, there may be indirect financial impacts stemming from reputational damage and customer loss.
• Reputational Damage: Publicly disclosed ransomware attacks can tarnish an organization’s reputation. Clients, partners, and stakeholders may lose trust in the organization’s ability to protect sensitive information, leading to a loss of business opportunities and customer confidence.
• Legal and Regulatory Ramifications: Depending on the nature of the compromised data, organizations may face legal and regulatory consequences, especially if personal or sensitive information is involved. Violations of data protection regulations can result in significant fines and legal liabilities.

Phase 6: Extortion and communication

In Phase 6 of a ransomware attack, threat actors establish communication with their victims and begin the process of extortion. At this time, they’ll demand ransom payments in exchange for providing the decryption keys or access to the victim’s systems. 

During this phase, threat actors initiate contact with the victim to convey their demands and establish a line of communication. They often use anonymizing technologies, such as the Tor network, to mask their identities and make it difficult to trace their activities. Communication can occur through various channels, including email, instant messaging platforms, or even dedicated ransom negotiation portals set up by the attackers.

Threat actors employ different methods to demand ransom payments from their victims. These may include:

• Bitcoin or Cryptocurrency Payments: Threat actors typically demand ransom payments in cryptocurrencies, such as Bitcoin, due to the pseudonymous and decentralized nature of these currencies, which makes them difficult to trace.
• Payment Deadlines and Threats: Threat actors often impose strict deadlines for payment, accompanied by threats of permanently deleting the decryption keys or increasing the ransom amount if the deadline is not met. These tactics aim to pressure victims into complying with their demands.
• Proof of Data Exfiltration: In some cases, threat actors may claim to have exfiltrated sensitive data from the victim’s systems and threaten to publicly release it unless the ransom is paid. This adds an additional layer of pressure and urgency for victims to comply.

Engaging or not engaging with threat actors during the extortion phase raises legal and ethical considerations. Organizations must carefully evaluate their options:

• Legal Considerations: Paying the ransom may be illegal in some jurisdictions or against organizational policies. Additionally, organizations may have legal obligations to report the incident, particularly if personal or sensitive data has been compromised.
• Funding Criminal Activities: Paying the ransom may contribute to funding further criminal activities, as the money can be used to finance future attacks. Supporting cybercriminals through ransom payments perpetuates the ransomware ecosystem.
• No Guarantee of Decryption: There is no guarantee that threat actors will provide the decryption keys or restore access to the victim’s systems even after the ransom is paid. Organizations must consider the risk of paying the ransom and not receiving the promised outcome.
• Cyber Insurance Coverage: Organizations with cyber insurance policies should consult with their insurance providers regarding their coverage and the implications of paying the ransom.

It is crucial for organizations to consult legal counsel, law enforcement agencies, and experienced incident response professionals before making any decisions regarding ransom payment. Each situation is unique, and a thorough evaluation of the risks, legal obligations, and ethical considerations is necessary.

Phase 7: Recovery and mitigation

The recovery and mitigation phase of an attack is where organizations focus on restoring systems, recovering encrypted data, and implementing measures to prevent future attacks.

Recovering from a ransomware attack requires a systematic approach. Key strategies for recovering encrypted data and restoring systems include:

• Isolate and Contain: Immediately isolate the affected systems to prevent further spread of the ransomware. Disconnect compromised devices from the network and shut them down to mitigate the risk of re-infection.
• Incident Analysis: Conduct a thorough analysis of the incident to identify the ransomware variant, its impact, and the compromised systems. This analysis can help determine the appropriate recovery strategy.
• Data Restoration: If backups are available, restore data from clean and secure backups. It is crucial to ensure backups are offline or properly protected to prevent them from being compromised by the ransomware.
• Decrypting Data: In some cases, decryption tools may be available from trusted sources, such as law enforcement agencies or security companies. These tools can help decrypt files without paying the ransom. However, this is not always possible, depending on the specific ransomware variant.
• System Rebuilding: In situations where data restoration is not feasible or backups are unavailable, organizations may need to rebuild affected systems from scratch using known good configurations and software.

Effectively responding to ransomware incidents requires a well-defined incident response plan, and may include some of these best practices:

• Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include roles and responsibilities, communication protocols, and predefined actions for different scenarios.
• Rapid Response: Ensure you have the alerting capabilities to act swiftly and decisively to contain the attack, isolate affected systems, and initiate the recovery process. Promptly engage internal IT teams, incident response experts, and relevant stakeholders.
• Communication and Notification: Establish clear lines of communication both internally and externally. Notify appropriate personnel, such as legal, PR, and executive teams, and consider legal and regulatory obligations for disclosing incidents involving compromised data.
• Forensic Investigation: Conduct a thorough forensic investigation to understand the root cause, identify the attack vector, and collect evidence for potential legal actions or future prevention measures.
• Employee Awareness and Training: Continuously educate employees about the risks of ransomware, phishing, and social engineering. Regularly train staff on cybersecurity best practices, including strong password management, recognizing suspicious emails, and reporting incidents promptly.

Prevention is key in mitigating future ransomware attacks. Implementing proactive security measures can significantly reduce the risk and impact of such incidents. Consider these important measures:

• Patch Management: Regularly apply security patches and updates to operating systems, software, and firmware to address known vulnerabilities that threat actors often exploit.
• Endpoint Protection: Deploy robust antivirus and anti-malware solutions, along with advanced endpoint detection and response (EDR) tools to detect and block malicious activities.
• Network Segmentation: Implement network segmentation to restrict lateral movement and contain the impact of an attack. Separating critical systems from the rest of the network helps prevent the rapid spread of ransomware.
• Least Privilege Access: Enforce the principle of least privilege, granting users only the necessary access rights required to perform their duties. This minimizes the potential damage that can be caused by compromised accounts.
• Regular Data Backups: Maintain regular, encrypted, and secure offline backups of critical data. Regularly test the restoration process to ensure backups are viable for recovery in the event of a ransomware incident.

Know your enemy

Ransomware attacks continue to evolve, becoming more sophisticated and widespread. Threat actors adapt their tactics, techniques, and tools to exploit vulnerabilities and maximize their financial gain. As such, ongoing vigilance and adaptation are essential.

But at each stage of a ransomware attack, robust threat intelligence can stop an emerging risk in its tracks and minimize—or even prevent—damage to your organization.

An effective threat intelligence program enables you to understand threat actors and their TTPs each step of the way. Critical capabilities for your threat intelligence program include:

• Vulnerability intelligence that gives practitioners access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack. 
• A robust alerting system that allows security practitioners o set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage. 
• Real-time and continuous data collection that includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.
• A managed attribution solution that allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations.
• Robust risk management practices and incident response plans in place in order to respond effectively and recover from security breaches.

To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, begin a free trial, or watch this video to discover the top ways to prevent an attack at your organization.

Request a demo today.

Blogs

Blog

Lost in Transition: A Timeline of Failed Successors to Breach and Raid Forums

The legacy of Raid, Breach, and their ‘successors’ provides an important lens into how data breach communities function and the real-life implications of the information they traffic

Race to the bottom

Starting June 24, 2023, visitors to the former domain of Raid Forums were greeted by the avatar of arrested administrator “pompompurin” in tiny handcuffs—an unprecedented trolling of sorts by authorities. 

Pompompurin, whose real name is Conor Brian Fitzpatrick, became a highly reputable threat actor on the now-defunct top-tier hacking forum Raid Forums and upon its shutdown, founded Breach Forums. Breach Forums continued the legacy of Raid Forums, both as a fixture among the data breach communities and as a law enforcement target. 

The founder and administrator of Raid Forums, Diogo Santos Coelho (aka “omnipotent), was arrested on January 31, 2022. Fitzpatrick, who has been operating on English- and Russian-language forums under the pompompurin moniker since at least October 2020, was arrested by federal agents on March 15, 2023.

Now, both Raid Forums and Breach Forums are no more. And ever since their seizures, other threat actors, some of whom were involved in the Breach and Raid, have attempted to continue their legacies in the purpose and services they provide. But it has thus far been a race to the bottom. 

Insight into the illicit spaces where cyber threat actors operate is vital to any threat intelligence operation. The legacy of Raid, Breach, and their “successors” provides an important lens into how data breach communities function and the real-life implications of the information they traffic. 

Timeline

Here is a summary of the recent events that we have observed within cybercriminal communities related, in some way, to Breach Forums and its legacy as a popular home for threat actors. 

• March 17, 2023: Breach Forums administrator “baphomet” decides to shut down the forum following the March 15 arrest of administrator pompompurin. The Washington Post included Flashpoint analysis in its March 22 coverage on the end of Breach Forums.

• March 29, 2023: PwnedForum, an identically formatted clone of Breach Forums, launches and quickly gains users and shares compromised data. The forum’s creator, “Sinistery,” solicited forum administrators and developers to volunteer to operate the site. 
• However, the forum was quickly shut down on April 4, 2023, following a disagreement between Sinistery and forum administrators. A message attempting to sell PwnedForum was briefly advertised on the website before closing. One of the forum’s former main administrators, “Frost,” stated that they were working on a new forum separate from PwnedForum, though they did not provide a timeline.

• May 29, 2023: “Impotent,” the forum administrator Exposed, leaks the database of 478,870 Raid Forums users.

• June 4, 2023: PwnedForums posted on Telegram that the notorious leak collective, ShinyHunters, is launching a forum with former Breach Forums admins.
• Also on June 4, a user posted an advertisement for the Exposed forum, calling it the “new” Breach Forums and inviting the Russian hacktivist collective Killnet to join the forum.

• June 12, 2023: ShinyHunters launches a new forum called Breach Forums—eponymous by name only.

• That very same day, Exposed Forums shut down. Its founders, “Impotent” and “Purism,” share that they will no longer support the development of Exposed Forums while cautioning against using the new Breach Forums due to operational security concerns.

• June 18, 2023: Breach Forums is hacked, and the data breach exposes the personal information of over 4,000 registered members.
• OnniForums, which appears to have launched in April 2023, took responsibility for the attack. It also claimed to have breached the forum Exposed, using a zero-day vulnerability in the open source forum software MyBB. The data leak included login keys, usernames, email addresses, IP addresses, password hashes, registration dates, members’ last visits and posts, number of posts, last activity, and social media handles with profile links.

• June 24, 2023: The user database of DarkForums, a relatively new and unknown forum, is breached and leaked, joining the ranks of Raid Forums and the new Breach Forums. 

Though it is difficult to assess if any of these forums will sufficiently fill the void of the data breach communities that Raid Forums provided, threat actors continue to start new darknet venues—a perpetual cycle that shows the resiliency of illicit communities and forums, despite law enforcement, in-fighting, and the adversarial nature of these communities that lends itself to, well, data breaches. Though there may not be a centralized venue for data breaches, it will not be for a lack of trying … even if it means leaking the databases of their competitors.

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.

Blogs

Blog

Days of Chaos: How OSINT Helps Us Understand the Putin-Prigozhin Schism

Social media and messaging platforms like Telegram continue to play a key role in understanding events, rumors, and ideas as they unfold in the Russia-Ukraine war

Putin Vs. Prigozhin

The once-cordial relationship between Vladimir Putin and Yevgeny Prigozhin, commonly known as “Putin’s chef,” has soured completely, marking one of the most compelling storylines in Russia’s now 16-month-long invasion of Ukraine. This particular conflict, however, played out in Russia on June 23 and lasted a scintillating ~36 hours, ending in a schism whose implications continue to reverberate across the world, especially in Russia.

Social media and messaging platforms like Telegram continues to play a key role in helping individuals and organizations alike understand events, rumors, and ideas as they unfolded, often in real time. As we describe in this article, and as we highlighted in our popular report on the role of open-source intelligence (OSINT) in the Russia-Ukraine War, organizations are rightfully viewing OSINT as a key element of their intelligence and security operations and leveraging it to understand organizational risk as it relates to the cyber, physical, and informational battlefields of this war.

Let’s zoom in on two crucial days—June 23 and June 24—of the conflict between Putin and Prigozhin and examine the importance of OSINT in understanding the events, then and now.

June 23: Wagner Accuses MOD of Missile Strike, Potential Military Coup Brews

On June 23, Yevgeny Prigozhin, the founder of the paramilitary company Wagner Group, accused Russia’s Ministry of Defence (MOD) and its leader, Sergei Shoigu, of conducting a missile strike on his mercenaries. Prigozhin claimed that the strike resulted in numerous fatalities. He characterized the MOD as “evil” and called for those responsible to be held accountable. It was unclear whether this move should be classified as a coup, insurrection, mutiny, or hardline bargaining tactic at the time.

In retaliation, Prigozhin has appeared to openly advocate for armed resistance against the MOD, adding fuel to an already tense stand-off. Prigozhin warned that “the next move will be ours,” and that those who are responsible for the deaths of the Wagner troops killed today, as well as the deaths of many tens of thousands of Russian soldiers, will be “punished” and “justice” will be “returned,” both to Russia’s armed forces and all of Russia. The MOD has rejected these accusations, claiming that they “do not correspond to reality” and labeling them as an “informational provocation.”

Round 2: #Shoigu hits back.

"All the video frames distributed on social networks on behalf of Yevgeny #Prigozhin about the alleged 'strike by the Russian Defense Ministry on the rear camps of the PMC Wagner” do not correspond to reality and are an informational provocation. pic.twitter.com/pBIPdFEdLc

— Jason Corcoran (@jason_corcoran) June 23, 2023

The current events, particularly the Wagner Group turning on Putin, can be traced back to the devastating fighting at Bakhmut, where the Wagner Group suffered heavy losses. This battle resulted in significant costs and losses for Russia.

June 24: Prigozhin’s March To Moscow

On June 24, Prigozhin announced that Wagner Group, the private military company (PMC) he leads, would cease its march on Moscow, ending what has been widely regarded as an armed insurrection and potential coup attempt targeting Russia’s military and government leadership.

In an interesting twist, Belarusian President Lukashenko stepped in, providing a means for Wagner to continue operating in a “legal” manner. This intervention prompted the move of Wagner Group and Prigozhin to Belarus. This is particularly noteworthy as PMCs are technically illegal under Article 359 of the 1996 Russian Criminal Code. As a result of the negotiations, the sides agreed that a “bloodbath” on Russian territory should be averted and de-escalatory steps should be taken. Prigozhin agreed that Wagner would halt its advance on Moscow, which Prigozhin claims Wagner got within 200 kilometers of, and turn back to “go in the opposite direction to [their] field camps.” In return, Wagner personnel would be granted “security guarantees.” 

Prigozhin claims that Wagner had not spilled “a single drop of blood of our fighters” since the start of their march on Russia the day prior. However, Prigozhin claims that Russia’s military had attempted to fire at the PMC during their march, reportedly downing at least one and potentially multiple Russian military helicopters. There are also reports of a fire at a fuel depot in Voronezh, which may have been hit by a Russian helicopter.

Wagner troops seized control of multiple military and administrative buildings in the Russian city of Rostov-on-Don early on Saturday morning and had since reportedly reached Voronezh, which lies 500 kilometers north of the city and on the way to Moscow. On June 24, Russian media reported that Wagner was preparing to leave Rostov-on-Don.

Since then, the Kremlin has said that Prigozhin would not have to face charges in Russia, but he has been dubbed a “traitor” by Putin. As of this publishing, Prigozhin is allegedly in Belarus, according to the country’s President, Lukashenko, who brokered the deal on Prigozhin behalf.

Concluding thoughts

In today’s dynamic geopolitical climate, staying ahead of the curve necessitates more than just monitoring mainstream media. Open-source intelligence collections have emerged as a game-changing tool for keeping abreast of the latest events in Ukraine and Russia, which can help various organizations and sectors sift through vast amounts of information, quickly filter out the noise, and deliver the most salient insights in real-time. The recent events in Russia showcase the value of this intelligence resource in offering a multifaceted perspective on ground realities. 

Get Flashpoint on your side

Flashpoint’s suite of actionable intelligence solutions enables organizations to proactively identify and mitigate cyber and physical risk that could imperil people, places, and assets. To unlock the power of great threat intelligence, get started with a free Flashpoint trial.

Request a demo today.