Normal view

Threats to the 2026 FIFA World Cup

4 June 2026 at 02:00

Executive Summary

The 2026 FIFA World Cup, which takes place across sixteen host cities in the United States (US), Mexico, and Canada, presents a complex threat environment across multiple security domains. The tournament’s global visibility creates opportunities for both financially and geopolitically motivated threat actors to target attendees, affiliated organizations, sponsors, vendors, and event-supporting infrastructure.

Physical security will almost certainly remain the highest priority for event coordinators and local government officials, given the high levels of international attention and the concentration of large crowds in host cities spanning three countries and multiple, distinct security environments. Mexico’s host cities face the highest physical risk due to the persistent presence of local and transnational criminal organizations (TCOs), with elevated concerns around theft, extortion, kidnapping, and fraud. US and Canadian host cities likely face a more limited threat from violent extremists, with greater risks to soft targets such as fan zones, watch parties, transit hubs, and other crowded public areas.

Civil unrest and disruptive protests are also very likely in a majority of host cities. Localized travel disruptions are especially likely in Mexico, where prior demonstrations have already blocked roads near World Cup venues. Large police or military deployments near event sites will likely increase the risk of confrontation.

The most immediate risk to corporate sponsors and affiliates is likely cybercriminal exploitation of World Cup demand and branding. Recorded Future’s Payment Fraud Intelligence team has already identified World Cup-themed purchase scams, fake FIFA-branded stores, and spoofed FIFA and host city domains. Carders are also likely to leverage stolen payment card credentials to fraudulently purchase event tickets and travel-related services for rapid resale and monetization. Efforts to use individuals’ interest in the World Cup to deliver malware or carry out data extortion or fraud will likely accelerate as the tournament approaches. Threat actors will likely continue to use AI-generated content to scale fraud, impersonation, phishing, smishing, and social engineering campaigns.

The concentration of senior government officials, diplomats, security personnel, corporate executives, and media at World Cup events also very likely increases the risk of cyber espionage and disruptive cyber incidents. Russian, Chinese, and Iranian state-sponsored threat groups will likely use the tournament as an intelligence collection opportunity, targeting executives, VIP attendees, national delegations, media partners, telecommunications providers, airlines, hotels, event logistics firms, and commercial affiliates. China is most likely to pursue targeted espionage, while Russia and Iran pose a higher risk of more disruptive attacks through proxy hacktivism.

Influence activity related to the tournament remains largely overt, driven by state media and diplomatic messaging from Russia, China, and Iran. These narratives focus on host-country legitimacy, Iran’s conditional participation, visa and access issues, public safety, immigration, ticketing, and alleged politicization of the event. Covert influence activity has so far been limited and opportunistic, but could increase as the tournament approaches, particularly around geopolitical flashpoints or viral news events.

Organizations involved in or exposed to the World Cup should prioritize proactive monitoring of location-specific physical security risks, protest activity, cybercriminal infrastructure, phishing and credential exposure, malicious traffic, ransomware indicators, and influence operations. Cyber indicators such as increased scanning activity or newly registered domains linked to FIFA or host cities may indicate an expansion of criminal or espionage activity. Developments around geopolitical flashpoints such as the war in Iran may increase the likelihood of attempts to disrupt the tournament through cyber or physical attacks.

Key Findings

  • World Cup crowds will likely elevate physical security risks around match venues and fan areas, exacerbated by factors such as TCO activity in Mexico and impending primary elections and 250th Independence Day celebrations in the US.
  • Opportunistic criminal activities tied to organized crime very likely constitute the largest physical security risks to Mexico’s World Cup host cities, while US venues face very likely less substantial (but nonetheless tangible) threats from violent extremists, particularly homegrown violent extremists (HVEs).
  • Cybercriminal threat actors are exploiting World Cup-themed branding via purchase scams and phishing infrastructures, with AI-generated content likely enabling operations to surpass volumes observed during prior World Cups. Carders frequently use fraudulent ticket purchases and resale schemes as a rapid monetization method for stolen payment card credentials.
  • Russian, Chinese, and Iranian state-sponsored threat groups will likely use the World Cup as an intelligence collection opportunity, while Russia and Iran pose additional risks of disruptive cyber operations, particularly from proxies and hacktivist personas.
  • World Cup-related influence activity from Russia, China, and Iran is driven overwhelmingly through overt state media and diplomatic messaging, while observed covert activity remains limited, opportunistic, and largely secondary to broader geopolitical narratives about Iran, host-country legitimacy, and US access and security policies.

Country Risk

Insikt Group assessed four categories of country-level risk in World Cup host countries: security and crime data; network intrusion activity, which measures Malicious Traffic Analysis events targeting each country; ransomware attacks targeting victims in each country; and data privacy and surveillance-related risks, accessible in the Recorded Future Intelligence Operations Platform as State Surveillance risk. While public reporting indicates declining crime rates in many World Cup host cities, violent crime risks are almost certainly greatest in Mexico; opportunistic crime, such as theft, likely presents the greatest physical security risk in Canadian and US host cities. By comparison, threats to data security and privacy are likely greatest in the US and Canada, given the higher volume of malicious cyber activity targeting US and Canadian entities. Factors complicating the security environment across World Cup host nations include TCO operations in Mexico; 250th anniversary celebrations in the US; and the lead-up to the US midterm elections in November 2026, including summer primary elections.

A country level security environment chart broken down by Security and Crime, Network Intrusion Activity, Ransomware Targeting and State Surveillance for Canada, Mexico and United States
Figure 1: Composite Country Risk Scores for Canada, Mexico, and the US (Source: Recorded Future)

Iran Expands Handala Brand to Physical Threats

2 June 2026 at 02:00

Executive Summary

Iran’s Ministry of Intelligence (MOIS) has likely broadened the use of its “Handala” brand to encompass MOIS’s external physical and influence operations targeting US and Israeli interests. Since the beginning of the Iran War, Insikt Group has observed significant overlaps in the online activities of Handala Hack Team, a newly created, Handala-branded persona referring to itself as the “Handala Popular Resistance Front” (HPRF), and three influence operations networks previously identified by Insikt Group. Based on frequent amplification and cross-posting of claims and content between Handala Hack Team and these four additional entities, we now attribute these groups to MOIS, with varying degrees of confidence.

The nexus between these personas and MOIS, as well as their multidomain tactics, techniques, and procedures (TTPs) and targeting, likely reflects how MOIS’s external operations have shifted in response to the Iran War. Notably, the HPRF and the three influence operations networks all almost certainly share a modus operandi: their administrators solicit individuals to conduct physical attacks and espionage targeting US and Israeli entities, on behalf of Iranian intelligence agencies, for a financial reward. By encompassing these groups under the Handala brand, MOIS likely seeks to take advantage of Handala’s global recognition to amplify its solicitation efforts.

MOIS’s likely coordination of distinct cyber, physical, and influence personas under a single brand very likely amplifies physical and cyber threats to targeted individuals and facilities. Handala-linked physical threat actors could almost certainly leverage the recognition of the brand’s hacktivist personas to recruit individuals to conduct targeted violent attacks, espionage, sabotage, or other physical threat activities. Shared resources, intelligence, and coordination efforts from a centralized source likely increase the impact of an attack. This very likely entails heightened risks for US and Israeli law enforcement, military, and intelligence agencies and their personnel, in addition to energy, transportation, and research organizations operating in the region.

Quantum Risk Explained

7 May 2026 at 02:00

Summary

  • Quantum computing is moving from theory toward early practical use, with direct implications for encryption, authentication, and long-term data confidentiality.
  • The primary risk is the eventual emergence of cryptographically relevant quantum computers (CRQCs), which would break today’s public-key cryptography and undermine encryption, digital identity, and software trust at scale.
  • Quantum risk is already present: “harvest now, decrypt later” activity exposes long-lived sensitive data today, regardless of when CRQCs ultimately arrive.
  • Regulatory mandates and procurement standards are accelerating post-quantum cryptography (PQC) adoption, making quantum readiness a multi-year compliance and resilience priority.
  • Organizations that delay preparation beyond 2026 are likely to face compressed migration timelines, higher transition costs, and increased operational disruption.

Quantum Computing Explained

Quantum computing applies principles of physics to solve certain complex problems far more efficiently than classical computers. Its security relevance lies primarily in cryptanalysis and optimization: A sufficiently powerful quantum computer will reduce the calculations required to protect today's public-key encryption from thousands of years to hours or less. Researchers have used the term “Q-Day” to refer to the hypothetical point at which quantum computers will be powerful enough to break encryption.

Quantum computing is now moving from theory toward early practical use, bringing “Q-Day” closer to reality. Industry estimates suggest quantum computing alone could generate up to $1.3 trillion in value by 2035. Major cloud providers, including IBM, Google, and Microsoft, are expanding their quantum services, while specialised firms such as Quantinuum and PsiQuantum continue to improve system stability and error correction. While these advances are not yet transformative, they are consistent with the early stages of commercial adoption.

Figure 1: Key risks of quantum computing
Figure 1: Key risks of quantum computing (Source: Recorded Future)

Alongside its potential benefits across finance, pharmaceuticals, defense, and other sectors, quantum computing introduces four key security risks.

Risk 1: Breaking Public-Key Encryption

Figure 2: Potential impacts of breaking public-key encryption
Figure 2: Potential impacts of breaking public-key encryption (Source: Recorded Future)


The most critical risk is the eventual arrival of cryptographically relevant quantum computers (CRQCs), systems capable of breaking widely used public-key algorithms such as RSA, Elliptic Curve Cryptography (ECC), and Diffie-Hellman. These algorithms underpin internet communications (Transport Layer Security [TLS], virtual private networks [VPNs], Secure Shell [SSH]), identity and access management, industrial and internet-of-things (IoT) systems, and the integrity of software supply chains.

If broken, threat actors could decrypt sensitive data, impersonate trusted systems, and undermine digital authentication. This could enable:

  • Forged digital signatures
  • Compromised code-signing pipelines
  • Spoofed websites, identities, and certificates
  • Manipulated financial transactions and legal documents

Risk 2: Harvest Now, Decrypt Later (HNDL)

Figure 3: “Harvest now, decrypt later” workflow
Figure 3: “Harvest now, decrypt later” workflow (Source: Recorded Future)

Although cryptographically relevant quantum computers (CRQCs) may still be years away, the risk is already materializing through “harvest now, decrypt later” (HNDL) activity. State-sponsored threat actors are likely collecting and storing encrypted data today with the intent to decrypt it once quantum capabilities mature. A 2021 Booz Allen Hamilton assessment found that Chinese economic espionage operations are likely targeting encrypted data with long-term intelligence value, including biometric identifiers, covert source identities, and weapons designs.

Large-scale routing manipulation offers one method for intercepting such data. Researchers at the US Naval War College and Tel Aviv University documented systematic Border Gateway Protocol (BGP) hijacking by China Telecom between 2016 and 2019, which redirected traffic from US, Canadian, and Scandinavian networks through Chinese infrastructure. These types of operations align with a long-term HNDL collection strategy.

Under the HNDL model, exposure occurs at the moment data is transmitted or stored, not when it is eventually decrypted. The primary risk, therefore, centers on long-lived data: information that must remain confidential for a decade or more, or whose sensitivity does not diminish over time, such as government and national security records, intellectual property and trade secrets, personal identifiers, financial data, biometric templates, healthcare records, and legal archives. For these data classes, compromise may not be immediately visible, but once decrypted, the consequences are irreversible. As a result, organizations holding long-lived sensitive data face near-term strategic risk regardless of when CRQCs become operational.

Large-scale routing manipulation offers one method for intercepting such data. Researchers at the US Naval War College and Tel Aviv University documented systematic Border Gateway Protocol (BGP) hijacking by China Telecom between 2016 and 2019, which redirected traffic from US, Canadian, and Scandinavian networks through Chinese infrastructure. These types of operations align with a long-term HNDL collection strategy.

Under the HNDL model, exposure occurs at the moment data is transmitted or stored, not when it is eventually decrypted. The primary risk, therefore, centers on long-lived data: information that must remain confidential for a decade or more, or whose sensitivity does not diminish over time, such as government and national security records, intellectual property and trade secrets, personal identifiers, financial data, biometric templates, healthcare records, and legal archives. For these data classes, compromise may not be immediately visible, but once decrypted, the consequences are irreversible. As a result, organizations holding long-lived sensitive data face near-term strategic risk regardless of when CRQCs become operational.

Risk 3: Quantum-Accelerated Brute-Force Attacks (Grover’s Algorithm)

Quantum computing does not break modern symmetric encryption outright, but it can accelerate search-intensive tasks through techniques such as Grover’s algorithm. This reduces defender reaction time and increases the effectiveness of weak or legacy cryptographic implementations. In practice, this could enable faster brute-force attempts against outdated encryption, quicker identification of exposed secrets or misconfigurations, and more efficient malware tuning and exploit development.

Recent demonstrations, such as Silicon Quantum Computing’s high-accuracy implementation on a four-qubit processor, remain limited in scale but reflect steady progress toward these capabilities. However, Grover’s algorithm is constrained by high hardware requirements and limited parallelization. As a result, modern symmetric algorithms such as AES-128/192/256 are expected to remain secure for the foreseeable future, while environments with poor cryptographic hygiene will be affected first.

Risk 4: Quantum- and AI-Enhanced Vulnerability Discovery

Quantum capability will not develop in isolation. As quantum systems improve optimization and search performance, and AI automates reconnaissance, exploit development, and lateral movement, adversaries are likely to operate at unprecedented speed and scale. Rather than identifying isolated weaknesses, attackers could rapidly map entire attack surfaces, chain misconfigurations, and deploy optimized malware variants in near real time. Research from 2024 demonstrates that machine-learning classifiers can already recover full cryptographic keys from PQC implementations using only a few hundred power traces, underscoring that even post-quantum algorithms will require hardened deployment.

This convergence of AI and quantum technologies could significantly increase an attacker's operational tempo and amplify the impact of individual security lapses. The risk is compounded by the fact that a rising number of organizations carry substantial security debt, with many reporting slow remediation cycles that leave vulnerabilities exposed for extended periods.

When Will CRQCs Arrive?

There is no definitive timeline for CRQCs. Most projections place their arrival in the mid-to-late 2030s, with credible breakthroughs possible earlier in the decade. These estimates should be treated with caution: forecasting is inherently uncertain because progress in quantum error correction and qubit scaling occurs in uneven advances rather than linear progression.

For security leaders, the precise date of “Q-Day” is less important than the lifecycle of deployed systems. Infrastructure implemented today may remain operational when CRQCs emerge. Current cryptographic decisions are therefore future-binding.

Under the HNDL model, quantum risk is already material for long-lived data. Preparedness, visibility, and cryptographic agility matter more than timeline prediction.

Figure 4: No definitive timeline for CRQCs
Figure 4: No definitive timeline for CRQCs (Source: Recorded Future)

How Should Organizations Prepare?

The transition to post-quantum cryptography (PQC) is no longer a theoretical exercise. It is increasingly driven by regulation, procurement requirements, and emerging industry norms. These developments should be interpreted as operational signals necessitating forward planning.

In the US, the Quantum Computing Cybersecurity Preparedness Act requires federal agencies to inventory quantum-vulnerable cryptography and develop migration plans. NIST’s 2024 PQC standards now set the baseline for federal procurement and are rapidly becoming global reference points. In parallel, Commercial National Security Algorithm (CNSA) 2.0 defines approved algorithms and transition timelines for national security systems, with full migration targeted by 2035. Similar momentum is building in Europe. The EU Cybersecurity Act and national quantum-preparedness strategies are accelerating early adoption, particularly across critical infrastructure sectors such as energy and transportation.

Although many of these mandates formally apply to public-sector systems, their practical impact extends well beyond government. Procurement requirements and supply-chain expectations are translating policy into commercial pressure. As a result, cryptographic inventory, structured migration planning, vendor alignment, and crypto-agility are likely to become baseline governance expectations rather than optional best practices. Boards are beginning to treat quantum risk as a strategic planning issue, not a distant technical concern, with some sectors allocating dedicated quantum-security budgets approaching 5% of total cybersecurity spend to support preparation.

Industry coordination further reinforces this direction of travel. Financial institutions, payment networks, and telecommunications providers are forming quantum-readiness working groups to align migration timelines and manage shared dependencies. SWIFT is developing PQC migration guidance for its global messaging network, and Mastercard has released a PQC migration white paper outlining practical transition steps.

Figure 5: Planning for the uncertain arrival of CRQCs
Figure 5: Planning for the uncertain arrival of CRQCs (Source: Recorded Future)

As the HNDL risk window narrows, organizations that begin structured preparation now are likely to manage transition risk deliberately and cost-effectively. Security leaders should ensure they understand where quantum-vulnerable cryptography resides, how regulatory obligations may cascade through customers and partners, and whether critical suppliers have credible PQC transition roadmaps. Those that delay risk compressed timelines, regulatory pressure, and materially higher transition costs later in the decade. Specific technical and governance steps are detailed in the Mitigations section.

Outlook

HNDL activity will continue to expand.
State-sponsored threat actors are highly likely to increase long-term interception and storage of encrypted data, particularly from sectors handling information with long confidentiality lifetimes. Even as storage economics fluctuate, scalable interception infrastructure and economically sustainable long-term storage models enable continued accumulation of high-value encrypted material. Demonstrated routing manipulation capabilities further support persistent collection at scale, ensuring exposure continues to build regardless of when CRQCs ultimately arrive.

Attacker operational tempo will increase.
The convergence of AI-enabled automation with quantum-accelerated search and optimization is likely to compress defender response windows and amplify the impact of existing security debt. Organizations reliant on legacy cryptography and slow remediation cycles will feel this pressure first.

Regulatory and procurement pressure will intensify.
Post-quantum readiness is increasingly likely to become a baseline requirement for regulated markets, government contracts, and high-trust supply chains. US and European initiatives are formalizing transition timelines, and these mandates will propagate through vendor ecosystems, reframing quantum preparedness as a competitive requirement rather than a discretionary control.

Migration risk will become a primary enterprise challenge.
Organizations that delay cryptographic inventories and crypto-agility investments are likely to face compressed transition timelines, higher costs, and greater operational disruption as standards mature and vendor dependencies shift.

Mitigations

Organizations should treat quantum resilience as a phased program aligned to visibility, flexibility, and systemic risk reduction, with leaders actively testing assumptions at each stage.

Short-term (2026): Establish visibility and prioritization

Security teams should maintain a comprehensive cryptographic inventory, identifying quantum-vulnerable algorithms across applications, infrastructure, and third-party dependencies, as well as public key infrastructure (PKI), operational technology, and IoT environments, and mapping them to data sensitivity and confidentiality requirements.

Leaders should be asking:

  • Do we have an enterprise-wide inventory of where quantum-vulnerable cryptography is embedded, including in legacy and third-party systems?
  • Which data assets must remain confidential for a decade or more, and are they currently protected by algorithms likely to be broken by CRQCs?

Medium-term (2026–2028): Enable flexibility

Organizations should design for cryptographic agility, ensuring that new systems and major upgrades allow algorithm replacement without architectural redesign. Vendors supporting long-lived products should provide credible PQC transition roadmaps aligned to emerging standards.

Leaders should be asking:

  • Are we continuing to deploy systems that hard-code cryptographic algorithms, thereby increasing future migration risk?
  • Do our critical suppliers have credible, time-bound PQC transition plans, and how exposed would we be if they fell behind?

Long-term (2028-onwards): Reduce systemic exposure

Migration should prioritize long-lived data and high-trust functions, including identity infrastructure, code signing, certificate management, secure build pipelines, and critical third-party software. Strengthening software and supply-chain integrity will be essential to minimizing cascading risk during transition.

CISOs should be asking:

  • Which enterprise trust anchors (for example, certificate authorities, signing keys, or hardware security modules) would create systemic impact if rendered vulnerable in a post-quantum scenario?
  • Can we rotate and replace cryptographic components at scale without operational disruption if migration timelines compress unexpectedly?

Recorded Future intelligence can support these efforts by tracking emerging cryptographic risks through our Threat Intelligence Module, identifying exposed dependencies through our Attack Surface Intelligence, and assessing third-party quantum readiness as standards and vendor capabilities evolve through our Third-Party Intelligence Module.

Risk Scenario

GridCore Systems is a US-based provider of industrial control systems (ICS) and grid-management software for electric utilities nationwide. The firm relies on quantum-vulnerable public-key cryptography (RSA/ECC) for remote access, software signing, and secure data exchange with utilities and regulators, and has not yet completed a post-quantum cryptographic transition.

First-Order Implications

Threat

Risk

Adversaries intercept GridCore’s encrypted communications and software-update traffic for long-term storage under a harvest-now, decrypt-later (HNDL) model, while exploiting an exposed support system to map cryptographic dependencies.
  • Legal or compliance failure: Exposure of regulated energy-sector data triggers scrutiny under North American Electric Reliability Corporation Critical Infrastructure Protection (NERC CIP) and federal cybersecurity requirements.
  • Operational disruption: Incident response and emergency access restrictions delay maintenance and update cycles for utility customers.
  • Brand impairment: Disclosure of quantum-readiness gaps undermines customer and regulator confidence.

Second-Order Implications

Threat

Risk

Attackers leverage harvested metadata and mapped trust relationships to position for future cryptographic compromise, focusing on software-signing infrastructure and authentication mechanisms.
  • Operational disruption: Utilities delay deployments and require additional validation of software integrity and access controls.
  • Brand impairment: Public concerns over update authenticity erode GridCore’s reputation as a trusted infrastructure provider.
  • Competitive disadvantage: Customers begin to favor vendors with demonstrable post-quantum migration progress.

Third-Order Implications

Threat

Risk

Following the emergence of cryptographically relevant quantum computers, previously harvested data is decrypted, exposing historical grid telemetry, credentials, and engineering documentation.
  • Operational disruption: Adversaries plan targeted intrusions or disrupt contingencies during periods of geopolitical tension.
  • Legal or compliance failure: Retroactive exposure of protected data leads to long-term regulatory action and contractual liability.
  • Competitive disadvantage: GridCore loses preferred-vendor status and future contracts to quantum-ready competitors.

Hacking Embodied AI

5 May 2026 at 02:00

Summary

Embodied AI has arrived.. Humanoid and quadruped robots are moving off factory floors and into everyday operations, military deployments, and critical infrastructure. Technological advances in large language models LLMs and robotics are enabling robots to perform complex tasks autonomously.

Security has not kept pace. Researchers have demonstrated that commercially available robots can be hijacked over Bluetooth, covertly exfiltrate audio, video, and spatial data to servers in China, and even infect neighboring robots wirelessly, forming physical botnets. If unaddressed, these security weaknesses are set to scale massively once humanoid robots are fully integrated into critical workflows.

The risks need to be taken extremely seriously. A robot should be treated less like a machine on the balance sheet and more like a cyber-physical endpoint with cameras, microphones, radios, cloud dependencies, and motors. That means tougher procurement, tighter network controls, continuous vulnerability monitoring, and a credible plan for operational continuity if a fleet has to be pulled offline.

Summary of Unitree G1 vulnerabilities, associated business risks
Figure 1: Summary of Unitree G1 vulnerabilities, associated business risks, mapped CVEs, and observed network activity (IPs and data exfiltration rates) (Source: Recorded Future)

Analysis

Market Drivers of Embodied AI Adoption

Embodied AI, intelligent systems in physical forms such as humanoid and quadruped robots, is moving from spectacle to staffing plans.

The shift is being driven as much by demographics as by technological progress. There are growing reports that the working-age population worldwide has begun to decline. China, an economic success story, has seen its population also decline again in 2025 as births hit a record low. These trends do not make large-scale automation inevitable, but they seriously strengthen the economic case for it in both corporate and government decision-making.

The International Federation of Robotics identifies labor shortages, real-world testing of humanoid robots, and increasing attention to safety and cybersecurity as defining trends for 2026. Some early deployments of embodied AI reinforce this trajectory. BMW reports that the Figure 02 humanoid robot has assisted in the production of more than 30,000 X3 vehicles, while GXO and Agility Robotics describe their partnership (established in 2024) as “the first formal commercial deployment of humanoid robots.” In high-risk environments, Sellafield is deploying quadruped robots to reduce human exposure in nuclear decommissioning.

Capital markets are also responding. Unitree filed for a reported $610 million initial public offering (IPO) in Shanghai in March 2026. Taken together, these signals suggest that robots are leaving pilot programs and becoming operational.

That transition makes the security question immediate rather than theoretical.

Expanding Attack Surface in Embodied AI Systems

Unlike traditional IT assets, embodied AI systems combine multiple high-risk components in a single platform: cameras, microphones, sensors, wireless radios, cloud connectivity, and physical actuation. This convergence creates a broad and under-secured attack surface.

A compromised robot can exfiltrate sensitive environmental and operational data, provide persistent remote access to internal networks, and interact physically with its environment, potentially causing unintended physical effects. This elevates robots from conventional endpoints to cyber-physical systems with both digital and real-world consequences.

The risk is compounded by architectural choices. Many platforms rely on cloud-dependent telemetry, wireless provisioning interfaces, and centralized control mechanisms. These design decisions create multiple entry points for attackers and increase the likelihood of compromise across entire fleets of embodied AI systems.

Demonstrated Vulnerabilities and Exploits

The risks are no longer theoretical. Documented vulnerabilities show that commercially available robots can be compromised with relative ease. Unlike traditional cyber threats, which mostly affect the digital world, exploiting robots enables attackers to manipulate the physical world, maximizing the potential for harm.

In 2025, researchers discovered an undocumented backdoor in Unitree’s Go1 quadruped robot that enabled remote access via the CloudSail service. Axios reported that an exposed web application programming interface (API) could allow attackers to locate devices globally and, if a robot was online, view live camera feeds without authentication. Where default credentials remained unchanged, full device control was possible. Whether described as a backdoor or a design failure, the implication is the same: robots may be reachable in ways operators do not anticipate, just like any other Internet of Things (IoT) device.

Summary of vulnerabilities affecting the Unitree Go1 robot with intelligence card insights
Figure 2: Summary of vulnerabilities affecting the Unitree Go1 robot, with Intelligence Card insights from the Recorded Future Intelligence Operations Platform (Source: Recorded Future)

Further research disclosed a critical vulnerability in the Bluetooth Low Energy and Wi-Fi provisioning interface used by multiple Unitree models, including the Go2, B2, G1, R1, and H1 robots. According to both the UniPwn research and IEEE Spectrum, the flaw combined hard-coded cryptographic keys, trivial authentication bypass, and command injection in the Wi-Fi setup process. An attacker within radio range could obtain root-level access without physical contact, giving them control over the robot.

Because the exploit propagates wirelessly, a single compromised device can enable lateral movement across nearby robots. This creates a fleet-level compromise scenario in which multiple units can be controlled simultaneously. The result resembles a physical botnet capable of both digital and physical actions.

Surveillance risks are equally significant. Researchers wrote that the Unitree G1 robot continuously exfiltrated multimodal sensor and service-state telemetry every 300 seconds without the operator’s knowledge. This included streaming data to external servers, potentially including audio, video, and spatial mapping. A robot operating inside a plant or laboratory may therefore be mapping the environment in real time.

Unitree G1 quietly transmitting audio, video and sensor data
Figure 3: Researchers found Unitree’s G1 quietly transmitting audio, video, and sensor data to the IP address (43[.]175[.]229[.]18) without user awareness (Source: Recorded Future)

The attack surface extends beyond firmware and networking layers. Researchers showed they could take control of a Unitree humanoid in about a minute, bypass its normal controller, and trigger physical actions. Demonstrations at GEEKCon in Shanghai indicated that both voice commands and short-range wireless exploits could hijack robots and propagate attacks to nearby units, including those not actively in use.

At the software layer, embodied AI systems introduce additional risks due to their reliance on large vision-language models. Researchers demonstrated that physical-world text can influence system behavior, as injected visual prompts were shown to steer autonomous driving, drone landing, and tracking tasks without compromising the underlying software. This would enable threat actors to take control of a self-driving car or turn a drone into their own surveillance feed by embedding a visual prompt in the environment, such as hiding a message on a stop sign.

Chinese robotic systems demonstrated during military training
Figure 4: Chinese robotic systems demonstrated during military training exercises (left) (Source: ABC YouTube); Concept rendering of the Atlas 2.0 robot operating in a next-generation factory environment (right) (Source: Boston Dynamics YouTube)

Systemic and Operational Risk Implications

The implications extend beyond individual devices to organizational and systemic risk. Embodied AI systems are already being deployed in environments where compromise has consequences beyond data loss. Manipulation or malfunction of robots during critical operations would have outsized economic or public safety consequences. Militaries are also experimenting with robotic systems (see Figure 4).

Droid TW 12.7 machine gun drone
Figure 5: Droid TW 12.7 machine gun drone, deployed by Ukrainian forces to capture Russian positions without ground troops (Source: The Telegraph)

In 2024, the Golden Dragon exercise between Cambodia and China featured robot dogs among the systems on display. Meanwhile, in the US, politicians have begun pushing for Unitree to be designated as a federal supply-chain risk, reflecting national security concerns about commercial robotics platforms. This is a very similar move to Poland’s ban on sensor-rich vehicles accessing military sites to limit surveillance risk. Ukraine has successfully deployed ground-based robots and drones in combat operations, marking a significant shift in modern warfare. In a landmark operation in April 2026, Ukrainian forces captured a Russian position using only unmanned systems — the first recorded instance of a robot-only assault in the conflict.

Flow Chart
Figure 6: A single vulnerability can simultaneously produce operational, data, safety, and strategic risks (Source: Recorded Future)

As adoption scales, these risks become interconnected. A vulnerability affecting one platform or vendor could propagate across fleets, sites, or sectors, creating systemic exposure.

At the same time, the pace of commercial development is outstripping regulatory oversight. Bank of America estimates that as many as three billion humanoid robots could be in operation by 2060. This convergence of demographic pressure, advancing AI capabilities, and falling production costs suggests that large-scale human-machine coexistence is highly probable.

Summary of the factors fueling growth in robotics production

Figure 7: Summary of the factors fueling growth in robotics production, illustrated by Bank of America data

(Source: Recorded Future)

Securing embodied AI systems is therefore not a peripheral technical issue. It is a strategic requirement that must be addressed before widespread deployment locks in insecure architectures at scale.

Risk Scenarios for the US’s Strategic Pivot

30 April 2026 at 02:00

Summary

The United States (US) is shifting toward a more force-driven security strategy primarily relying on military operations and economic pressure to counter transnational criminal organizations and limit Chinese, Russian, and Iranian influence in the Western Hemisphere.

Regional outcomes diverge across three core scenarios:

  • US-aligned authoritarian cooperation with fragile stability
  • Political fragmentation enabling criminal expansion and governance breakdown
  • A strategic realignment toward BRICS that reduces US influence and increases great power competition

Each scenario increases the risks of political instability, regulatory fragmentation, and cyber threats, including increased surveillance, cybercrime, and targeting of critical infrastructure and multinational businesses.

Chart of possible scenarios resulting from the US’s strategic pivot to Western Hemisphere security

Figure 1: Overview of possible scenarios resulting from the US’s strategic pivot to Western Hemisphere security

(Source: Recorded Future)

Analysis

The US 2025 National Security Strategy formalized a shift toward hemispheric priorities and narrower strategic objectives. This shift had been building throughout President Donald Trump’s first term:

  • January 2025: An executive order formally designates cartels as foreign terrorist organizations.
  • August 2025: The president signed a classified order directing military action against cartels beyond traditional law-enforcement frameworks.
  • September 2025: US forces carried out the first strike on alleged drug-trafficking vessels. Since then, more than two dozen kinetic strikes in the Caribbean and Eastern Pacific have resulted in over 100 fatalities.
  • December 2025: The US begins seizing oil tankers accused of sanctions evasion.
  • January 2026: The US launches a special operation to capture and extract Venezuelan President Nicolás Maduro to face drug trafficking charges in court.
  • March 2026: The US launches the “Shield of the Americas” initiative, intended to counter drug trafficking, transnational criminal networks, and illegal migration in the Western Hemisphere. In an address to Congress two weeks later, the commander of US Southern Command reinforced a greater military role in countering foreign terrorist organizations (FTOs) and managing other security priorities in the region.

Taken together, these moves suggest a shift from a law-enforcement-led regional security model toward more overt coercion driven by military intervention.

US military activity in Latin America has increased significantly since the August 2025 order directing chart
Figure 2: US military activity in Latin America has increased significantly since the August 2025 order directing action against cartels (Source: Recorded Future)

At a strategic level, US objectives remain centered on limiting transnational criminal activity and countering external competitors. Transnational criminal organizations are framed as a primary threat vector due to their role in narcotics trafficking and financial crime. China’s growing economic presence, anchored in trade and Belt and Road Initiative (BRI) infrastructure, is also seen as a threat to US interests. Russia and Iran maintain more targeted but persistent footholds, particularly through surveillance coordination in Nicaragua, Cuba, and Venezuela. US policy is oriented toward constraining adversary influence while reinforcing its own economic and security partnerships. The US is pursuing these objectives through a combination of expanded military operations, law enforcement activity, and coercive economic measures, including tariffs and sanctions tied to political alignment.

US naval and air assets have been deployed to the Caribbean
Figure 3: US naval and air assets have been deployed to the Caribbean to counter drug trafficking (Source: Newsweek)

Scenarios

The shift toward prioritizing US influence in the Western Hemisphere over other national security objectives will likely reshape the regional risk landscape. To assess the potential medium-term outcomes, Recorded Future identified key drivers and established baseline assumptions that underpin scenario development.

Drivers

Assumptions

● Increased US military interventions against alleged transnational criminal organizations TCOs and enablers

● Expanding role of TCOs and armed groups in regional instability

● Existing security cooperation between the US and Latin America LATAM governments

● Growing Chinese economic and infrastructure investment in LATAM

● Historical and ongoing relationships between Russia, Iran, and LATAM (notably Venezuela, Cuba, and Nicaragua)

● Increased adoption of commercial spyware and surveillance tools by LATAM governments

● US policy will prioritize countering malign influence and security threats within the Western Hemisphere over other regions

● Policy direction will remain sensitive to domestic political cycles in both the US and Latin America, creating potential for shifts following elections

● The US will favor limited-duration, high-impact interventions over prolonged military or large-scale nation-building efforts

● China will continue to expand its economic and diplomatic engagement in Latin America, positioning itself as an alternative partner (instead of the US

● Russia and Iran will seek to exploit opportunities to challenge US influence in the region, particularly through relationships with anti-US governments

● Regional governments will continue to leverage emerging surveillance and cyber capabilities to address internal security challenges

The following scenarios explore potential outcomes as the US reorients its security strategy toward the Western Hemisphere:

Scenario 1: Initial Authoritarian Stability

In this scenario, the US successfully asserts influence over historically adversarial authoritarian regimes, notably Venezuela and Cuba. These governments pivot toward cooperation with the US on trade, energy, and security, while maintaining repressive political systems domestically. US intervention has already reshaped Venezuela’s leadership and opened pathways for Western energy investment, while Cuba has responded to continued pressure by showing openness to economic reforms. Meanwhile, democracies like Colombia and Ecuador may adopt more coercive internal security postures, particularly in states facing cartel violence, in response to US pressure.

The US takes more aggressive measures to deter and counter non-Western infrastructure investments, leading to a relative diminishment in the influence of China and Russia as US engagement deepens. However, both powers will likely retain significant hemispheric influence and may pursue limited, asymmetric responses rather than direct confrontation.

interim Venezuelan president Delcy Rodriguez
Figure 4: US President Trump has praised interim Venezuelan president Delcy Rodriguez (Image source: Le Monde)

Organizational Risks

Cyber Risks

Operational disruption: This outcome may appear stable in the short term but is likely structurally fragile, as it depends on sustained coercive pressure and political alignment. Electoral changes will almost certainly bring in a new set of priorities and approaches to the region. This will create an operating environment at high risk of disruption.

Reputational damage: Companies seen as being too close to one political bloc or regime may face reputational damage as policies reverse.

Chinese and Russian state-sponsored actors will likely increase cyber operations against expanding US assets in the region, particularly in telecommunications and energy, to gather information or conduct strategic, limited disruption.

Surveillance, including the use of commercial spyware, will almost certainly increase as states escalate law enforcement operations against cartels and non-state armed groups.

Scenario 2: Fragmentation and Criminal Expansion

US intervention produces a political backlash, weakening democracies and fueling the collapse of transitional regimes. Inconsistent or heavy-handed military actions against alleged criminals increase public outrage, leading to electoral turnover and instability. As governments escalate repression to maintain control, resistance movements and localized violence intensify, further eroding state authority. This dynamic creates governance vacuums that strengthen TCOs, particularly in border regions. In this environment, cartels and armed groups re-emerge as dominant power brokers, reversing gains in regional security and leading to a resurgence in criminal activity and violence.

Organizational Risks

Cyber Risks

● Operational disruption: Violence and corruption will likely increase instability. Further, regime collapse in Cuba or Venezuela would provide a haven for criminal groups.

● Financial fraud: Expanding criminal influence increases the likelihood of cyber or violent crimes, such as fraud or extortion.

● Industrial-scale cybercrime operations, similar to the scam call centers in under-governed regions of Myanmar, may increase under cartel control. This would scale up fraud, cryptocurrency theft, and money laundering operations, likely targeting Spanish-, Portuguese-, and English-speaking populations.

● Internet blackouts are used as a weapon by governments struggling to maintain control, causing instability in communications and other infrastructure.

Chancay “megaport” in Chancay, Peru

Figure 5: Chancay “megaport” in Chancay, Peru, is funded under China’s Belt and Road Initiative

(Image source: China’s Global South Project)

Scenario 3: Accelerated Pivot to China

The US’s overreliance on military solutions at the expense of soft power enables China to position itself as an appealing alternative partner by offering positive incentives and stable, long-term policy-making. As a result, LATAM governments across the ideological spectrum quietly accelerate their pivot toward China, building on existing trade and investment ties. As this trend continues, LATAM governments feel emboldened to adopt more overt mechanisms to resist US influence, including legal challenges to military operations and regulations targeting US companies. Both China and Russia are able to increase their economic footprint and political influence in the region, especially if the US becomes less willing to maintain a consistent security presence.

Organizational Risks

Cyber Risks

● Competitive disadvantage: Expanding Chinese and Russian economic influence may displace US companies in key sectors such as energy, agriculture, telecommunications, and infrastructure, reducing market access and long-term competitiveness

● Legal and compliance failure: A more hostile regulatory environment could limit operations or force costly restructuring

● China and Russia gain a greater surveillance foothold, taking advantage of LATAM countriesʼ construction of telecommunications and “Smart Citiesˮ infrastructure using companies like Huawei, as well as the use of Russian digital surveillance technology, to ensure visibility.

● Increased data sovereignty and related technology regulations can disrupt regional and global business operations, particularly for cloud services, financial systems, and multinational supply chains.

Outlook

The scenarios are not mutually exclusive: multiple outcomes can play out in different countries or regions across Latin America. Below are key indicators to monitor to anticipate which outcome is more likely to emerge:

  • Election Outcomes: Colombia, Peru, and Brazil all have elections in the next year; a change in leadership may reflect popular dissatisfaction with the current government’s foreign policy, precipitating a policy shift. Furthermore, a decisive Republican defeat in the US midterms may reduce appetite for foreign intervention, leading to inconsistent policy.
  • US Intervention in Cuba: The US government is strongly signaling its intention to replace or significantly reform Cuba’s long-standing Communist regime. The success of the operation and the willingness of the US to back a transitional or reform government will determine which scenario described above plays out.
  • LATAM Security Cooperations: Criminal groups and militias thrive in contested or under-governed regions, such as along borders. Look for signed agreements and joint operations as signs of cooperation — or the lack thereof signalling potential breakdown in security coordination and a greater likelihood of criminal expansion.
  • The China Alternative: While China is likely to want to avoid direct confrontation over influence in the Western Hemisphere, the CCP may seek to offer more positive incentives to increase its economic footprint in the region, such as continued investments in ports, telecommunications, and other critical infrastructure.
  • The War in Iran: Even though it’s happening on the other side of the world, the Iran war is likely to shape how the US pursues military operations in the Western Hemisphere. Battlefield setbacks could decrease appetite for military intervention, or energy security pressures could increase the imperative to ensure influence.

Mitigations

  • Strengthen cyber resilience and third-party risk management: Enhance monitoring and defenses for critical infrastructure, telecommunications, and cloud environments. Use Recorded Future’s Geopolitical Intelligence module to understand the surveillance risk in countries where you operate. Conduct regular assessments of vendors and partners to reduce exposure to espionage, surveillance, and cybercrime.
  • Prepare for regulatory fragmentation and data localization requirements: Develop flexible compliance frameworks that can adapt to diverging data sovereignty laws, sanctions regimes, and trade restrictions. This includes establishing localized data storage where necessary and maintaining legal contingency plans for rapid policy changes.
  • Enhance crisis response and continuity planning: Build scenario-based contingency plans for political instability, violence, or infrastructure disruption (such as internet outages or supply-chain interruptions), which are routinely monitored in the Geopolitical Intelligence module. Contingency planning should include evacuation preparation, alternative logistics routes, and redundant communications systems to ensure operational continuity across volatile environments.

Further Reading

Critical minerals and cyber operations

23 April 2026 at 02:00

Summary

Critical elements and rare earth elements REEs are no longer commodities; they are strategic dependencies. Chinaʼs dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies.

Geopolitical competition over mining and refining critical elements and REEs is accelerating. Competition to mine them will almost certainly expand into the Arctic, Greenland, Antarctica, the seabed, and space. These emerging arenas introduce legal ambiguity, environmental tension, and strategic rivalry, creating new geopolitical flashpoints.

Cyber operations are increasingly intertwined with resource competition. Insikt Group has identified state-sponsored and criminally aligned cyber threat actors targeting mining organizations to gain a strategic advantage. As critical mineral supply chains grow in importance, cyber activity targeting the sector is expected to increase, with criminal groups potentially serving as proxies or access brokers for state-backed operations.

Figure 1: Map of where critical elements and REEs are being mined or have been located, along with key findings in the report Source: Recorded Future)

Analysis

What Are Rare Earth Elements and Critical Elements?

Rare earth elements (REEs) are a group of seventeen metals that are essential to modern technologies. REEs are vital to the Fourth Industrial Revolution, a term for the current era of connectivity, advanced analytics, automation, and advanced manufacturing technology. REEs are used in small but essential quantities; they significantly impact the efficiency, precision, and reliability of equipment. They also differ from most other critical elements because they are difficult to process and refine. The refining process requires complex separation, making supply chains slow to build and capital-intensive.

Figure 2: Simplified REE production process from mining to refining (Source: Recorded Future)

Critical elements such as lithium, copper, nickel, cobalt, and graphite are primarily used as structural, conductive, or energy-storage materials and are consumed in much larger quantities. These elements form the physical backbone of products like batteries, wiring, and digital infrastructure. In simple terms, critical elements build the systems, and REEs enable the systems to perform at high levels.

Where Are REEs and Critical Elements Located?

On land, critical elements are unevenly distributed globally, with mining concentrated in a few countries. REEs are primarily mined in China, with significant deposits in Australia and the United States (US).

Figure 3: The distribution of where critical minerals were mined in 2023 Source: World Resources Institute)

The seabed is an emerging arena for mining due to vast critical mineral reserves that are believed to lie on the ocean floor. On the seabed, minerals are packed into potato-sized nodules, form hard crusts, accumulate in sediment layers, and are emitted from hydrothermal vents. In April 2025, the Trump administration issued an executive order directing the US to rapidly scale its capability to mine and process seabed critical elements. Meanwhile, China continues to expand its deep-sea mining capabilities. Japan is also accelerating its deep-sea mining program and, in February 2026, recovered REEs from 6,000 meters below the surface of the Pacific Ocean.

Figure 4: Diagram showing how minerals containing critical elements can be extracted from the seabed Source: US Government Accountability Office)

Arctic ice volume has declined by more than 70% since the 1980s, opening new shipping routes and exposing vast natural resources. As ice retreats, significant deposits of critical elements such as cobalt, tin, and REEs are becoming accessible, alongside oil and gas reserves. Mineral-rich seabed nodules are also being uncovered, attracting increasing interest from both nation-states and private investors.

Greenland contains 25 of the European Commission’s 34 designated critical raw materials as well as substantial oil and gas potential. Mining remains difficult due to harsh conditions and limited infrastructure, but continued ice retreat combined with sufficient capital investment could unlock resources of major economic and geopolitical importance.

Figures 5 and 6: Map showing critical minerals located on Greenland (left) Source: The Telegraph);Map showing critical minerals in the Arctic region (right) Source: The Economist)

Antarctica is currently off-limits to mining until at least 2048 under a 1991 environmental agreement that designated the continent as a natural reserve. Antarctica is believed to hold significant reserves of oil, coal, and iron ore, which are already attracting growing interest for the future. China and Russia have announced plans to expand their presence in Antarctica. China’s intentions appear to be focused on resource exploitation, which could open up a new geopolitical fault line, this time in the South Pole.

Space is quickly becoming the next frontier for critical resource extraction. Critical elements are abundant on asteroids and on the Moon. As companies move toward space mining, the US and China are simultaneously racing to establish a permanent presence in space by the 2030s, intensifying an already highly competitive astropolitical environment.

What Is the Geopolitical Importance of REEs and Critical Elements?

Because industrialized nations need critical elements and REEs to manufacture advanced technologies, global demand is rapidly accelerating. China’s control over critical elements and REEs stems primarily from its dominance of processing and refining rather than extraction. By controlling much of the world’s REE separation and refining capacity, China holds significant leverage over global supply chains and strategic technologies.

This reliance has heightened anxiety in the US over access to critical and rare earth elements. In 2025, China demonstrated its leverage by threatening to suspend REE exports to the US, which compelled Washington to back away from plans to restrict the transfer of critical semiconductor technology.

The US government has since accelerated international critical minerals deals and begun investing in US mining operations to minimize its reliance on China, where over 90% of the world’s REEs are processed. Furthermore, we are now seeing the US strategically stockpiling critical minerals and seeking to form “critical minerals trade blocs.”

Have Any Cyberattacks Been Linked to REEs and Critical Elements?

State-sponsored cyber capabilities are deployed to support national objectives linked to mining operations and the exploration of new critical minerals.

In 2021, Insikt Group identified infrastructure previously linked to APT15, a Chinese state-sponsored threat actor targeting a Canada-based mining company focused on mining zinc, copper, and lead. While there is no public record of Chinese investment in that specific mining company, Chinese firms invested approximately CAD 40 million (USD $30 million) in other Canadian lithium miners during the same period. Ottawa later forced those companies to divest on national security grounds.

In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. These cyberattacks occurred around the same time that China entered into seabed exploration and mining partnerships with nations such as the Cook Islands, Kiribati, and Tonga. This campaign was almost certainly driven by a desire to gain advanced insight into deep-sea mining rules and rival nations' positions, helping it protect its critical minerals dominance and secure strategic seabed access ahead of its competitors.

Between January 2021 and January 2026, Insikt Group identified multiple sophisticated cyber operations targeting Indonesia. While not every intrusion can be conclusively attributed to mining activity, these attacks align with China’s strategic interest in Indonesia’s natural resources; for example, Chinese companies control about 75% of Indonesia’s nickel refining capacity. Furthermore, Indonesia holds approximately 55 million metric tons of nickel reserves, which is over 40% of global reserves.

Figure 7: Timeline of Chinese cyber threat actor campaigns identified by Insikt Group targeting Indonesia from January 2021 to January 2026,alongside large mining deals Source: Recorded Future)

In 2025, a hacker group known as Silent Lynx (or YoroTrooper) was reported to be targeting Russia's mining sector. Security researchers assessed that Silent Lynx is likely Kazakhstan-based, due to its language fluency, use of local currency, and regional targeting.

Ransomware and criminal cyber groups frequently target the mining sector, primarily for financial gain. As the sector’s global economic importance grows, it may attract increased extortion efforts. Insikt Group has previously identified ransomware groups operating in close coordination with state actors, effectively using ransomware as a smokescreen; as a result, we cannot rule out criminal groups increasingly providing access to mining organizations for state-sponsored cyber operations.

Figure 8: Data from Recorded Futureʼs Ransomware Dashboard showing the top five ransomware groups targeting the mining and metals sector in 2025 Source: Recorded Future)

Figure 9: Timeline from January 2021 to January 2026 showing mining companies being named on ransomware extortion sites,

alongside mining company access being sold on dark web sites Source: Recorded Future)

In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. They published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake. BianLian is a financially motivated group that opportunistically targets multiple sectors and is believed to be operated by Russia-based threat actors. While this leak was likely financially driven, state collusion cannot be ruled out, as state-sponsored threat actors increasingly hide operations behind criminal activity.

Outlook

The US and its allies will almost certainly intensify efforts to reduce strategic dependence on China for critical minerals. This is because control of mineral supply chains will be a decisive factor in determining leadership in the Fourth Industrial Revolution.

Mining activity will almost certainly expand into new frontiers, including the deep sea, the Arctic, and Antarctica, permanently reshaping both economic competition and geopolitical risk.

Space will very likely emerge as the final frontier for resource extraction. The US and China will accelerate competition to secure access to lunar and asteroid-based minerals, extending terrestrial resource rivalries beyond Earth’s orbit.

State-sponsored cyber threat actors operating on behalf of industrialized nations will almost certainly increase their focus on targeting mining companies and governments operating in strategically significant mining regions.

Criminal cyber activity will very likely increasingly serve as a smokescreen or initial access vector for state-sponsored operations targeting critical mineral mining companies.

Recommended D3FEND Actions

Tighten who can access sensitive supply-chain data
Control access to key network systems
Reduce account takeover risk on the systems that hold this data
Recover quickly from ransomware or destructive attacks
Replace compromised credentials quickly at scale
Shorten the “useful life” of stolen credentials and keys

Further Reading

Mitigations

Know your exposure to changes in critical mineral supplies: Map the locations of critical minerals in your products and suppliers, and identify potential single points of failure.
Resilience question: Are there any single points of failure in critical products or business lines if China were to restrict the supply of REEs?

Build a fallback plan: Put backup suppliers, alternate materials, and realistic inventory buffers in place for the highest-risk supplies your organization relies on.
Resilience question: What is our Plan B for our top three critical electronic supplies, such as laptops?

Prepare for criminal and state-sponsored cyberattacks: If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage. Actively monitor the latest indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) associated with threat actors known to target the sector or government bodies responsible for nation-state mining interests. Use Recorded Future’s Threat Intelligence Module to monitor for dark web and closed-source mentions tied to mining targeting.
Resilience question: If we’re hit with ransomware, how quickly can we restore operations? Do we have backup systems and data?

Map out your supply-chain risks: If your organization operates in or near the mining industry, you might have robust security measures — but your suppliers might not. Use Recorded Future’s Third-Party Intelligence Module to identify risks in your supply chain.
Resilience question: Which supplier or contractor would cause us the most problems if they were hacked, and could they be easily hacked from what we can identify?

Monitor the new mining hotspots: Track developments in the Arctic, Greenland, Antarctica, deep-sea mining, and space, as rules and conflicts there can quickly affect supply and reputation. Use Recorded Future’s Geopolitical Intelligence Module to gain visibility into new mining contracts and potential geopolitical risks from new deals.
Resilience question: What early warning signs are we monitoring that could disrupt our supply chain in the next 6–12 months?

Evolution of Chinese-Language Guarantee Telegram Marketplaces

22 April 2026 at 02:00

Executive Summary

Chinese-language, Telegram-based “guarantee” marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025. Although these guarantee marketplaces operate similarly to Huione Guarantee, they differ in their focus on particular aspects of cybercrime and in their targeting of specific geographies. To better understand these Chinese-language guarantee marketplaces, Insikt Group observed and analyzed another increasingly popular guarantee marketplace, dubbed Dabai Guarantee (“大白担保”).

Given that guarantee marketplaces typically involve hundreds to thousands of public and private channels, this report outlines how Insikt Group analysts navigated through just one of the Telegram channels belonging to Dabai Guarantee’s large infrastructure. The channel is known as Dabai Guarantee Public Group 301 (@DBTM301), and its main objective is to conduct “sweeping” operations (using illicit techniques to make purchases of physical goods at retailers or to withdraw and transact at country-specific ATMs) in South Korea and Japan. This report also includes the visible organizational structure of Dabai Guarantee Public Group 301, key rules, staff, and customer service functions.

This report primarily serves as an introduction to understanding how Chinese-language, Telegram-based guarantee marketplaces work and how to navigate them. It also includes interpretations of multiple criminal terminologies used by Chinese-speaking criminals, which are pivotal to understanding how Chinese cybercrime evolves over time. The cyber and fraud campaigns being promoted and launched on Dabai Guarantee and other similar guarantee marketplaces can negatively impact retail, banking, contactless payment providers, insurance companies, and individuals vulnerable to scam-related campaigns.

Key Findings

  • Dabai Guarantee is a platform that enables multiple Chinese-speaking threat groups with strong presences across multiple countries to coordinate and launch global-scale fraud and cyber campaigns.
  • Chinese-speaking syndicates are using Dabai Guarantee as a platform to facilitate campaigns involving financial and retail fraud, such as ATM withdrawal and ghost-tapping.
  • Criminal groups participating in campaigns are often siloed, acting independently, and restricting the sharing of information, resources, and goals, thereby creating barriers to tracking their activities.
  • Unlike conventional ghost-tapping campaigns that mainly target luxury businesses, “sweeping teams” typically purchase goods that are less expensive but still considered valuable to criminal groups and are relatively easy to transport (such as women’s cosmetics and tobacco products), likely to avoid detection by law enforcement. The sweeping teams eventually resell them in other markets for cash.
  • Dabai Guarantee’s bot search function makes it easy for Chinese-speaking criminals to enter specific search terms and be matched with existing public groups running those campaigns.

Background

Chinese-language guarantee marketplaces first emerged around 2021 with the launch of Huione Guarantee, serving as reliable alternatives to traditional dark web marketplaces accessible via the Tor network. Owners of traditional dark web marketplaces, such as Exchange Market and Chang’An Sleepless Night, have close to full control over advertisements and transactions. These guarantee marketplaces seek to eliminate distrust stemming from criminal groups scamming one another, dark web marketplaces shutting down, potential exit scams, and parties failing to honor terms that were previously agreed upon. Furthermore, guarantee marketplaces operate on publicly accessible Telegram channels by design; these public channels are meant to be found and appeal to a wider Chinese-speaking audience that uses Telegram, noting that most Chinese criminals still use Telegram rather than Tor for communication.

Guarantee marketplaces are often different from typical peer-to-peer (P2P) transactions between threat actors. Guarantee marketplaces are one-stop shops that handle and facilitate all cryptocurrency transactions (typically Tether/USDT) and mediation services between parties, whereas P2P transactions typically take place directly between users or through a third-party escrow service. The preferred cryptocurrency of Chinese-speaking threat actors is USDT, a stablecoin pegged to the US dollar that maintains anonymity. Stablecoins are a type of cryptocurrency designed to maintain a stable value by pegging themselves to reserve assets, most commonly the US dollar, to mitigate the volatility of cryptocurrencies like Bitcoin. According to Chainalysis’s 2026 Crypto Crime Report, stablecoins have come to dominate the landscape of illicit transactions, accounting for 84% of all illicit transaction volume in 2025. Chinese cybercriminals prefer using stablecoins such as USDT due to their combination of price stability, ease of border transfer, and relative anonymity. USDT also helps Chinese cybercriminals bypass China’s strict capital controls and traditional banking scrutiny to move money across borders.

In January 2025, Insikt Group published a report on the Chinese-language guarantee marketplace Huione Guarantee, “Huione Guarantee Serves as a One-Stop Shop for Chinese-Speaking Cybercriminals.” The report described the activities facilitated by Huione Guarantee, which include investment fraud, money laundering, and various online scams. Despite Huione Guarantee’s shutdown on May 13, 2025, Insikt Group observed that other guarantee marketplaces, such as Tudou and Xinbi, stepped in to fill the void left by Huione Guarantee's closure. According to Elliptic, Tudou Guarantee also shut down its operations in January 2026, after processing $12 billion in transactions. Even though Xinbi Guarantee was previously reported to have shut down, it has since been rebuilt and maintains a presence on Telegram as of this writing. Other, but not widely reported, active Chinese-language guarantee marketplaces operating on Telegram (besides Dabai Guarantee) are Yinuo, BoChuang, and Ouyi.

Guarantee marketplaces can also facilitate new attack vectors such as ghost-tapping. In July 2025, Insikt Group published a report titled “Ghost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem,” which details how Chinese-speaking cybercriminals and syndicates work together to conduct retail fraud using near-field communications (NFC) relay tactics. As of February 2026, Insikt Group observed that Dabai Guarantee has emerged as a major player in Chinese-language cybercrime, with its Telegram-based infrastructure resembling that of Huione Guarantee and offering malicious services similar to those advertised on Huione Guarantee, which is now defunct.

Dabai Guarantee Overview

Dabai Guarantee is a Telegram-based marketplace, consisting of thousands of public and private Chinese-language Telegram groups, that operates in a manner similar to Huione, Tudou, and Xinbi guarantees; many of these services cater to “small to medium-sized clients.” However, the operators of Dabai Guarantee do not maintain a clearnet website; they operate solely on Telegram, likely due to operational security (OPSEC) concerns. Operators of Dabai Guarantee likely chose not to have a clearnet website in light of Huione’s “bad OPSEC” practices — Huione Guarantee’s clearnet website made tracking much easier for law enforcement officials and researchers, which likely contributed to FinCEN sanctioning the organization in May 2025. The Dabai platform is populated with third-party vendors providing various services that facilitate cybercriminal and fraud activities, including money laundering methods and services, compromised social media and e-commerce accounts, SIM cards, personally identifiable information (PII), malware-as-a-service (MaaS), deepfake technology, know-your-customer (KYC) bypass services, and more.

Dabai Guarantee was likely founded in December 2024, based on its Telegram Channel’s creation date. There are currently six known official main Telegram channels:

  • “公群导航 @dabai” (@dabai_a): “Public Group for Navigation Purpose”, 15,372 subscribers, as of this writing
  • “大白担保大群” (@dabai_c): “Dabai Guarantee Big Group”, 19,225 members, as of this writing
  • “大白供需频道” (@dabaiyajing): “Dabai Supply and Demand Channel”, 17,085 subscribers, as of this writing
  • “大白担保规则” (@dabai_e): “Dabai Guarantee rules”, 428 subscribers, as of this writing
  • “大白担保客服人员名单” (@dabai_f): “Dabai customer service list”, 527 subscribers, as of this writing
  • “大白担保 @dabai” (@dabai): “Dabai Guarantee bot channel”

Dabai Guarantee’s public navigation channel, 公群导航 @dabai, is used to direct threat actors to different private/public Telegram channels to coordinate and collaborate on campaigns targeting both Chinese-speaking and non-Chinese-speaking victims. Below is a list of the service categories offered on the public Telegram groups on Dabai Guarantee. Each category has subcategories for more specific services. Each public Telegram group has a unique group number, the amount of the deposit made to Dabai Guarantee in USDT, the handles of group administrators and customer service representatives, the transaction rules, and a dedicated cryptocurrency wallet. More information can be found in Figure 1. These specialized channels include the following:

  • “海外钓鱼类” (“Overseas Phishing”) — Coordinate phishing campaigns against individuals residing outside of China
  • “买卖类” (“Trading”) — Buy and sell gift cards, databases, SIM cards, social media burner accounts, IP addresses, and physical goods
  • “引流类” (“Traffic generation methods”) — Overseas SMS blasts, Baidu promotions, chat scripts, and other services
  • “承兑类” (“Acceptance methods”) — Payment methods accepted by merchants include Alipay, WeChat Pay, and cryptocurrencies
  • “通道合作类” (“Cooperation Channels”) — Motorcade teams to conduct overseas operations such as collecting or making payments via cash and cryptocurrencies, and logistic operations to move physical goods
  • “短视频类” (“Short Videos”) — Short Douyin videos for promotions
  • “合作类” (“Cooperation”) — ID Loans, Apple IDs, courier delivery services, and burner mobile phones
  • “服务类” (“Services”) — SMS verification, file lookup, and graphic design services
  • “卡商类” (“Carding Merchants”) — Money laundering through bank cards and contactless cash withdrawal without cards
  • “搭建类” (“Developers”) — Software and bot setup services, and Apple signing/server/VPN/domain setup services
  • “其他类” (“Others”) — Other miscellaneous fraud services, social escort services, police impersonation, artificial intelligence (AI), and search engine optimization (SEO)-related services
  • “游戏类公群” (“Gaming-related public groups”) — Online gambling and video games
Figure 1: Dabai Guarantee’s public navigation purpose Telegram channel “公群导航 @dabai”, with listed categories (Source: Telegram)

Dabai Guarantee’s Rules (@dabai_e)

Dabai Guarantee’s rules channel (@dabai_e) has posted rules to prevent impersonation of the marketplace and to prevent users from creating their own “public groups” that are not officially regulated by Dabai Guarantee’s administrators. Some of the rules also showcase Dabai Guarantee’s OPSEC measures to prevent scamming and impersonation. The original Chinese text is in Appendix B. The following are some key rules:

  • Members are not allowed to create their own public group channel without Dabai Guarantee`s approval.
  • Members are not allowed to have private dealings with other parties or platforms, as Dabai Guarantee only guarantees transactions conducted on its platform. Dabai Guarantee also does not provide assurances for transactions with the Public Group “boss” or any other administrator. This means that no individual should have any transactions with the boss directly and should instead use Dabai Guarantee’s funds transfer mechanism.
  • Individuals who initiate a chat session with you are 100% scammers; members are to block and refrain from chatting with them.
  • The cryptocurrency address belonging to Dabai Guarantee is unique, and anyone sending other deposit addresses is a scammer.
  • After members have staked their cryptocurrency as deposits, they are required to send Dabai Guarantee’s leadership screenshots of the deposit to @dabai for verification and confirmation. Any losses resulting from failure to contact @dabai will be the member’s responsibility.

Case Study: Public Group 301

Group Structure

For this report, we will use the Telegram channel “Public Group 301,” which belongs to Dabai Guarantee, as a case study. This is not meant to be a comprehensive analysis of Dabai Guarantee’s massive infrastructure and that of other Chinese-language guarantee marketplaces. It is difficult to accurately quantify how many “Public Group” channels and threat groups are on Dabai Guarantee, as the numbers tagged to Public Groups are not assigned in chronological order, resulting in a lack of visibility — unlike Huione Guarantee, which had a clearnet website that listed the Public Group channels to redirect threat actors. Although there are thousands of channels belonging to Dabai Guarantee alone, understanding Public Group 301’s structure can at least provide insight into how threat actors use Dabai Guarantee in their campaigns.

In guarantee marketplaces, threat actors looking to launch campaigns typically deposit USDT to start a public Telegram group approved by Dabai Guarantee. This model ensures that criminal syndicates do not have to deal with other threat actors directly, but have Dabai Guarantee as a mediator. In the case of Dabai Guarantee’s Public Group 301, affiliate threat groups do not have to engage directly with the group’s leader, @J0hnNo1, and instead receive payments from Dabai Guarantee after the completion of tasks required by @J0hnNo1. Guarantee marketplaces such as Huione, Tudou, Xinbi, and Dabai seek to eliminate the “lack of trust” among Chinese-speaking threat actors. These marketplaces are designed to become trusted platforms that foster coordination and cooperation between different Chinese-speaking criminal groups to achieve their objectives.

Insikt Group navigated through Public Group 301’s Telegram infrastructure in order to identify the redirection flow. As shown in Figure 1, each category contains a hyperlink that redirects to other channels. From Figure 1, selecting category 5, sub-category 2 (“海外扫货车队”, or “Overseas Goods Sweeping Team”) redirected to a pinned message as seen in Figure 2. This message lists four different public channels (“公群”) containing campaigns targeting the US, Canada, South Korea, and Japan.

Figure 2: Selecting “海外扫货车队” (Overseas Goods Sweeping Team) redirects users to four different Telegram groups, where threat actors are seen discussing and showing off their financial crime-related achievements in countries such as the US, Canada, South Korea, and Japan (Source: Telegram)

As seen in Figure 2, “公群” refers to unique Public Group channels for specific purposes or operations. Each public channel here contains a numerical group identifier and a “U” deposit amount, where “U” refers to USDT. For example, “公群935已押2000U” refers to Public Group Number 935, with 2,000 USDT already being deposited in Dabai Guarantee to start the campaign. The naming convention for these Public Groups is ”dbtmxxx”; in this case, Public Group Number 935 will have the Telegram channel @dbtm935. When selecting the second option, “公群301已押1000U韩国,日本扫货组”, which means Public Group Number 301, with 1,000 USDT already deposited to “sweep goods” in South Korea and Japan, the corresponding Telegram channel is @dbtm301.

Upon further investigation and analysis of the channel, Insikt Group assesses that “sweeping goods” refers to the use of illicit means, such as ghost-tapping, to purchase physical goods at physical retail stores (in this case, in South Korea and Japan). This activity also includes ATM cash withdrawals at Japanese or South Korean ATMs.

Key Personnel Involved in Public Group 301

The following terms are important for understanding the operations of criminals involved in Public Group 301, and the entire Dabai Guarantee infrastructure more broadly:

  • Boss (“群老板”): The main coordinator overseeing a group’s operations. These individuals are not directly related to Dabai Guarantee and operate more like customers, making use of Dabai Guarantee’s infrastructure to lay out tasks and promising payouts in USDT upon completion. The boss will typically start a campaign by placing significant deposits into Dabai Guarantee’s USDT cryptocurrency addresses (“上押地址”) in order to get Dabai Guarantee’s administrators to approve the creation of a Public Group channel. In Dabai Guarantee’s Public Group 301 (@dbtm301), @J0hnNo1 is the boss of the channel. We observed that this threat actor intends to conduct ghost-tapping and fraud campaigns in Japan and South Korea, with the key objective of obtaining physical goods, cash, and funds through unauthorized transactions. Once the boss confirms receipt of the items and is satisfied with the outcome, they can ask Dabai Guarantee to release the payment to the criminals who participated in the requested task.
  • Channel Administrators (“管理员”): Dabai Guarantee’s personnel who act as intermediaries between the boss and other Chinese syndicates, ensuring that the boss gets the items and physical cash, while the Chinese syndicates are paid in USDT. These are the people who will process the payments. Channel administrators will also inspect video evidence provided by sweeping and “goods-receiving” teams and wait for confirmation from the boss that everything is satisfactory before releasing payments to the various Chinese-speaking criminal groups.
  • Chinese Syndicates (“犯罪组织”): Teams in charge of providing the people (“mules”) to form sweeping and goods-receiving teams. These syndicates will coordinate with the boss and receive payment in USDT after completing the required jobs.
  • Sweeping Teams (“扫货队”): Personnel tasked by the boss or other administrators with obtaining physical goods or conducting ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud, and to eventually transfer the goods to “goods receiving” teams.
  • Goods Receiving Teams (“收货队”): Personnel tasked by either the boss or their respective Chinese syndicates with receiving goods from sweeping teams; the items will eventually have to reach the “goods inspection teams.”
  • Goods Inspection Teams (“检货队”): Personnel tasked with physically inspecting the goods and cash being delivered by the sweeping or goods-receiving teams, typically appointed by bosses. When the “goods receiving” team is appointed by the boss, it is also possible that the “goods receiving” and “goods inspection” teams are composed of the same personnel, each fulfilling multiple roles. These teams will inform the boss whether the physical goods are satisfactory, and the boss will proceed to ask Dabai Guarantee to release the payment to the sweeping and goods-receiving teams.

Insikt Group assesses that individuals in the sweeping, goods receiving, and goods inspection teams act as mules, and these teams likely consist of Chinese-speaking tourists who can amass large quantities of physical goods and cash and exit the targeted countries as soon as possible. It is also likely that Chinese-speaking groups have members who are long-term residents of the countries targeted by the operations, such as South Korea and Japan.

Figure 3: Simplified illustration of Dabai Guarantee Public Group 301’s structure (Source: Recorded Future Data)

Figure 3 is a simplified illustration of Dabai Guarantee’s Public Group 301’s organizational structure. The barrier to entry for participating in “sweeping operations” is low, as participants just need to have the legal right to enter Japan or South Korea, pose as tourists, and follow the instructions given by the boss and other administrators. We estimate that there are likely more than a dozen sweeping teams linked to Dabai Guarantee operating in Japan and South Korea alone. Sweeping teams are likely assigned to obtain certain goods and cash in very specific areas and do not coordinate with one another because they are being deployed by different Chinese syndicates. This model suggests that operations are siloed, where teams act as independent, isolated units that restrict the sharing of information, resources, and goals.

Figure 4 shows the Telegram structure of Public Group 301, where @J0hnNo1 is the channel's boss. The channel is also composed of multiple Dabai Guarantee customer service staff, who serve as administrators. The original creator of the channel is @dbwb22; the Telegram account is no longer active, and @dbwb22 is no longer listed as one of Dabai Guarantee’s official customer service agents.

Figure 4: List of key personnel in Dabai Guarantee’s Public Group 301 (@dbtm301); @J0hnNo1 is listed as this group’s public channel boss (Source: Telegram)

The distribution of these teams significantly complicates efforts by researchers and law enforcement agencies to track and deter such criminal activities. For example, if members of “Sweeping Team A” are arrested for retail or financial fraud, law enforcement agencies will still need to locate the members of the “Goods Receiving Teams” and “Goods Inspection Teams” before they can even get close to decoding the identity of the boss, who is most likely coordinating operations from a location outside Japan or South Korea’s jurisdiction, such as Cambodia or Myanmar. Additionally, these sweeping teams most likely consist of low-level mules who are considered “expendables” by their Chinese syndicate recruiters. The screenshots in Figures 6, 7, 8, 9, and 10 illustrate the siloed operations conducted by different sweeping teams.

Figure 5 shows Dabai Guarantee customer service personnel @dbtm9 helping to set up public Telegram channel 301 on March 21, 2025, and serving as the channel’s key administrator. This individual serves as a mediator to facilitate transactions and dealings between the boss and other threat actors. The total amount of USDT deposited on that date was 485 USDT; as of this writing, it has risen to 1,000 USDT. The purpose of this channel is to encourage other threat actors to cooperate by taking part in sweeping and goods-receiving operations in Japan and South Korea. In the conversation below, the boss stated that the deposit amount will increase in proportion to the transaction amount. Insikt Group assesses that this would mean the sum of deposit scales with the size of operations in Japan and South Korea.

Figure 5: Screenshot of Public Group 301’s (@dbtm301) administrator (@dbtm9) establishing a group for “sweeping goods” and “receiving goods” operations in South Korea and Japan

Figure 6 shows that the boss is looking to recruit sweeping teams to conduct operations in Seoul, South Korea. The main objective is to purchase cosmetics, and once the goods have been delivered, the rewards will be “high.” The final sentence uses the term “速度快”, which means that the boss welcomes any sweeping team that can conduct and complete these operations quickly.

Figure 6: Screenshot of Public Group 301 “boss” @J0hnNo1 recruiting sweeping teams to purchase cosmetics in Seoul, South Korea (Source: Telegram)

Figure 7 features a sweeping team involved in purchasing tobacco-related products from the Terea brand at a CU store, a South Korean convenience store chain in Seoul, South Korea. It is clear that the boss has goods from specific brands they wish to obtain, and such goods may be resold for cash in other foreign markets at a later date, likely at a lower price to obtain hard currency as soon as possible. Insikt Group assesses that the items are very likely purchased using the ghost-tapping attack vector or through stolen payment card information. This reflects a shift from targeting luxury retailers to smaller-sized businesses, likely to avoid arousing suspicion from law enforcement authorities

Figure 7: Public Group 301’s boss @J0hnNo1 showing a CU receipt of tobacco sticks belonging to the Terea brand totaling 288,000 won, worth approximately $196 on March 25, 2025 (Source: Telegram)

Figure 8 shows an Apple Store receipt listing unspecified Apple products totaling 499,600 yen (approximately $3,145.66, as of this writing). Public Group 301’s boss @J0hnNo1 also stated, “Who said there are no large transactions in Japan? Just a single receipt amounted to 500,000 Yen.” This is likely a post encouraging syndicates to send more sweeping teams to acquire as many Apple products as possible, while hinting that the rewards could be lucrative.

Figure 8: Public Group 301’s boss @J0hnNo1 showing an Apple store receipt of items totaling 499,600 yen, approximately $3,145.66 on December 28, 2025 (Source: Telegram)

Figure 9 provides some evidence that Vietnamese individuals are also involved in sweeping operations. In the top-left corner of the iPhone in the image, the Vietnamese phrase "Không có SIM" means "No SIM card." This indicates that the person holding the phone is very likely a Vietnamese-speaking individual conducting unauthorized banking transactions using burner iPhones. Every single burner phone appears to be tagged with a label, which is very similar to the tactics, techniques, and procedures (TTPs) we documented in our Insikt Group report on ghost-tapping. It is also likely that this individual understands Japanese in addition to Chinese, as they were observed interacting with a Japanese banking application that displayed processed transactions. The transactions shown in the screenshot are dated between July 30, 2025, and August 28, 2025. The ability to use Japanese banking applications is an indicator that this individual is legally residing in Japan. In general, most Japanese banks require foreigners to close their bank accounts before leaving permanently; these regulations are implemented by major Japanese banks such as Shinsei Bank.

Figure 9: Image posted by Public Group 301’s boss @J0hnNo1 involving multiple unauthorized banking transactions from July 30, 2025, to August 2025. Insikt Group assesses that this is indicative of a ghost-tapping campaign targeting Japanese retail businesses involving multiple Apple burner iPhones on August 28, 2025 (Source: Telegram)

Figure 10 shows what appears to be an ATM cash withdrawal or transfer attempt at a Japanese ATM at an unspecified bank. This screenshot is also likely shown as an example of what sweeping teams in charge of withdrawing and transferring cash are expected and required to do.

Figure 10: Public Group 301’s boss @J0hnNo1 posted an image of what Insikt Group assesses to be an ATM cash withdrawal/transfer using a Japanese ATM machine on April 23, 2025 (Source: Telegram)

Figure 11 shows a cryptocurrency transaction of 10,629 USDT via the Tron (TRX) network to a sweeping team for the successful completion of the “mission.” The boss @J0hnNo1 thanked the sweeping team coordinator without identifying them. The exact phrase used while posting the image was “感谢老板信任”, which translates from Chinese to “Thank you boss for trusting me.” Boss, in this context, refers to the Chinese syndicates that provide the sweeping teams for successful operations. In the entire Dabai Guarantee Public Group 301 channel, there were many screenshots of such cryptocurrency transactions being sent to teams that participated in sweeping operations. The boss redacts recipients' cryptocurrency wallet addresses to prevent law enforcement agencies from tracking them. The TRON wallet address used by Public Group 301 is TByDzGWCirpCABaUorkhz5eWhjyDdYWgSo, as shown in Figure 11; this wallet address has facilitated a total of 2,943 transactions as of this writing.

Figure 11: Multiple screenshots involving USDT transactions are posted on the channel, likely for transparency and to reassure the sweeping teams (Source: Telegram)

Dabai Guarantee’s Staff and Customer Service Functions (@dabai_f)

Dabai Guarantee maintains a list of its official staff and customer service agents on its Telegram channel @dabai_f to facilitate the creation of Public Group channels and transactions. This system also helps prevent impersonation and scamming. Members are to contact customer service agents directly for any queries or concerns. The staff and customer service teams usually provide the functions listed in Tables 1 and 2; the customer service agents are listed in Figure 12 by their functions and Telegram handles.

Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
大白公群
Main Dabai Public Group
Dabai Guarantee’s directory, to help threat actors navigate through different aspects of cybercrime
@dabai_a
供求信息
Supply and demand information
A channel where Dabai Guarantee’s administrators post advertisements on behalf of their customers (other threat actors)
@dabaiyajing
核心大群
Core group
A channel where other threat actors can post their own advertisements and URLs for their websites, as well as key contact information, such as Telegram monikers
@dabai_c
客服频道
Dabai Guarantee’s official customer service channel
A channel for individuals to reach out to customer service officers who cater to different categories of cybercrime
@dabai_f
人工客服 @dabai 咨询、拉群、广告
Human customer service agents for consultation, group chat, and advertising
A bot channel that redirects individuals to human customer service agents for consultation, group chat, and advertising
@dabai
人工客服 @dabai 会员、解封、投诉
Human customer service agents for membership queries, unblocking accounts, and complaints
A bot channel that redirects individuals to human customer service agents for membership queries, unblocking accounts, and complaints
@dabai
人工客服 @dabai 验群、丢失群恢复
Human customer service agents for group verification and lost group recovery

This is to prevent impersonation, such as threat actors starting their own Public Group that is not officially approved by Dabai Guarantee.

There may be instances where Telegram deletes public channels for violating the terms of service, and the customer service team offers a service to restore them (This happened to Huione and Xinbi Guarantee; many of their channels were deleted by Telegram).

@dabai
人工客服 @dabai 纠纷仲裁、资源对接
Human customer service agents for dispute arbitration and resource matching

Customer service agents will attempt to resolve disputes between criminal groups when an unsatisfactory outcome is reached for one or more parties. They can also moderate disputes on transactions between buyers and sellers.

Resource matching refers to customer service agents attempting to match criminal groups to certain existing groups that are already participating in specific campaigns. In addition, customer service agents can connect buyers with sellers of goods and services.

@dabai
24小时客服机器人
24-hour customer service bot
@dabai
公群报备机器人
Public Group reporting bot
A bot that assists members in reporting violations of the terms of service
@dbhwbb_BOT
公群记账机器人
Public Group accounting bot
A bot that can help to look up transactions, real-time USDT pricing in relation to Chinese Renminbi (RMB), and cryptocurrency wallet monitoring
@dbjz_bot

客服人员名单 (@dbtm0 - @dbtm10 )

所有号标配 +888 虚拟号 没有一律骗子

Customer service staff lists (@dbtm0 – @dbtm10)

All customer service numbers come with a +888 virtual number. Any number without this is a scam.

@dbtm0 – @dbtm10

Table 1: List of Dabai Guarantee’s official staff and functions (Source: Telegram, Recorded Future)

Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
业务号(大白)
Business account (Dabai)
A business account belonging to a person called Dabai, with no specific function stated
@dbtm1
业务号(萌萌)
Business account (“Mengmeng” — Admin’s moniker)
A business account belonging to a person called Mengmeng, with no specific function stated
@dbtm9
专群交易员
Specialist traders
A group of agents well-versed in certain types of trade to facilitate coordination and cooperation in the public channels

@dbtm0

@dbtm3

@dbtm4

公群交易员
Public Group traders
A group of agents who facilitate cryptocurrency transactions, receive deposits, and release payments to other criminal groups

@dbtm7

@dbtm8

@dbtm10

公群巡查号
Public Group patrol account
A group of agents who direct individuals to specific Public Group channels based on what they are looking for
@dbtm2
担保仲裁号
Guarantee arbitration number
A case reference number assigned by agents for any disputes between parties
@dbtm5
资源对接号
Resource docking number
A unique number is assigned to a case or transaction to track conversational and transaction records
@dbtm6

Table 2: List of Dabai Guarantee’s customer service agents (Source: Telegram, Recorded Future)

Figure 12: Dabai Guarantee customer service Telegram channel “大白担保客服人员名单” (@dabai_f) provides a list of customer service agents (Source: Telegram)

Automated Bot System Directs Chinese Syndicates to Relevant Public Groups for Existing Campaigns

Insikt Group analyzed the public administrator bot @dbdbqg_bot to observe how a Dabai Guarantee user would be routed by the platform to participate in cybercriminal activities. To use this functionality, individuals must enter search terms in Mandarin. We used the terms 远程 (remote) and 数据 (data), which returned three and ten public channels, respectively. When querying for the term “远程” (remote), which typically refers to ghost-tapping campaigns involving NFC relay methods, three Public Group channels appeared as relevant results. When querying for the term “数据” (data), which typically refers to databases, ten Public Group channels specializing in datasets appeared in the results. In addition, using a country as a search term, such as 美国 (US), will also return results that show fraud or cyber campaigns targeting the US. This bot function demonstrates how easy it is for criminal groups to search for relevant groups, determine which campaigns they wish to participate in, and identify the types of datasets they are interested in procuring. Table 3 shows the number of Public Group channels involved in fraud or cyber campaigns for the search terms; specific details are not listed due to certain global entities named in the Public Group channels belonging to Dabai Guarantee.

Figure 13: Dabai Guarantee’s public administrator bot @dbdbqg_bot has a search function that will return results relevant to the individual’s search (Source: Recorded Future Data)
Chinese Criminal Lingo and Corresponding English Meaning
Number of Channels Returned as Search Results
Explanation of Function
Telegram Channels
远程 (Remote)
3
Ghost-tapping/remote NFC-related payment card fraud involving point-of-sale (POS) terminals

@dbtm153 (64 members, 800 USDT deposit as of writing)

@dbtm439 (49 members, 777 USDT deposit as of writing)

@dbtm307 (268 members, 500 USDT deposit as of writing)

数据 (Data)
10
Threat actors buying and selling databases

@dbtm123 (519 members, 888 USDT deposit as of writing)

@dbtm99 (49 members, 500 USDT deposit as of writing)

@dbtm688 (151 members, 500 USDT deposit as of writing)

@dbtm369 (65 members, 500 USDT deposit as of writing)

@dbtm567 (80 members, 2,888 USDT deposit as of writing)

@dbtm449 (177 members, 500 USDT deposit as of writing)

@dbtm298 (145 members, 500 USDT deposit as of writing)

@dbtm327 (89 members, 500 USDT deposit as of writing)

@dbtm211 (836 members, 500 USDT deposit as of writing)

@dbtm816 (851 members, 500 USDT deposit as of writing)

美国 (US)
2
Fraud or cyber campaigns targeting US entities

@dbtm322 (338 members, 500 USDT deposit as of writing)

@dbtm932 (956 members, 500 USDT deposit as of writing)

钓鱼 (Phishing)
1
Phishing campaigns
@dbtm142 (234 members, 500 USDT deposit as of writing)
账号 (Account)
2
Burner accounts being used for fraud campaigns

@dbtm322 (338 members, 500 USDT deposit as of writing)

@dbtm425 (60 members, 500 USDT deposit as of writing)

银行 (Bank)
2
Fraud campaigns targeting or involving banks worldwide

@dbtm420 (117 members, 500 USDT deposit as of writing)

@dbtm138 (50 members, 1,000 USDT deposit as of writing)

Table 3: Search results of Dabai Guarantee’s Public Group channels using their bot function (Source: Telegram, Recorded Future)

Outlook

Even with guarantee marketplaces such as Huione Guarantee being shut down, many Chinese criminals are likely turning to these Telegram-based guarantee marketplaces to sell illicit goods and to offer their services. Guarantee marketplaces such as Dabai Guarantee have demonstrated their ability to coordinate operations in countries such as Japan, South Korea, Canada, and the US by using Chinese-speaking individuals who are traveling or residing in those geographies to conduct retail and financial fraud. Over time, Dabai Guarantee may be able to establish itself as a trusted escrow platform for Chinese syndicates to rely on, despite the growing competition from existing and new guarantee marketplaces. There is also a possibility that operators of other guarantee marketplaces could execute an exit scam, leading to a loss of trust in guarantee marketplaces as a whole among Chinese criminals.

Threat actors such as @J0hnNo1, the leader of Dabai Guarantee Public Group 301, seek to obtain physical goods and foreign currency through illegal means, giving specific instructions to different syndicates to complete their objectives. Such operations are scalable on demand and will become harder to track and disrupt over time due to the siloed nature of the sweeping and goods-receiving teams. This report showcases the activities and structure of a single group (Public Group 301), which is only one group among hundreds under Dabai Guarantee’s decentralized and growing infrastructure. Ghost-tapping and ATM withdrawals are commonly used by Chinese-speaking criminals for money laundering, and we will likely continue to see more threat actors facilitating such financial and retail-related crime on multiple guarantee marketplaces.

Insikt Group assesses that Chinese syndicates will continue to recruit and deploy non-Chinese individuals with specific language skills to participate in campaigns, as exemplified by the Vietnamese individual mentioned in Figure 9.

Insikt Group assesses that guarantee marketplaces have solidified themselves as a major alternative to traditional Chinese-language dark web marketplaces. This decentralized model is becoming increasingly popular among the global Chinese-speaking criminal diaspora, enabling criminals without sophisticated skillsets to coordinate with syndicates and participate in operations that require physical elements.

Appendix A: Glossary of Terms

Chinese
Direct Translation
Definition with Relevant Context
公群
Public Group
Public Telegram channel/group facilitates a specific campaign, usually ending with a number; for example, 公群 1025 means Public Group 1025
飞机
Plane
Cryptocurrency
退押
Backing down
Withdrawal of funds from a Public Group
交易所地址
Transaction address
Cryptocurrency transaction wallet address
上押地址
Betting/Staking Address
Unique cryptocurrency addresses owned by Dabai Guarantee are usually listed in Public Groups. Threat actors who wish to launch a specific campaign must stake enough cryptocurrency as a deposit to create a Public Group channel; they will become the channel's “boss.”
私下拉群做单
Privately soliciting orders
拉黑
Blackmail
When an individual blocks someone who contacts them directly (Dabai Guarantee’s staff will never initiate private chats with any individual)
拉群
Pull the crowd
Start a new public Telegram group and get people to join it so other criminal groups can participate in a new, specific campaign
扫货
Sweep goods
To obtain physical goods or conduct ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud
收货
Receive goods
To receive goods, typically obtained by sweeping teams via illegal means
群老板
Group boss
Main coordinator to coordinate with other Chinese-speaking criminal groups for cyber and/or fraud campaigns; individuals who staked USDT to get approval to start a Public Group channel on Dabai Guarantee
冒充
Impersonate
Some scammers may impersonate group bosses or create Telegram groups with the intention of scamming other Chinese syndicates.
钱包监听
Wallet monitoring
To monitor cryptocurrency transactions in real time
实时U价
Real-time USDT value in relation to the Chinese Renminbi

Appendix B: Key Rules Written in Mandarin

(Translation available on p. 7)

⚠️交易注意事项⚠️

1.进群交易请先看置顶里面的群规则,交易过程请严格按照交易规则进行,群内所有事情请联系群内交易员 ,私下交易或者其他地方交易,后果自负,大白担保只担保本群内的交易。

2.大白担保业务只担保我们的公群内已经报备过的交易,我们不为公群老板或者其他管理员个人做担保,公群群老板对自己的业务员负责,如果群内业务员违规操作,由公群老板负责。

3.禁止以公群名义私下拉群做单,禁止金额不透明,如被用户举报后果自负。

4.大白担保工作人员不会主动私聊你,主动私聊你的100%都是骗子,请直接拉黑。

5.大白担保的上押地址是唯一的,发其它上押地址的一定是骗子,请大家远离骗子。

6.客户上押后,请及时发送上押截图与我们 @dabai 核实确认,如长时间未找 @dabai 核实确认押金而造成的损失由自己负责。

Emerging Enterprise Security Risks of AI

21 April 2026 at 02:00

Summary

Agentic AI adoption is accelerating rapidly as enterprise software and applications increasingly incorporate task-specific AI agents, enabling autonomous execution of complex tasks at machine speed.

The autonomy and scale of AI agents introduce significant enterprise risk, as errors, misconfigurations, or malicious manipulation can propagate quickly across interconnected systems, amplifying the potential impact of incidents.

Agentic AI will exacerbate existing weaknesses in software supply chains, as vulnerable or malicious open-source components can be deployed faster and at scale.

Identity and access management risks will also expand dramatically, as agents require broad, cross-environment permissions; compromised credentials, SSO platforms, or agent identities could enable large-scale service disruption or data exfiltration.

Prompt engineering enables threat actors to manipulate agents into carrying out malicious actions, underscoring the importance of layered security controls, zero-trust principles, and human-in-the-loop checkpoints to mitigate agent-driven threats.

Figure 1: AI agents have the potential to improve efficiency, reduce costs, and improve decision-making. However, the same features that make them so powerful will bring new security risks, and scale up old ones, if not managed effectively. (Image source: Recorded Future)

Analysis

Agentic Artificial Intelligence Is Set to Expand Rapidly

“Agentic artificial intelligence” refers to AI systems that can do things with limited human intervention. For example, traditional AI can draft code for a user who wants to build a website; agentic AI not only writes the code, but registers the domain and sets up hosting to launch the site.

Gartner predicts that as many as 40% of enterprise applications will incorporate task-specific AI agents by the end of 2026. A Deloitte report anticipates that at least 75% of companies will use agentic AI to some extent by 2028. The benefits of AI agents are that they can carry out complex tasks independently and at machine speed, working individually or as part of a multi-agent system.

However, the same features that make these systems powerful also introduce significant security risks. To operate effectively, agents need to seamlessly interact with other agents, humans, and software. This requires high degrees of trust, which can be exploited by malicious actors. Security best practices, notably zero-trust principles, are specifically designed to slow down these interactions, creating an inherent tension between AI agent implementation and security.

Agents Amplify Systemic Cybersecurity Weaknesses

Software engineering teams account for nearly 50% of AI use, demonstrating that AI is already deeply integrated into software development processes. This suggests that AI agents will likely play a significant role in future software development, working alongside human developers to generate, test, and deploy code.

The introduction of agents will amplify software supply-chain security weaknesses, allowing threat actors to take advantage of vulnerable or intentionally manipulated code to embed exploits in enterprise software. While these issues have existed long before AI or AI agents, the introduction of agents will cause these mistakes to be carried out faster and at scale. Initial studies suggest that AI-generated code is less secure than human-generated code, though AI coding performance is improving rapidly. Ensuring transparency and documentation in agent coding workflows is critical to ensuring a rigorous, secure development operations (SecDevOps) process.

Identity and access are additional enterprise security issues that AI agents are likely to amplify. For AI agents to operate effectively, they will also need access to various cloud applications and environments. This increases the complexity of identity management, as identity and permissions will need to extend to virtual agents.

Currently, many AI tools that connect to external data or to other tools operate in a trust-by-default mode, creating significant vulnerabilities. If this is extended to agentic AI, the potential harms from exploitation could increase significantly, as agents are capable of acts such as sending emails, deleting files, or authorizing payments. Defenders will need to ensure access permissions are properly managed and tracked for agentic users in the same way they manage permissions for traditional software and human users.

Figure 2: How AI agents may amplify current security weaknesses

(Image source: Recorded Future)

Prompt Engineering Remains a Pervasive Threat to Agents

While AI agents will accelerate existing enterprise security problems, they also introduce risks unique to artificial intelligence. Threat actors can deliver malicious instructions to AI agents via prompt engineering, causing the agents to act in alignment with the threat actors rather than with their legitimate users. Prompts can be delivered directly (through a chat interface), encoded in malware, or hidden in emails or other innocuous communications.

With the increased adoption of AI agents, threat actors may move further away from traditional malware and prioritize manipulating agents to scale and enhance operational efficiency. Targeting agents directly enables threat actors to leverage the speed and scale of AI agents, causing greater harm with a lower chance of detection or mitigation.

Figure 3: Potential attack scenarios weaponizing AI agents (Image source: Recorded Future)

Completely securing agents against prompt engineering is likely impossible. The need for AI agents to be useful will likely prevent developers from imposing fully effective guardrails against prompt engineering. This risk is similar to the difficulty of making humans resilient to social engineering operations. While training and awareness may help mitigate the effectiveness of some scams, threat actors continually find new ways to use people’s incentives against them.

Defenders can make AI agents more resilient to prompt engineering attacks by implementing layered security. Building in checkpoints where a human or another agent can assess or approve an action will help detect misaligned behavior and limit the potential harm. This is similar to fraud prevention or mitigation for human employees, such as procedures requiring additional approvals for transferring large sums of money.

Multi-agent AI Increases Unpredictability

As AI agents become more common, they will increasingly interact independently with each other to complete tasks. Multiple agents are susceptible to both intentional and accidental manipulation, which can manifest in unpredictable ways. Researchers have categorized these outcomes as:

  • Miscoordination: Agents cannot align behaviors to achieve an objective
  • Collusion: Unwanted cooperation between AI agents
  • Conflict: AI agents act to enhance their position at the expense of others

These outcomes can occur accidentally due to misaligned incentives and safety guardrails, or they can be programmed or intentionally manipulated. Despite safety guardrails, agents have been observed engaging in behavior they would otherwise have avoided. For example, AI agents on MoltBook, a social media network for bots, were observed disclosing potentially sensitive information about their users, including names, hobbies, hardware, and software (in addition to serious security failures associated with the site itself). Unwanted or unanticipated outcomes can occur when agents have free will to decide how they will carry out an objective.

Outlook

The first agentic data breach will very likely be the result of overly permissive environments: When threat actors succeed in using AI agents to carry out a breach, it will very likely be the result of an enterprise environment that operated using default permission settings.

Identity security will very likely shift toward “agent identity governance”: Enterprises will very likely expand identity and access management (IAM) frameworks to treat AI agents as priority digital identities, requiring lifecycle management, least-privilege enforcement, behavioral monitoring, and dedicated audit controls similar to (or stricter than) those in place for human users.

Prompt injection will likely evolve into a mainstream enterprise attack technique: Threat actors will likely increasingly prioritize manipulating AI agents over deploying traditional malware, using prompt injection, poisoned data inputs, and agent swarms to scale financial scams, cyber-physical disruption, and market manipulation — driving demand for layered guardrails and human-in-the-loop validation controls.

AI will likely reshape cyber insurance risk modeling and pricing: As AI agents become embedded across enterprise environments, the cyber insurance industry will likely face greater uncertainty in modeling risk exposure. Insurers are likely to respond by tightening underwriting standards around AI governance, requiring demonstrable controls such as agent identity management, human-in-the-loop safeguards, and prompt injection resilience.

Further Reading

Mitigations

Enforce zero-trust for agent identities: Treat AI agents as privileged digital identities subject to least-privilege access controls. Use Recorded Future Identity Intelligence to monitor for data breaches that expose agentic identities as well as human identities.

Resilience Question: Do we have a strategy for onboarding virtual identities into our IAM solution?

Ensure visibility into agent behavior: Deploy continuous monitoring tailored to agent behavior, including logging agent decisions, prompts, and actions, and setting up detections for anomalous task execution patterns.

Resilience Question: Do we understand how and why agents are making decisions, and can we quickly detect misaligned actions?

Strengthen supply-chain and code governance: Extend SecDevOps controls to AI-generated and agent-modified code. Assess AI-generated code for vulnerabilities and monitor for hallucinated or typosquatted dependencies. Use Recorded Future’s Third-Party Risk to monitor for downstream vulnerabilities in third-party software.

Resilience Question: Have we adapted SecDevOps to account for agentic coding?

Harden against prompt injection and input manipulation: Treat all external inputs as untrusted. Increase layered defenses to include multiple validation points and guardrails to minimize the impact of actions due to malicious prompts or inadvertent misalignment.

Resilience Question: What detections are in place to monitor for suspicious prompts?

Recommended D3FEND Actions

Verify agent identities to ensure they are authorized
Analyze resources accessed by users (human and agentic) to detect unauthorized activity
Ensure all software components are up to date
Modify an application's configuration to reduce its attack surface
Analyze the reputation of the identifier based on third-party threat intelligence
Verify agent identities to ensure they are authorized

Iran War: Future Scenario and Business Implications

14 April 2026 at 02:00

The Iran situation remains volatile and uncertain, with material impacts for organizations.

Leaders should plan for multiple future scenarios, prioritizing resilience and effective decision-making

Current State (April 10)

  • Severe tensions persist despite a two-week ceasefire:
    The agreement remains fragile and conditional on reopening the Strait of Hormuz; each side has already accused Iran War: Future Scenarios and Business Implications the other of violations.
  • Maritime flows partially resume but remain uncertain:
    Disruptions and elevated security risks persist. President Trump has signaled readiness to resume strikes on Iranian infrastructure if ceasefire conditions are not met.
  • Economic conditions remain unstable:
    Energy markets remain volatile, with continued pressure on supply chains. Shipping, insurance, and aviation activity are only partially restored. Inside Iran, infrastructure damage is driving power shortages and industrial disruption.
  • Cyber activity has intensified:
    Operations targeting energy and critical infrastructure are increasing, reinforcing systemic risk across key sectors.
Figure 1: An explosion in Tehran, February 28, 2026 (Source: PBS)
Figure 2: Cone of Plausibility Overview: Iran Conflict (Source: Recorded Future)

Framework Overview

To assess how the Iran conflict could evolve over the next 6–12 months, Insikt Group analyzed regional and global dynamics using the PESTLE-M framework, covering Political, Economic, Social, Technological, Legal, Environmental, and Military domains, with a focus on Iran, the United States, Israel, and Gulf States.

Figure 3: PESTLE-M Framework (Source: Recorded Future)

This analysis informed a scenario generation exercise using a Cone of Plausibility (CoP) method. The objective was not to predict a single outcome, but to explore a range of alternative futures based on observed signals and emerging trends.

Wildcard

Plausible

Baseline

Plausible

Figure 4: Cone of Plausibility Framework (Source: Recorded Future)


Methodology

For each PESTLE-M category, we identified key drivers that could increase or decrease the likelihood of escalation, de-escalation, or sustained instability, and assessed how these dynamics may evolve under different assumptions. These were combined to develop six scenarios: one baseline, two plausible (best and worst case), and three wildcard scenarios, enabling organizations to evaluate how the conflict may unfold and the potential impacts on their operating environment.

Within the CoP framework:

  • Drivers are signals and trends that could shape future developments
  • Assumptions reflect how those drivers may evolve over time
  • Scenarios describe how these dynamics could combine to produce distinct future states

We define scenarios as follows:

  • Baseline: A forward projection of current trends and conditions
  • Plausible: A realistic alternative outcome based on evolving drivers and assumptions
  • Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Baseline Scenario: Fragile Ceasefire with Sustained Economic Disruption

Key Drivers and Assumptions

  • Conditional ceasefire -> Underlying conflict causes unaddressed
  • Maritime coercion -> Economic warfare persists
  • Infrastructure targeting -> Energy disruption continues
Figure 5: Brent oil prices and projections (Source: Oxford Economics)
Figure 6: Iran is also threatening maritime traffic through the Bab al-Mandab, another key route (Source: Times of India)

Baseline: A forward projection of current trends and conditions

Ceasefire holds, but conflict shifts into sustained economic warfare.

A fragile ceasefire reduces the pace of direct military exchanges strikes, but the drivers of conflict remain unresolved. Iran lacks the capacity for decisive escalation but retains asymmetric leverage, while the US prioritizes energy market stability and conflict containment. The Strait of Hormuz reopens only intermittently, with recurring disruptions, inspections, and security incidents, keeping shipping, insurance, and energy markets under sustained pressure. Gulf financial, logistics, and technology sectors operate intermittently, airlines maintain some route suspensions, and cyber activity remains elevated against regional infrastructure and Western-linked organizations. The conflict evolves into economic coercion as a primary tool, driving elevated oil and gas prices, persistent market volatility, and tighter financing conditions. Supply chains gradually reconfigure away from high-risk routes, increasing costs and reducing efficiency. Russia benefits from sustained high energy prices and reduced Western focus, strengthening its position in Ukraine. China capitalizes on fragmentation by expanding alternative trade and financial networks, reinforcing a more bifurcated global system.

Likelihood

Most likely if ceasefire holds without resolution: Conflict remains below full-scale war, but economic disruption persists as the dominant mode of competition.

Business Implications
Priority Actions (0-90 days)
Operational: Intermittent shipping, route, and supplier disruption increases cost and complexity
Stress-test exposure to Hormuz-related shipping and energy disruption
Financial: Elevated energy prices and volatility sustain margin pressure and tighter financing
Harden resilience for energy, logistics, and cyber-dependent operations
Competitive: Firms with diversified routing and lower energy exposure gain advantage
Review sanctions, insurance, and counterparty risk across key jurisdictions
Legal: Evolving sanctions and emergency measures raise compliance burden and enforcement risk
Reputational: Scrutiny over pricing, shortages, and regional exposure increases brand risk

Plausible Scenario (Best Case): Managed Stalemate

Key Drivers and Assumptions

  • US threats and military strikes fail to coerce Iran into concession -> Limited appetite for sustained conflict
  • Significant economic disruption -> Economic costs drive political decisions
  • US military footprint in region -> Potential for re-escalation
Figure 7: US President Trump delivers a warning to Iran at a White House Easter event (Source: PBS News)
Figure 8: Iran has used maritime traffic through the Strait of Hormuz as leverage in the conflict (Source: CNBC)

Plausible: A realistic alternative outcome based on evolving drivers and assumptions

The US portrays its leadership decapitation campaign as successfully facilitating “regime change,” creating space for diplomatic engagement with “new” leadership. Iran maintains increased level of oversight over the Strait of Hormuz, while internally the IRGC plays a greater role in strategic decision-making.

Domestic economic and political pressure leads to the US to scale back military operations without clear resolution of key regional security issues, including Iran’s right to nuclear enrichment, ballistic missile program, and support to regional proxies. Maritime traffic slowly returns to pre-war levels, with a new protocol for vessel traffic under an internationally accepted mandate. Iran retains an increased level of oversight over the Strait of Hormuz passages and profits from the traffic. This relieves some economic strain, though lingering supply chain effects remain. Cyber attacks persist as a means of asymmetric coercion. The US lifts some sanctions against the “new” regime, but other sanctions remain in place, complicating the regulatory environment. Interest in renewable energy increases as companies seek to mitigate against future disruption, though oil demand returns to pre-conflict norms. Israel continues limited, highly targeted strikes, while the US retains its military presence in the region, keeping the possibility for re-escalation open.

Likelihood

Less likely as conflict continues: This scenario assumes the US’s limited appetite for full-scale war, but the opportunities for de-escalation diminish as the conflict persists.

Business Implications
Priority Actions (0-90 days)
Operational: Recurring disruption risk for regional transport corridors, ports, and cross-border trade
Keep sanctions, export-control, and third-party due diligence on heightened alert
Financial: Long-term effects of recovery
Build redundancy into critical suppliers
Competitive: Competitors with diversified sourcing, redundancy, and mature sanctions controls are best positioned to withstand ongoing shocks
Maintain an elevated cyber posture
Legal: Continued tensions mean sanctions and export controls may tighten again with little notice
Tighten executive decision rights and trigger points for regional exposure
Reputational: Price increases tied to lingering supply-chain effects may trigger accusations of profiteering
Accelerate resilience investments with strategic upside, especially energy efficiency, renewable sourcing, and inventory visibility

Plausible Scenario (Worst Case): Regional Conflict with Gulf Involvement

Key Drivers and Assumptions

  • Conditional ceasefire -> Continuing provocation re-escalates conflict
  • Strait of Hormuz chokehold effective -> Asymmetric advantage to disruption
  • Gulf infrastructure targeted -> Multi-state escalation
Figure 9: The Saudi crown prince reportedly urged President Trump to continue war (Source: NYT)
Figure 10: The UAE has been proactive in the conflict, taking nonmilitary measures against Iran (Source: South China Post)

Plausible: A realistic alternative outcome based on evolving drivers and assumptions

Ceasefire collapses, triggering multi-state regional war.

A temporary ceasefire breaks down following renewed strikes and failure to secure maritime access. Iran escalates missile and proxy attacks, including targeting Gulf energy infrastructure. With critical thresholds crossed, Saudi Arabia, the UAE, and Bahrain enter the conflict directly to protect economic and political stability. The Strait of Hormuz and Bab al-Mandab become sustained conflict zones, with repeated attacks, mining, and vessel seizures. Shipping and insurance markets withdraw at scale, severely constraining global energy flows. Energy prices surge, driving inflation and recession risk globally. Fuel shortages emerge in import-dependent economies, triggering industrial slowdowns, reduced mobility, and rolling outages. Cyber operations escalate into coordinated campaigns targeting energy, logistics, and financial systems. Legal fragmentation accelerates, with overlapping sanctions regimes, asset controls, and enforcement actions constraining cross-border operations. Russia exploits elevated energy revenues and reduced Western focus to press its advantage in Ukraine. China remains indirect but leverages Western overstretch to increase pressure on Taiwan.

Likelihood

More likely if ceasefire collapses and Gulf assets are targeted: Escalation becomes self-reinforcing once regional actors are drawn into direct conflict.

Business Implications
Priority Actions (0-90 days)
Operational: Supplier and production relocation, increased redundancy, and higher cost and complexity
Harden critical infrastructure dependences (energy, logistics, third parties)
Financial: Energy costs and inflation drive margin pressure, while financing becomes tighter and more expensive
Test business continuity under outage scenarios
Competitive: Resilient, energy-secure firms gain advantage; exposed firms lose share
Segment and isolate high-value systems; prioritize offline backups and rapid recovery
Legal: Fragmented, fast-changing sanctions increase compliance burden and legal risk
Review third-party and regional concentration risk, particularly for Middle
Reputational: Scrutiny over pricing, shortages, and exposure drives brand and trust risk
Establish crisis governance and decision cadence

Wildcard Scenario 1: Lasting Peace Agreement

Key Drivers and Assumptions

  • Severe degradation of Iranian infrastructure -> Iran compelled to concede
  • Global economic disruption → International support for peace process
  • Sustained disruption to Hormuz and energy markets → Mutual incentive to stabilize
Figure 11: Pakistan has offered to host talks to broker peace between US, Iran (Source: Time)
Figure 12: Traffic through the Strait of Hormuz dropped significantly since conflict began (Source: Lloyd's List)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Negotiated settlement reached between the US and Iran, allowing for longterm drawdown of conflict.
Significant degradation of Iran’s energy, military, and industrial infrastructure, combined with mounting economic strain, power shortages, and reduced capacity to sustain conflict, compels Tehran to reassess its position and signal willingness to accept concessions. In parallel, the United States faces rising economic costs from prolonged energy disruption, inflation, and market instability, increasing pressure to stabilize conditions. A negotiated settlement emerges through indirect talks, mediated by Oman, with Iran accepting concessions on maritime security and nuclear constraints in exchange for phased sanctions relief and assurances against further strikes. Iran seeks a revised Strait of Hormuz security framework and limited economic concessions, though broader demands such as reparations are only partially addressed. The Strait of Hormuz fully reopens under agreed security mechanisms, restoring stable shipping and energy flows. Sanctions ease gradually, enabling reintegration of Iranian energy exports and limited foreign investment. Military activity declines sharply, cyber operations reduce, and global energy markets stabilise, easing inflationary pressures and improving financial conditions.

Likelihood

Low probability: Requires significant concessions from one side under sustained pressure.

Business Implications
Priority Actions (0-90 days)
Operational: Supply chains stabilize, enabling efficiency gains and reduced redundancy
Monitor stabilization signals and time market re-entry strategically
Financial: Lower energy prices ease margin pressure and improve access to capital
Secure long-term energy and supply contracts at favorable prices
Competitive: Early movers capture growth opportunities in recovering markets
Re-optimize supply chains and reduce excess redundancy
Legal: Sanctions easing reduces compliance burden and enables cross-border activity
Reassess sanctions exposure and compliance frameworks
Reputational: Stabilization and reinvestment strengthen stakeholder trust
Align growth and investment strategy to recovering regional markets

Wildcard Scenario 2: Iranian Regime Collapses

Key Drivers and Assumptions

  • Decades of political repression -> No viable alternative to Iranian regime
  • Sectarian and political unrest -> Protracted internal conflict
  • Targeting of leadership -> Regime instability and eventual collapse
Figure 13: Mass protests against the regime in December 2025 were brutally repressed (Source: Le Monde)
Figure 14: Displaced Syrians have lived in refugee camps for ten years, demonstrating the long-term impacts of internal conflict (Source: UNHCR)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

The Islamic Republic collapses, plunging the country into a civil war and complex humanitarian crisis.

The US and Israel’s persistent “decapitation strategy” weakens the regime to the point where it is no longer able to assert internal control. With no viable alternative, the country falls into a multiparty civil war made up of pro-regime, pro-democracy, and assorted regional and ideological militias. Food and fuel shortages are severe in certain regions. Refugee camps are built in Iraq while Europe’s asylum system faces overwhelming demands. The US claims Kharg Island in the chaos and asserts control over the Strait of Hormuz, mitigating international economic damage. However, the political instability gives pro-regime and other ideological groups a base for asymmetric operations, leading to persistent regional disruption. Cyber capabilities degrade amid internal fighting, though some hacktivist operations persist against a wider variety of ideological enemies. Damage to water and energy facilities sustained during the conflict exacerbates humanitarian crisis and slows recovery. Russia supplies military support to pro-regime factions, but not enough to significantly tilt the balance of power.

Likelihood

Long-term resilience of regime and viability of alternatives is unknown, making it difficult to assess likelihood with confidence.

Business Implications
Priority Actions (0-90 days)
Operational: Reduced reliability of just-in-time inventory models, especially for firms dependent on Gulf maritime corridors
Segment critical operations
Financial: Long-term increase in operational and energy costs
Harden sanctions and third-party controls
Competitive: Larger firms use stronger government relationships or balance sheets to secure logistics
Require an immediate review of regional dependencies, with backup routing and alternate sourcing plans for critical business lines
Legal: Export-control failures involving dual-use goods, technology, industrial inputs, or cyber tools
Ensure employee protection measures are ready across the region
Reputational: Activist or online campaigns tying the firm to foreign intervention or opportunism
Create a 90-day resilience plan including decision triggers for escalation or market withdrawal

Wildcard Scenario 3: Nuclear Crisis

Key Drivers and Assumptions

  • Protracted high-intensity conflict -> Increased likelihood of miscalculation
  • Location of facility -> Risks of radiological contamination spread by air and water
  • Diplomatic failures -> Inability to coordinate on response
Figure 15: Bushehr has not yet been a direct target, though missiles have landed near it (Source: Development Aid)
Screenshot 2026-04-08 at 4.38.23 PM.png
Figure 16: Weather patterns following the Chernobyl nuclear disaster spread radiological material affecting up to 6 million people (Source: UNSCEAR)

Wildcard: A low-probability, high-impact scenario that challenges existing assumptions

Missile strikes hitting a nuclear facility lead to a radiological incident, causing immediate global shock and rapid escalation.

A missile strike causes extensive damage to Iran’s Bushehr civilian nuclear power facility, causing radiological release with cross-border contamination. This occurs due to escalation, miscalculation, or degraded command and control. Immediate impacts include evacuation zones and disruption to regional energy supply. Emergency response efforts are delayed by ongoing conflict, limiting containment and extending environmental and economic damage. As a result, southern Iran and Gulf States experience long-term harm to drinking water supply and maritime food sources. The conflict also prevents long-term monitoring in Iran, which extends the long-term health and environmental damage from inadvertent exposure. Contamination further restricts maritime trade routes in the Gulf, while energy markets react sharply to both supply disruption and elevated systemic risk. Cyber and information operations amplify panic and misinformation.

Likelihood

Low probability, high impact: Risk of intentional or unintended strike increases under sustained conflict.

Business Implications
Priority Actions (0-90 days)
Operational: Disruption to regional operations and supply chains; site closures
Activate crisis management and continuity protocols
Financial: Extreme market volatility and energy price spikes
Protect personnel and account for regional workforce exposure
Competitive: Firms with geographic diversification gain advantage
Secure critical systems and prepare for sustained disruption
Legal: Emergency regulations, sanctions, and liability exposure increase
Identify alternative routes and supply chain contingencies
Reputational: Heightened scrutiny around safety, workforce protection, and response
Manage disinformation through strong crisis communications process

Understanding and Anticipating Venezuelan Government Actions

8 April 2026 at 02:00

Executive Summary

Venezuelan Acting President Delcy Rodríguezʼs policy decisions will affect economic and political stability in Venezuela in the coming months. Her approach will likely be shaped by a deep familiarity with the state security apparatus, her revolutionary identity, a demonstrated willingness to break from orthodoxy and seek coordination with Washington, an interest in restoring support for the ruling United Socialist Party of Venezuela PSUV, and a long memory for perceived slights. These principles, paired with changing local power dynamics after the January 3, 2026, United States US special operation to capture former Venezuelan President Nicolás Maduro and his wife, Cilia Flores, suggest Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning. At the same time, she will likely find ways to cooperate with the US in ways designed to preserve the rule of PSUV and her credibility with other members of the ruling coalition. Rodríguezʼs core objectives are very likely to preserve PSUV rule and resist an opposition-led transfer of power, while maximizing the economic benefits of reengagement with Washington, including sanctions relief, investment, and a possible economic recovery. This will likely contribute to Rodríguez governing in a manner that avoids high-risk moves that could fracture her coalition or trigger instability that undermines her utility to the White House. In this approach, the biggest internal threat she faces in the short term is very likely PSUV rivals, including Interior Minister Diosdado Cabello, and other military and economic elites who perceive US engagement as a direct threat to their interests. While it is impossible to predict every move the Venezuelan government may take, public and private organizations can better anticipate risks to stability and investments — such as resistance to US-supported reforms or evidence of internal divisions in the regime — by systematically monitoring the rhetoric and actions of Delcy Rodríguez, Diosdado Cabello, and other senior officials using the Recorded Future® Intelligence Operations Platform

Key Findings

  • The January 3, 2026, US operation provoked panic among Venezuelan elites and fueled deep uncertainty regarding the plan to succeed Maduro, which was only resolved when US signaling prompted Venezuelan institutions to confirm that Rodríguez would assume presidential duties.
  • Rodríguezʼs hold on power is threatened internally by rival PSUV figures, chief among them Interior Minister Diosdado Cabello and his network of allies across Venezuelaʼs security apparatus and among pro-government armed groups.
  • Externally, the main threats to Rodríguezʼs power stem from US leverage over Caracas, including US geopolitical aims to bring Venezuela further under Washingtonʼs influence as well as US officialsʼ stated pursuit of a transition and support for the opposition faction led by María Corina Machado.
  • To avoid a destabilizing rupture that could trigger US backlash, Delcy Rodríguez will very likely prioritize internal governability and economic stabilization, cooperating with Washington enough to see sustained sanctions relief while seeking to manage rather than expel hardline rivals from her coalition.
  • To preserve her own credibility and influence in Venezuela, Rodríguez is likely to pair compliance with Washingtonʼs demands with “face-savingˮ gestures that assert Venezuelan sovereignty, and to resist genuinely competitive elections unless economic gains materially improve the PSUVʼs electoral odds.

Assessing Current Dynamics in Venezuela

Over the past 25 years, US-Venezuela relations have worsened as Venezuela’s government actively sought to oppose US interests in the Western Hemisphere, deepened relations with US rivals around the globe, and became increasingly authoritarian. This began under the deceased former president Hugo Chávez, whose movement, known as “Chavismo,” has governed the country since 1999. After Nicolás Maduro took power in Venezuela following Chávez’s death in 2013, he accelerated the consolidation of power and the erosion of democratic institutions begun by his predecessor. The US responded by imposing financial and oil sanctions meant to limit Venezuela’s ability to profit from its vast oil reserves and sanctioning over 200 members of the Venezuelan elite. The US pressure campaign on Venezuela accelerated in late 2025 under President Donald Trump, who deployed a historic number of naval assets to the Caribbean.

This military campaign culminated at around 02:00 Venezuelan Standard Time (VET) on January 3, 2026, when US special forces carried out airstrikes and a surgical intervention into Venezuela as part of an operation to capture and extract Maduro and his wife, Cilia Flores, to face drug trafficking and terrorism charges in New York. These events were the most significant US military operation in Latin America since the 1989 invasion of Panama, and ratified a new US doctrine that emphasizes primacy and willingness to use all available tools (economic, diplomatic, and military) to advance US interests in the Western Hemisphere, as laid out in the 2025 National Security Strategy. In Venezuela, the events of January 3 precipitated the most impactful shakeup of the country’s political order in decades.

While Acting President Delcy Rodríguez has signaled an openness to working with US priorities, this cooperation is affected by active tensions among the ruling elite and longstanding mistrust between Washington and Caracas. Understanding the events of January 3, 2026, and the immediate aftermath is crucial to evaluating the state of play on the ground and in the bilateral relationship.

Uncertainty in the Immediate Aftermath of the US Operation

In the immediate aftermath of the January 3 operation, there was widespread uncertainty in Venezuela regarding the future of PSUV rule. While the constitutional line of succession makes clear that the vice president should assume power in the president’s absence, initial messages from Venezuelan officials emphasized solidarity with Maduro and Flores rather than offering clarity on the future of PSUV governance. There was no official public reaction to the operation from the Venezuelan government until 04:14 VET, when former Defense Minister Vladimir Padrino López published a video on social media condemning the attack. He stated that Venezuela’s military — the Bolivarian Armed Forces (FANB) — was declaring a national emergency and deploying at strategic points around the country and called for unity against “imperialist threats.” Statements from Venezuelan officials since then confirmed the raid but did not clarify the makeup of the Venezuelan government.

Figure 1: Venezuelan state TV broadcast showing Rodríguez presiding over a meeting of the

Council of National Defense (Source: Telesur)

The first clarity on Venezuela’s future leadership came from Washington. At roughly 11:50 EST (12:50 VET), US president Donald Trump gave a public address in which he explicitly stated that Washington would work with Rodríguez as it assumed a more direct role in overseeing the country’s energy and security policies. Trump also said that María Corina Machado, the most popular opposition figure in the country (who had been outside the country since December 2025 and is currently in Washington) did not “have the support within or the respect within the country” to rule. While Trump claimed that Rodríguez had been "sworn in," Rodríguez’s hold on power was not publicly ratified until 15:20 VET. At that time, state television aired footage of the Council of National Defense, a body made up of the main institutional leaders of the country, featuring Rodríguez chairing the meeting and Cabello, López, and National Assembly President Jorge Rodríguez (Delcy Rodríguez’s brother) present. It was not until roughly 22:00 VET that state media began circulating a decision from the Constitutional Chamber of the Venezuelan Supreme Tribunal of Justice (TSJ) that made clear that Rodríguez would assume the duties of the president. In its ruling, the TSJ invoked a Chávez-era precedent to overrule constitutional language that would otherwise require her to schedule an early election, effectively indicating that Rodríguez is very likely seeking a mandate until Maduro’s term ends in January 2031. Neither Rodríguez nor any other official has yet made this claim explicit, and US officials have suggested that new elections should be held before then. On January 5, she was officially sworn into office in a televised ceremony held in the National Assembly in the presence of key figures in the regime and diplomats from China, Iran, Russia, and Cuba.

US-Venezuela Relations Since January 3

Since January 3, the US has generally signaled support for a working relationship with Delcy Rodríguez, while making clear that Washington expects full cooperation with its energy and security priorities. In the immediate aftermath of the operation, President Trump told reporters that he might consider a second strike if Rodríguez did not cooperate, but then, on January 9, announced on Truth Social that he had “cancelled the previously expected second Wave of Attacks” in response to the Venezuelan government releasing a number of political prisoners. Since this announcement, Trump has sought to 1 convey that he and Rodríguez work closely together. On March 5, 2026, Trump posted on social media that Rodríguez is “doing a great job, and working with US Representatives very well.”

US Secretary of State Marco Rubio has also expressed a willingness to work with Rodríguez’s interim government, but provided more explicit emphasis on a transition as the ultimate end goal of US policy. Speaking to reporters on January 7, Rubio described the US approach as consisting of three main phases: stabilization, recovery, and transition. Stabilization, he stated, is needed to prevent Venezuela from “descending into chaos,” which would be avoided by US control over oil-sale proceeds. Rubio clarified that the “recovery” phase would be aimed at reopening the oil sector to US and other Western firms, and it would ultimately be followed by a “process of transition” that would include reconciliation among Venezuelans. This three-phase framing has been echoed by other US officials, although to date, no fixed timeframe for a transition has been made public. US officials have also said that severing Venezuela’s ties to Russia, China, Cuba, and other US geopolitical adversaries is a top priority in the relationship.

US-Venezuela coordination on energy policy appears to be advancing rapidly. On January 29, Venezuela’s PSUV-controlled National Assembly passed a reform to the country’s Organic Hydrocarbons Law, aimed at increasing autonomy for private companies involved in the country’s oil and gas industry. While the revised law continues to assert state ownership over hydrocarbon reserves, it broadens the mechanisms through which private companies can participate in upstream activity, including allowing private operators — via contracts with state-owned energy company Petróleos de Venezuela S.A. (PDVSA) or joint ventures — to assume operational control while retaining a share of production. The reform also introduces a much more flexible framework for royalties and taxes, which can be set on a case-by-case basis by the Ministry of Energy, with royalties of up to 30% and taxes of up to 15%. Previous windfall taxes have been eliminated in this reform.

US support for revitalized energy cooperation with Venezuela has been enthusiastic, and President Trump has actively encouraged US and other Western oil companies to invest as much as $100 billion in Venezuela. Two days after the passage of the Organic Hydrocarbons Law reforms, the US sent Chargé d’Affaires Laura Dogu, who leads the Venezuela Affairs Unit out of the US Embassy in Colombia, to Caracas, where she is tasked with overseeing the restoration of diplomatic ties with Venezuela. While Dogu has conveyed US support for closer relations, she has reiterated US support for an eventual transition. On February 2, she met with Rodríguez, and afterward posted on X that in the meeting she reiterated “the three phases that Secretary Rubio has outlined for Venezuela: stabilization, economic recovery and reconciliation, and transition.”

In the wake of the Organic Hydrocarbons Law reform, the US Treasury Department’s Office of Foreign Assets Control (OFAC) issued a series of general licenses allowing US and other Western companies to produce, refine, transport, and sell oil without seeking individual exemptions, effectively lifting sanctions that had previously restricted these activities (see Appendix A). These OFAC licenses mandate that any authorized transactions with Venezuela's government or state energy company PDVSA must follow US laws (with disputes being resolved in the US), and that payments to the Venezuelan government or any other Venezuelan sanctioned entity be made into a US-overseen fund. US support for energy investment in Venezuela was emphasized from February 11 to 12, when US Energy Secretary Chris Wright led a delegation to Caracas to meet with Rodríguez, becoming the highest-ranking US official to visit Venezuela in years.

Figure 2: US Energy Secretary Chris Wright examining crude oil at a PDVSA project site with Rodríguez (Source: Social Media)

Internal and External Threats Confronting Acting President Rodríguez

Since Acting President Rodríguez took over from Maduro in the immediate aftermath of the US operation on January 3, she has voiced support for cooperation with Washington — but her incentives to cooperate fully are very likely limited. Rodríguez is aware of Washington’s “three point plan” for Venezuela and is likely supportive of US plans to stabilize the country, lift sanctions, and promote investment. However, she is almost certainly seeking to preserve her rule and a government led by the PSUV, and will very likely resist any attempt to preside over a transition of power to an opposition-led government. Her ability to do so will very likely depend on her ability to consolidate power and manage potential spoilers within her own coalition, as well as her ability to deepen cooperation with US interests and demonstrate utility to the White House. In doing so, she faces a number of internal and external threats to her rule, which include challenges by rivals inside the ruling PSUV over the next six to twelve months, and pressure by Washington to hold new elections over the next twelve to twenty-four months.

Internal Threats to Rodríguez’s Rule

The main internal threat to Rodríguez’s power in the short term is other members of the ruling elite. She has steadily worked to consolidate power and secure the support of the military and intelligence services, but her support among the country’s political and economic sectors is far from settled. There are almost certainly key figures in the security forces, the business community, and in the ruling party who view Rodríguez, and her relationship with the US, as a challenge to the previous status quo and its associated privileges, economic arrangements, and patronage schemes. They may be concerned about their future influence, immunity

As Rodríguez continues to establish her rule, some of these individuals may seek to oppose her, either by seeking to derail or sabotage her rapprochement with Washington or by openly rebelling against her. In this context, an attempted palace coup cannot be ruled out. Her primary rivals include the following figures and networks, each of whom has a distinct power base and incentive to view Rodríguez as an adversary or rival:

  • Diosdado Cabello, Minister of Interior, Justice and Peace. Cabello is a senior power broker within the ruling party and has been the PSUV’s Secretary General since 2011. He has deep connections to the security services and hardline enforcement networks, including to pro-government armed paramilitary organizations known as “colectivos” (see Figure 3). State media has sought to downplay reported tensions between Cabello and Rodríguez, but Cabello’s incentives to undermine her are straightforward: Her consolidation of power threatens his influence over the party, the security apparatus, and his networks. He is also the only current cabinet member who was named in the unsealed drug trafficking indictment US prosecutors issued to capture Maduro, and he likely suspects that Rodríguez may eventually hand him over to the US.
  • General Vladimir Padrino López, former Minister of Defense. Padrino’s Lopez’s likely core incentive is to preserve the influence he accumulated after over a decade as the institutional head of the FANB, and to preserve the patronage networks he developed as the country’s longest-serving defense minister. He also likely seeks to protect himself and senior officers loyal to him from eventual prosecution for corrupt activities or involvement in repression, and therefore very likely views Rodríguez’s government as a challenge to longstanding FANB impunity. While there is no public evidence of any cracks between Padrino López and Rodríguez, it is very likely that he will resist meaningful reforms inside the armed forces
  • Major General Alexis Rodríguez Cabello, Director of the Servicio Bolivariano de Inteligencia Nacional (SEBIN). Cabello is a cousin of Diosdado Cabello and is believed to be close to him. As head of the primary intelligence service, Rodríguez Cabello has strong incentives to resist reforms that would expose him or his network to prosecution, and to preempt any purge that might impact him or his network.
  • Major General Iván Rafael Hernández Dala, former director of the General Directorate of Military Counterintelligence (DGCIM). Hernández Dala, a close confidant of Maduro, was head of DGCIM until replaced by Rodríguez in January 2026. He is also believed to be a longstanding opponent of both Rodríguez and Cabello, and of their respective factions in the PSUV. Even if sidelined from formal command, Hernández Dala likely retains networks inside the intelligence and security apparatus. He likely has incentives to undermine Rodríguez if he anticipates facing prosecution for past abuses, loss of status, or exclusion from any protection or economic deals between Washington and Caracas.
  • Business and Political Elites Tied to Maduro. Maduro and Flores dominated Venezuelan politics for nearly thirteen years. During that time, they cultivated a vast network of well-connected economic, military, and political elites that helped them sustain power. Many of them are not overtly tied to the Rodríguez siblings, and instead may be willing to ally themselves with rival factions to advance their own interests. Possible figures in this category include:
    • Tarek William Saab, Acting Ombudsman. Until his resignation in February 2026, Saab served as attorney general since 2017 and held significant influence over how the repressive apparatus was deployed, overseeing detentions and prisoner releases. Saab’s resignation was very likely forced, and he has clear incentives to resist any reform process that reduces his discretion or creates a credible path to independent investigations into past repression or corruption.
    • Nicolas Maduro Guerra, also known as “Nicolasito.” A member of the National Assembly and son of Maduro and Flores, Maduro Guerra is not one of the top PSUV powerbrokers in his own right but has played a crucial role in securing continuity by appearing publicly with Rodríguez and claiming she has his parents’ full support. Given lingering questions over internal Chavista involvement in the January 3 operation, he has leverage to complicate Rodríguez’s narrative and may seek to use it if he feels that his interests are threatened by the Rodríguez administration.
    • Alex Saab. Saab played a crucial role in facilitating sanctions evasion networks until his arrest by US law enforcement in 2020. Saab was later returned to Venezuela in a 2023 prisoner swap, and Maduro rewarded him by making him Minister of Industry and National Production. Rodríguez replaced him in January 2026, likely understanding that Saab was not palatable for US business interests, but Saab likely retains enough social capital within Venezuela’s private sector to pose a challenge to Rodríguez. This is the likely reason why Saab was reportedly detained by Venezuelan intelligence in February 2026, although his lawyer has maintained that he is not under arrest.
Figure 3: Illustration of key internal rivals of Venezuelan Acting President Delcy Rodríguez (Source: Recorded Future)

External Threats to Rodríguez’s Rule

US Pressure to Box Out Geopolitical Adversaries

In the short term, the most significant external threat that Rodríguez faces is a reversal of United States policy — either via renewed military or intelligence operations intended to force her removal, or through a more indirect pressure campaign meant to trigger a domestic fracture. A second US special forces operation to depose her outright is unlikely, but it remains a scenario Rodríguez and her circle will have to treat seriously, given the direct and disproportionate leverage that Washington currently holds over Caracas. More likely than further military action is the prospect of renewed pressure: the US can calibrate sanctions relief, revoke OFAC licences, and facilitate or block diplomatic recognition in ways that shape incentives and perceptions of the regime’s survivability among Venezuelan elites. Recent reporting suggests Washington is simultaneously pursuing deepened energy engagement while remaining skeptical about whether Rodríguez will fully align with US strategic demands, which increases the possibility of an abrupt shift away from Rodríguez if she does not deliver on US priorities.

A major fault line in the US-Venezuela relationship is Venezuela’s ongoing relationships with US geopolitical adversaries, namely China, Russia, Iran, and Cuba, even as the US has increasingly sought to box them out of Venezuela. US officials publicly demanded that Venezuela cut ties with adversary nations and have actively moved to push them out. The US has successfully pressured Venezuela to end fuel shipments to Cuba, and OFAC general licenses intended to facilitate Venezuelan oil and gas activity explicitly do not authorize transactions involving Russian, Chinese, or Iranian entities. In spite of this, Rodríguez has sought to publicly demonstrate an interest in retaining these partnerships.

Opposition Efforts to Limit US-Venezuela Engagement

Another short-term external threat to Rodríguez is opposition figure María Corina Machado. While she remains the most popular opposition figure in Venezuela, and her faction has a demonstrated capacity to organize protests on the ground, these have so far not presented a significant threat to stability or to PSUV governance. Her presence in Washington since December 2025, however, has provided her with a major platform to directly shape the US foreign policy debate over Venezuela. With Machado and close advisors operating from Washington, she has advanced a narrative publicly supportive of the US agenda while privately calling on allies in Congress and in the international community to press for a clearer timetable for new elections and the ouster of the PSUV. She has also used her platform to promise she will return soon, and to highlight perceived inconsistencies between Rodríguez’s actions and her rhetoric, noting, for instance, the gap between the government’s claimed political prisoner release numbers and the figures cited by independent rights organizations.

Figure 4: Photo of Venezuelan opposition leader Maria Corina Machado at a rally ahead of the 2024 presidential election (Source: Reuters)

Machado has received strong support from bipartisan lawmakers in the US House and Senate, who have questioned US engagement with Rodríguez. While Machado’s efforts to raise the political cost of engagement with the Rodríguez government have earned her support from some allies in Washington, the White House has reportedly expressed frustration with her criticism, with officials claiming it undermines US policy. These efforts very likely represent a lesser threat to Rodríguez’s hold on power, given White House insistence on working with Rodríguez, but introduce persistent uncertainty into the sustainability of US support for her.

Calls for a Competitive Election

Beyond these immediate pressures, the most important mid-term threat to Rodríguez and to future PSUV rule is the election timeline reportedly being promoted by the Trump administration. While the US has refrained from presenting a specific timetable, officials ranging from Chargé d’Affaires Dogu to Secretaries Rubio and Wright have increasingly signaled publicly that the US expects to see new elections in the next eighteen to twenty-four months. The specifics of these elections, like whether they would be only presidential or include broader general elections (to replace the PSUV-dominated National Assembly), have not been disclosed, but the US insistence on elections in some form very likely forces Rodríguez to reconcile her approach to coalition management with a desire to seek electoral legitimacy on a compressed timeline.

At the moment, Rodríguez, her inner circle, and PSUV elites almost certainly view a competitive presidential election as an existential threat. Polls have repeatedly demonstrated that the PSUV is unpopular. While Rodríguez is the most popular figure in the PSUV, she would very likely lose a presidential race with Machado by a two-to-one margin, and Machado would very likely defeat any PSUV candidate absent a significant shift in public opinion. Maduro’s removal has not automatically revived grassroots loyalty to the ruling party, with local PSUV leaders describing fractures, demobilization, and severe drops in participation inside local party structures since January 2026.

Given the PSUV’s lack of legitimacy, US support for elections will likely become a flash point in the relationship with Rodriguez. These tensions will also very likely be exacerbated by opposition mobilization inside the country and Machado’s efforts to marshal support in Washington. While US authorities have not yet demanded that Machado be allowed to return to Venezuela (and has reportedly asked her to delay any plans to this effect), her return is almost certain to occur well in advance of an election as she has openly said she will run. The temporary re-arrest of opposition figure Juan Pablo Guanipa in February after he began organizing anti-government rallies suggests the ruling party will likely seek to use the repressive apparatus to restrict Machado’s campaigning efforts, elevating the likelihood of pre-election instability. Even if a competitive election is held under the PSUV, the experience of the July 2024 election suggests that the ruling party is unlikely to recognize the results if the opposition wins, raising the likelihood of post-election instability, protests, and violence.

Delcy Rodríguez’s Origins and Principles of Her Approach to Decisionmaking

Before her emergence in recent years as the face of relative economic pragmatism in Chavismo, Delcy Rodríguez’s background was not well-known internationally. But her rise to power reveals a number of factors that likely inform her approach to governance and likely impact the prospect for political and economic stability moving forward. These include:

  • Familiarity with Venezuela’s Intelligence and Repressive Apparatus: In addition to her reputation as an economic reformer, Rodríguez likely has a deep familiarity with intelligence work that, according to state media, goes back to the Chávez years. In 2002-2003, she reportedly worked with the SEBIN’s predecessor agency, the Dirección General Sectorial de los Servicios de Inteligencia y Prevención (DISIP), on undisclosed counterintelligence work involving “geopolitical reports” with former DISIP head Eliezer Otaiza. From the time she rose to the office of Executive Vice President in 2018 until 2021, the SEBIN technically fell under her office. While there is no publicly available evidence that she explicitly directed SEBIN-led repression of dissidents, her role likely afforded her a deep familiarity with the main Venezuelan intelligence agency’s response during the government’s crackdown on the post-2018 election protests and the 2019 protest wave led by opposition figure Juan Guaidó. It is likely that she was, at a minimum, aware of acts of torture, extrajudicial executions, arbitrary detentions, and other alleged human rights violations and crimes against humanity since 2014 that have been credibly documented by the Independent International Fact-Finding Mission on Venezuela created by the United Nations (UN) Human Rights Council.
  • Identity Shaped by Revolutionary Politics: Rodríguez was born in Caracas in 1969 and grew up in a politically active left-wing family. Her father, Jorge Antonio Rodríguez, founded an armed urban guerrilla group and was killed in police custody in 1976, allegedly under interrogation. His death made him a martyr among the Venezuelan left, which cemented the revolutionary identities of Rodríguez and her older brother Jorge from an early age. Rodríguez has framed her decision to study law as an effort to “do justice for her father’s case,” and both she and her brother routinely cite his death as a justification for their support for Hugo Chávez and the movement he founded. In public, Rodríguez has repeatedly expressed strong support for the ruling party’s socialist ideology. In a September 2019 address to the United Nations General Assembly, she criticized “capitalist supremacism” and ended with a call to “save the world from capitalist violence.”
  • Willingness to Break from Ideological Purity: In practice, Rodríguez’s rise demonstrates that she is open to abandoning ideological purity in order to accomplish her objectives. Unlike Maduro and other ruling party figures who developed close personal ties to Chávez, she had a notoriously poor relationship with the former leader and spent significant time outside Venezuela in her formative years. Rodríguez studied law at the Central University of Venezuela, but later pursued postgraduate studies abroad in labor law in London and Paris, and reportedly spent time in the United States. She speaks English and French. Rodríguez returned to Venezuela after an opposition-led failed coup attempt against Chávez in 2002, and first worked as an advisor in the Foreign Ministry, and then as Deputy Minister for European Affairs before ending up as Chávez’s Minister for Presidential Affairs. She did not last long in this position, however, and was abruptly dismissed after she reportedly argued with and insulted him during a presidential visit to Moscow. Rodríguez then adopted a lower profile in Venezuelan political life until Maduro took power, who made her his foreign minister in 2014. As foreign minister (2014-2017), president of the pro-government National Constituent Assembly (2017-2018), and then as executive vice president (2018-2026), she developed a reputation as a shrewd political operator and staunch Maduro ally.
  • Interest in Addressing PSUV’s Declining Popularity: Although Rodríguez was and arguably remains a Maduro ally, she has demonstrated a clear awareness of how the PSUV’s economic mismanagement has led to its declining popularity and has shown an interest in reversing it. Ahead of the 2018 presidential election, she briefly led a satellite party of the PSUV called the Movimiento Somos Venezuela (“We Are Venezuela Movement”) and served as its leader in a likely attempt to “rebrand” Chavismo and connect with a younger generation of Venezuelans. She was officially reincorporated into the PSUV’s leadership in late 2018 after her party failed to account for more than six percent of Maduro’s reelection vote. When Maduro made Rodríguez his Minister of Economy in 2020, she began to advance an agenda of relative economic liberalization, and brought on a team of Ecuadorean advisors to impose tighter fiscal discipline and stabilize the exchange rate, eventually promoting the de facto dollarization of the economy. The success of the policies contributed to a modest but important economic rebound and led Maduro to appoint her in 2024 as Energy Minister as well, a post she technically still occupies. In overseeing this economic agenda, she began to cultivate a reputation for herself as less of an ideologue and more of a pragmatist, and began to pursue closer relationships with major energy companies and other investors. This reputation almost certainly contributed to the US decision to engage with her government after removing Maduro.
  • Calculating Operator with Sense of Persecution: Rodríguez has a history of keeping track of past instances where she has been slighted, even referring to her support of Chavismo and of its revolution as her and her brother’s “personal revenge” for the death of their father. Rodríguez herself has alluded to this trait on state media. In a 2024 appearance on the Con Maduro Podcast, she recalled running into former Argentine President Mauricio Macri, a vocal critic of the Venezuelan government, at the 2022 World Cup in Qatar. Macri had recently been made the Executive Chairman of the FIFA Foundation, and, according to Rodríguez, she shook his hand and told him: "Did you see where you are now, and where we are? We're with the Venezuelan people. And you? You're here picking up balls.” Rodríguez is also a savvy operator, and her rise to prominence reflects not only her ability to deliver on economic policy objectives but also her ability to outmaneuver rivals. The best-known instance of this is her leadership of an anti-corruption campaign in 2024, which resulted in the imprisonment of former vice president, oil minister, and longtime rival Tareck El Aissami.
  • Openness to Dialogue with Washington: Even before the current rapprochement between Washington and Caracas, Rodríguez was known for consistently favoring a deeper diplomatic relationship with Washington — albeit one built on mutual respect. During the 2022 phase of exploratory talks in which the two countries negotiated sanctions relief in exchange for holding presidential elections in 2024, Rodríguez publicly maintained that the relationship “cannot be conditioned,” saying that Venezuela’s doors were open to any country that arrived “with respect” and treated it as an equal under international law. During this period, she specifically centered the importance of discussing US oil and gas interests in bilateral diplomacy, saying that Venezuela was willing to pursue “energy dialogue” with US firms, indicating a view of energy cooperation as a channel for de-escalating tensions.

A Framework for Anticipating Delcy Rodríguez’s Policy Decisions

When Delcy Rodríguez faces policy decisions that impact economic and political stability in Venezuela in the coming months, her approach is likely informed by the pillars described above: her revolutionary identity, tactical pragmatism, openness to US engagement, an interest in restoring popular support for the PSUV, a long memory for slights, and familiarity with the security apparatus, as well as the internal and external short- and mid-term threats to her rule. Given these factors, Insikt Group assesses that she is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while likely cooperating with the US in ways that preserve her credibility inside the ruling coalition. This matters for prospective investors because it suggests the Venezuelan government is likely to seek to maintain a pragmatic economic policy environment focused on short-term macroeconomic stability. At the same time, companies seeking to invest will almost certainly continue to face elevated sanctions compliance risks and potential policy reversals depending on the evolving Washington-Caracas relationship, making it critical to closely monitor Rodríguez’s evolving policy decisions and internal relationships.

Coalition Management over Open Confrontation with Rivals

Rodríguez will likely prioritize maintaining and reconfiguring her coalition over seeking conflict with internal rivals, because the external pressure she faces makes internal rupture more risky than compromise. Her main rival, Diosdado Cabello, has significant sway over the repressive apparatus and over pro-government armed “colectivos” loyal to him, and his removal could therefore provoke unrest and destabilizing violence. This is precisely the kind of chaos Washington has sought to avoid, and very likely why it opted to keep Rodríguez in place as interim president in the first place. She therefore likely assesses that purging, detaining, or otherwise sidelining Cabello or other top PSUV rivals could risk calling into question her ability to maintain order, and would undermine her position with Washington as a lynchpin of relative calm and continuity.

This is likely the reason that Rodríguez has sought to balance the ruling coalition since taking power rather than immediately shaping it to align with her preferences. Although she elevated her allies to higher positions in her government early in her tenure — such as appointing Calixto Ortega as Vice President of Economy — she has largely kept the ruling apparatus in place. Not only has she left a number of other figures close to Cabello in their positions, but she has also promoted figures in Cabello’s network. Just three days after Maduro’s capture, she named Gustavo González López, believed to be a Cabello ally, to lead both the Presidential Honor Guard and the Directorate General of Military Counterintelligence (DGCIM). On March 18, she also named González López to be her Defense Minister, replacing Padrino López. She also appointed Cabello’s daughter, Daniella Cabello, to be Minister of Tourism — a significant post that will afford her a direct role in reopening Venezuela to international commercial activity. These moves were likely taken out of a desire to effectively secure Cabello’s support for her economic normalization agenda.

Face-Saving Cooperation with Washington

Rodríguez will likely continue to cooperate with Washington’s energy priorities, but she will very likely pair this compliance with visible signaling aimed at saving face with PSUV loyalists. This is likely why, even as she has received high-level US officials in Caracas and even spoken with Trump over the phone, she has publicly demonstrated support for retaining partnerships with US adversaries. On January 8, for instance, Cuban Foreign Minister Bruno Rodríguez traveled to Caracas and accompanied the interim president to speak at a commemoration event at Venezuela’s Military Academy for the Cuban and Venezuelan casualties from the January 3 US operation to capture Maduro. This was Rodríguez’s first event in which she officially presided over a military ceremony as commander in chief of the armed forces. On the same day, state-run media reported that Rodríguez held a meeting with Chinese Ambassador to Venezuela Lan Hu, in which she thanked China for its support for Venezuelan sovereignty and described the encounter as “cordial.” The ambassadors of China, Russia, and Iran were given front row seats to Rodríguez’s January 5 swearing-in ceremony, and state TV broadcast images of the Venezuelan leader greeting them affectionately.

Figure 5: Screenshot of Venezuelan state TV broadcast showing Chinese ambassador Lan Hu, Russian ambassador Sergey Mélik-Bagdasárov, and Iranian ambassador Ali Chegueni were prominently seated at Venezuelan Acting President Delcy Rodríguez’s January 5, 2025, swearing-in ceremony (Source: Telesur)

Such gestures will very likely continue as they offer Rodríguez a way to preserve credibility among PSUV elites and everyday party faithful. She can claim that her rapidly evolving relationship with Washington is a sovereign decision that improves stability and living conditions, rather than a relationship that is shaped by a drastically uneven playing field. As part of presenting an image of mixed compliance with Washington’s demands for Venezuelan audiences, she will almost certainly continue insisting that Maduro remains the legitimate president and demand his return, even as she works to consolidate her own power.

Leveraging Hardliners to Justify Non-Compliance

The internal rivalries identified above represent significant threats to Rodríguez’s legitimacy inside the PSUV and her claim to power, and attempting to balance her coalition while consolidating her control will almost certainly be a major challenge for Rodríguez. However, it is likely that Rodríguez will, over time, point to alleged hardliners to justify selective non-compliance with US aims, credibly or otherwise. Ultimately, it may be useful for Rodríguez to be able to point to ongoing tensions in her coalition or the prospect of instability as a way of warding off US pressure for an eventual transition or for competitive elections to be held. This justification is likely to lose credibility over time if she continues to consolidate administrative control and accumulate legitimacy, especially if she presides over significant economic gains amid US sanctions relief. Ultimately, the very steps that allow her to consolidate her rule may eventually be used by Washington to justify accelerating the end of it.

Resistance to Elections if Seen as an Existential Threat

Rodríguez’s past political experience and the PSUV’s record across more than 25 years of governing suggest the Venezuelan government will very likely seek to maximize political gain from any economic growth resulting from US sanctions relief and economic normalization. And while US officials have routinely conveyed that they expect elections to be held in the next two years, the Venezuelan government is almost certain to resist or sabotage elections unless it perceives that economic improvement has boosted the PSUV’s chances of winning a competitive election. Even then, the PSUV will very likely seek to use its control of government to activate patronage networks, divert public resources to politicized social programs, and attempt to present legal obstacles to opposition campaigning — just as it did in the lead-up to the 2024 presidential election.

Ultimately, this logic is consistent with how Chavista elites have historically conceptualized elections: In multiple instances of US-backed talks meant to offer sanctions relief in exchange for competitive elections, Venezuelan government negotiators routinely argued that elections can be considered “fair” only if voters can judge the government without the distorting economic effects of sanctions. If economic growth does not translate into a boost in popular support for the ruling party, Rodríguez will likely come under increasing pressure from rivals to resist a US-backed transition. It is therefore likely that democratization in Venezuela will be phased and gradual, not immediate, and will likely depend in large part on whether elements of the ruling elite see a viable future for themselves in the country as a possible outcome after alternating power.

Outlook

Over the coming months, Delcy Rodríguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while still finding ways to cooperate with the United States that preserve her rule and credibility inside the ruling PSUV coalition. In the short- to mid-term, the main challenge she faces is the threat posed by internal rivals who may feel threatened by her reforms. This makes her cabinet changes, and evidence of backlash among political and economic elites, crucial variables to watch. In confronting internal threats to her rule, she will likely pursue a strategy of coalition management over one of open confrontation. Even as Rodríguez continues to consolidate power and tries to keep hardline rivals contained, she will likely avoid high-risk moves that could fracture elite support and risk threatening her relationship with Washington.

In the short and mid terms, the main flashpoints will be US pressure to end Caracas’s relationships with Moscow, Beijing, and other US adversaries, as well as US pressure to hold competitive elections in the next two years and eventually to advance a political transition. Rodríguez and PSUV elites likely view a genuinely competitive presidential vote as an existential threat. As a result, the government is almost certain to resist or sabotage competitive elections unless economic improvement significantly boosts the PSUV’s electoral odds. Even then, it would likely use patronage, politicized social programs, and legal obstacles to constrain opposition campaigning and preserve an institutional advantage. This raises the prospect of instability both in the lead-up and in the aftermath of any elections, given the likelihood of opposition protests and an associated crackdown. Given these dynamics, any transition is more likely to be phased and gradual than immediate, with stability hinging on whether Rodríguez is able to consolidate support among the ruling elite and whether the broader Chavista coalition can see a viable future for itself under any eventual alternation of power.


Appendix A: 2026 OFAC Licenses Issued for Venezuela

Date Issued
Title (Hyperlink)
Scope
February 3, 2026
Authorizes US persons to export/reexport/sell/supply US-origin diluents to Venezuela even when transactions involve the Government of Venezuela, PDVSA, or PDVSA-majority entities, as long as contracts are governed by US law and disputes are resolved in the US
February 10, 2026
Authorizes “established US entities” to engage in transactions that are ordinarily incident and necessary to the lifting, export/reexport, sale/resale, supply, storage, marketing, purchase, delivery, transportation, and refining of Venezuelan-origin oil, including related logistics, even when the activity involves the Government of Venezuela, PDVSA, or PDVSA-majority entities
February 10, 2026
Authorizes OFAC to permit the provision from the US of goods, technology, software, and services needed for oil and gas exploration, development, production, and maintenance in Venezuela, even when transactions involve the Government of Venezuela and PDVSA
February 13, 2026
Authorizes transactions otherwise that are “related to the negotiation of and entry into” contingent contracts with the Government of Venezuela, PDVSA, or PDVSA-majority-owned entities — so long as the contract’s performance is expressly contingent on separate OFAC authorization
February 13, 2026
Authorizes transactions related to oil or gas sector operations in Venezuela conducted by specified companies and their subsidiaries, provided contracts are governed by US law (with disputes resolved in the US) and most payments to blocked persons (including taxes/royalties) are routed to specified US-directed deposit funds

Table 1: A list of OFAC general licenses issued since the passage of the Venezuela hydrocarbons law(source: US Office of Foreign Assets Control)

Latin America and the Caribbean Cybercrime Landscape

2 April 2026 at 02:00

Executive Summary

This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.

Key Findings

  • Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.
  • Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.
  • In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.
  • Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.
  • Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.

Background

In the aftermath of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks. Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today.

According to a World Economic Forum report, 13% of respondents in the LAC region expressed low confidence in their country’s preparedness to respond to significant cyber incidents. Despite significant progress in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce and the resources to sustainably harden their environments. Many LAC government networks hold large amounts of sensitive data but are deficient in their security best practices, leaving their systems vulnerable to cyberattacks. Large breaches are routinely circulated, recycled, and resold on dark web marketplaces, enabling identity theft, synthetic identity fraud, SIM swaps, and account takeovers, among other types of cybercriminality to flourish at a larger scale.

Although the LAC region has made significant technological advancements, particularly in the financial services sector, innovations are creating new challenges. The financial technology industry has introduced mobile banking applications, digital wallets, and instant payment systems. LAC countries face rising levels of cyber-enabled fraud in the financial sector because real-time payment rails have weaker identity verification controls, rendering social engineering attempts more effective. Instant payment systems, such as Brazil’s PIX and similar mobile banking platforms, have often been targeted by threat actors. With faster transaction speeds at higher volumes, detection and recovery efforts have become increasingly complex, making scams significantly more profitable and scalable.

The LAC region has the world's fastest-growing rate of disclosed cyber incidents, though many remain unreported. Only seven LAC countries have plans to protect their critical infrastructure from cyberattacks, and only twenty have Computer Security Incident Response Teams (CSIRTs). Despite 31 LAC countries having some form of legislation addressing cybercrime, many face skills shortages, creating barriers to enforcement. Limited law enforcement resources and unreliable interstate cooperation further delay investigation and prosecution, enabling threat actors to operate across jurisdictions with relative ease. A cultural perception that cybercrime carries low risk and offers high reward undermines the deterrent effect that reliable law enforcement action would otherwise have. This incentive structure, coupled with reduced stigma, encourages repeat offenses and recruitment, as reflected in the cybercriminal trends observed by Insikt Group in 2025.

Cybercriminal Activities in LAC

Throughout 2025, Insikt Group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. Cybercriminals routinely leveraged phishing for initial access, and among the most common methods seen was the search and collection of sensitive information directly from a compromised host's file system or databases. This technique is often a critical pre-exfiltration step used to obtain financial records, passwords, and other forms of personally identifiable information (PII), likely to conduct account takeovers or fraud. Insikt Group research found that cybercriminals have also begun evolving their TTPs to exploit near-field communications (NFC) to commit financial fraud and are using malware to target cryptocurrency wallets. Insikt Group intelligence indicates that cybercriminals are primarily interested in selling compromised databases and access methods, as well as participating in hacktivist collectives. In some instances, advanced persistent threats (APTs) have also begun to overlap their activities with cybercrime when targeting the region.

Cybercriminal Sources

Threat actors operating in or targeting the LAC region continued to rely on the infrastructure of established English- and Russian-speaking forums throughout 2025 (see Appendix A). Insikt Group identified Spanish- and Portuguese-language postings on several established dark web and special-access forums. Even though these sources are predominantly English- and Russian-speaking, these posts likely indicate a preference among threat actors targeting LAC to seek more established, traditional platforms for conducting business. Research showed that low to moderate-tier forums are most commonly used by threat actors based in or targeting LAC countries, possibly suggesting lower levels of sophistication, as higher-tier forums often require vouching, payment, demonstration of knowledge or technical abilities, and sometimes private invitation to gain access.

Insikt Group assesses that most communications between threat actors likely occur on encrypted messaging platforms such as Telegram, WhatsApp, and Signal due to speed, ease of access, and higher levels of trust among group members. Given the privacy-enhancing features of many of these platforms, collection efforts can become significantly more constrained. Telegram is predominantly used because it offers larger channel and group capacities, account creation is simple, it enables threat actors to leverage bot automation and support for their malicious activities, and content moderation is typically less stringent than on other platforms. By offering a path of least resistance, threat actors enjoy the added privacy that end-to-end encrypted messaging platforms provide without delaying their operations.

Financially motivated threat actors often advertise a variety of data types, including PII, financial data, login credentials, system access credentials, exploits and vulnerabilities, malware, ransomware, and hacking tutorials. In some instances, Insikt Group observed threat actors selling customer relationship management (CRM) access, virtual private network (VPN) access with domain user privileges and local administrator rights on a database server, and command-and-control (C2) access to LAC-based entities in 2025. Leveraging this access to information, cybercriminals may facilitate further crimes, including but not limited to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. Insikt Group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively low levels of sophistication, and are sought after by other cybercriminals.

Threat actors often target government systems because they contain highly sensitive data that can be profitable for scams, identity theft, or extortion. For instance, shortly after a tense general election, Ecuador’s legislature, the National Assembly, reported it had suffered two cyberattacks aimed at accessing confidential data and disrupting the availability of information services. In another example, threat actors exposed sensitive data on millions of Paraguayan citizens on the dark web; among the alleged exfiltrated data are national ID numbers, dates of birth, physical addresses, and health service records.

DarkForums was the primary dark web and special-access forum where Insikt Group recorded the most posts relating to cybercrime-related events in Spanish and Portuguese in 2025. This forum is an English-language, low-tier forum operated by English-speaking administrators, launched in March 2023, and is accessible via a clearnet domain. Additionally, DarkForums was observed hosting leaked databases and data breaches involving Spanish-speaking countries, with posts describing the compromise of thousands of records and credentials. Other forums, such as XSS, Exploit, RehubcomPro, Cracked, BreachForums 2, ProCrd, and CrdPro, were also among the top forums to contain posts in Spanish and Portuguese. Appendix A presents a sample of Spanish and Portuguese forum threads from these sources.

Cybercriminal Tactics and Attack Vectors

The LAC region has a long history of financially motivated cybercrime; as a result, Insikt Group observed in this analysis that threat actors continue to heavily target the financial sector. Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments. Threat actors deliver lures via malicious links that redirect to fake login pages and contain malicious attachments with embedded links. Many of these techniques are effective when targeting entities in the LAC region due to an overwhelming reliance on email and messaging applications for business, as well as a general strong trust in branded communications. Artificial intelligence (AI) has introduced more sophisticated methods into the cybercriminal ecosystem in LAC, lowering the barrier to entry for threat actors and significantly increasing the scalability of attacks through automation. AI helps threat actors create more effective phishing messages that could be generated in native Spanish or Portuguese, rendering them more convincing to the local target audience. The advent of agentic AI also presents new opportunities and attack vectors for cybercriminal groups to exploit and greatly facilitates cybercrime-as-a-service. Organized criminal groups have integrated AI into their operations to assist with drug smuggling, money laundering, cyber-enabled fraud, and malware development.

Throughout 2025, Insikt Group observed threat actors targeting the LAC region by compromising remote desktop protocol (RDP), VPNs, and web admin panels, and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. Based on data within the Recorded Future Intelligence Operations Platform, there are approximately 29,000 references to exposed LAC-related credentials on Russian Market. These exposed credentials are from domains belonging to the top organizations (by revenue) in the healthcare, government, and financial sectors across the five largest economies in LAC. Russian Market is one of the leading dark web marketplaces for the sale and distribution of infostealer logs. Most of these logs were from LummaC2 and then Acreed Stealer, consistent with what Insikt Group observed in its review of additional infostealer logs. It should be noted that many of the 29,000 exposed credentials are likely customers of these organizations and not necessarily employees, as Recorded Future does not have access to internal-facing employee domain addresses to search for exposed credentials; however, those can be added by an end user. Insikt Group assesses that these attack vectors were likely effective for infiltrating the systems of targets in the LAC region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. Insikt Group observed threat actors advertising carding tools, bulk SMS/Email blasting, SIM swapping, hacking assistance, and other similar services on Telegram channels.

In 2025, Insikt Group observed a rise in novel types of malware that actively leverage and exploit NFC. First identified by Threat Fabric, PhantomCard is an Android trojan, notably a variant of China-origin NFC relay malware-as-a-service (MaaS), primarily targeting banking customers in Brazil. PhantomCard enables relay attacks by obtaining NFC data from a victim's banking card and transmitting it to a threat actor's device to perform transactions at point-of-sale (POS) systems or ATMs. PhantomCard is distributed via malicious webpages that impersonate legitimate applications, prompting victims to tap their cards and enter their personal identification numbers (PINs) for authentication. Once credentials are fraudulently obtained, they are relayed to attackers.
Similarly, in late 2025, threat actors deployed RelayNFC, a mobile malware that targets contactless payment cards, in a phishing campaign targeting Brazilian users. This evolution in TTPs parallels the shift by threat actors from skimming magnetic stripe data to “shimming” Europay, Mastercard, and Visa (EMV) chip data in the payment fraud ecosystem, since unique cybercriminal solutions typically follow new security innovations.

Per the 2025 Cybercriminal Cryptocurrency Annual Activity Report, Insikt Group consistently observed activity in which cryptocurrency wallets were targeted by various forms of malware, such as drainers, clippers, and miners, to steal funds. Given the persistent lag in cybersecurity measures in LAC and the rapid growth of the cryptocurrency market in the LAC region, its users may become attractive targets for cybercriminals. The top five countries in the LAC region that dominate the cryptocurrency ecosystem are Brazil, Argentina, Mexico, Venezuela, and Colombia. However, Brazil is the clear leader, accounting for a third of overall cryptocurrency activity. Insikt Group assesses that, as the mainstream adoption of cryptocurrency continues, threat actors will likely seek targets in these countries, as knowledge and security practices among the user base in these regions will likely be lacking. Additionally, as with threat actors in other regions of the world, those targeting LAC will almost certainly leverage this medium of exchange to transact and launder illicit funds. As countries continue to adopt new regulations and introduce new forms of cryptocurrency, we expect threat actors to identify new vectors for exploitation. As of 2025, Argentina, Brazil, Colombia, Ecuador, Paraguay, Trinidad and Tobago, Uruguay, and Venezuela are participating in INTERPOL’s inaugural pilot phase for the new Silver Notice, which will be published to “help trace and recover criminal assets, combat transnational organized crime and enhance international police cooperation,” likely including cryptocurrency assets if linked to criminal proceeds.

Advanced Persistent Threats (APTs) and Cybercrime

Throughout 2025, Insikt Group observed a rise in APT activity targeting the LAC region using traditional cybercriminal methods, such as phishing and ransomware. This suggests some APT groups may also have financial motivations extending beyond seeking strategic geopolitical influence. Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing. TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs) in campaigns blending espionage and financial motives.

Insikt Group assesses that some Chinese state-sponsored activity is likely aimed at protecting economic investments in the region, such as the Belt and Road Initiative (BRI), sovereign loans, and widespread commercial interests. In addition to the above APT groups, Chinese state-sponsored groups are also targeting entities in LAC countries. TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile. Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions. This activity may signal that China is seeking to retain influence in the LAC region through cybercriminal means or is interested in financial gain.

Hacktivism

The LAC region has repeatedly experienced periods of complex political and social unrest fueled by debates regarding economic reforms, corruption, and inequality. Unlike financially motivated cybercrime, hacktivism tends to be political or ideological, and these tense conditions can create an environment where hacktivism spikes. In late 2025, Insikt Group noticed increased activity from Chronus Team, a hacktivist group known for defacement attacks and data leaks aimed at exposing security vulnerabilities, primarily targeting organizations in Mexico. The threat group leverages Telegram channels for communication and propaganda. It has loosely aligned with other hacktivist and cybercriminals groups, such as Elite 6-27 and Sociedad Privada 157, to gain attention and increase its reputation. Insikt Group observed another trend where several hacktivist groups began transitioning to ransomware-as-a-service (RaaS) for financial gain. One such hacktivist group, “FiveFamilies”, functions as a collective of several groups; some of their targeted entities included those located in Cuba and Brazil.

Figure 1: Chronus Team hack and web defacement of the website for the budget transparency for the municipality of Hermosillo, Sonora, Mexico (Source: Social Media)

Malware Trends

In 2025, Insikt Group observed elevated ransomware activity targeting organizations in the LAC region. Additionally, banking trojans also remained a prominent issue affecting LAC countries, with Insikt Group noting an uptick in campaigns specifically leveraging WhatsApp for delivery. Infostealers remained a popular initial access enabler in the LAC region. Botnets have grown in the region largely due to small office/home office (SOHO) devices, such as routers and other internet-of-things (IoT) appliances with weak security, outdated firmware, and a reliance on default credentials. Botnet activity can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential IP addresses, and the enabling of distributed denial-of-service (DDoS) attacks. Insikt Group also observed threat actors targeting payment terminals in 2025 with ATM and POS malware.

Ransomware

In 2025, Recorded Future’s Global Ransomware Landscape Dashboard recorded 452 ransomware incidents impacting the LAC region out of 7,346 total globally, based on all publicly known ransomware victims listed on associated ransomware blogs. Attacks on entities in the LAC region constituted just over 6% of all global ransomware attacks in 2025. The top five industries most impacted by ransomware in the LAC region in 2025 were Healthcare (36 attacks), Manufacturing (49 attacks), Government (28 attacks), Information Technology (21 attacks), and Education (20 attacks), as demonstrated in Figure 3. Insikt Group research on ransomware in the LAC region covers 27 of the 33 constituent countries. Insikt Group did not obtain ransomware data from Antigua and Barbuda, Belize, Cuba, Saint Kitts and Nevis, Saint Lucia, or Suriname in 2025.

Figure 2: Global Ransomware Landscape Dashboard view of attack metrics for the top five ransomware groups impacting LAC in 2025 (Source: Recorded Future)
Figure 3: Global Ransomware Landscape Dashboard view of attack metrics for the top five most impacted industries in LAC in 2025 (Source: Recorded Future)

Insikt Group observed an increase in ransomware activity across all major industries in LAC compared to the prior year. Insikt Group specifically examined ransomware attacks against financial, government, and healthcare entities across the LAC region and identified the following: 16 attacks targeting the finance sector, 28 attacks targeting the government sector, and 36 attacks targeting the healthcare sector. Appendix C highlights a sample of these ransomware attacks.

Regarding LAC countries, the top five countries most impacted by ransomware in the LAC region in 2025 were Brazil (128 attacks), Mexico (78 attacks), Argentina (63 attacks), Colombia (51 attacks), and Peru (27 attacks). These countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. Insikt Group found that the majority of ransomware groups leverage double extortion. This extortion technique involves encrypting a victim’s data, exfiltrating the data, and then threatening to publicly leak the data on the ransomware group’s name-and-shame blog if a ransom is not paid. Recorded Future assesses countries by network intrusion and ransomware targeting risk every quarter to provide awareness and help organizations assess risk exposure. Takeaways from the top five impacted countries based on metrics and analysis from Recorded Future include:

  • Brazil’s network intrusion risk score increased from Medium to Very High, and Brazil’s ransomware targeting risk score remained Medium by the end of 2025. Brazil was the most targeted country in LAC and among the top ten countries worldwide impacted by ransomware in 2025, with a total of 130 victims.
  • Mexico’s network intrusion risk score increased from Very Low to Low, and Mexico’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Notably, data was leaked relating to a Mexican government entity on the dark web name-and-shame extortion website, Tekir Apt Data Leak Site.
  • Argentina’s network intrusion risk score increased from Very Low to Low, and Argentina’s ransomware targeting risk score increased from Low to Medium at the end of 2025. Insikt Group observed that Argentina was targeted by a new rust-based ransomware “RALord”.
  • Colombia’s network intrusion risk score increased from Low to High, and Colombia’s ransomware targeting risk score remained low with no observed changes at the end of 2025. Colombia’s financial sector was impacted by the ransomware group Crypto24, which posted victims' names on its blog.
  • Peru’s network intrusion risk score increased from Very Low to Low, and Peru’s ransomware targeting risk score was low with no observed changes at the end of 2025. A pharmaceutical company headquartered in Peru was named as a victim on the Dire Wolf Blog.
Figure 4: Global Ransomware Landscape Dashboard view of the most affected countries in LAC in 2025 (Source: Recorded Future)

Banking Trojans

According to the Global System for Mobile Communications Association (GSMA), in 2024, approximately 64% of the LAC population used mobile internet; it is projected that this will increase to nearly three-quarters by 2030. Increasing internet penetration and high cell phone subscription rates in LAC signify a rising reliance on mobile devices, likely making them more appealing targets for threat actors. Android remains the predominant operating system (OS) of mobile devices in South America with an 84.59% market share. Android devices may support more sideloaded applications (links and Android application packages [APKs] from social media or third-party stores) than Apple iOS, which typically has tighter ecosystem controls, and Android users may be running older OS versions, thereby making Android devices attractive targets for cybercriminals. The Android ecosystem grants developers more freedom to list apps within the Google Play Store, and the vetting and verification process is less stringent, allowing malicious APK domain mirrors to go undetected. In LAC, users may rely on mobile phones as their primary or only computing device, making them desirable initial access points for threat actors to deploy Android-based malware. According to the World Bank's Global Findex 2025 report, 37% of adults in the LAC region had a mobile money account as of 2024. Mobile banking, digital wallets, and QR payments are commonplace in the area. Based on the World Bank’s findings, Insikt Group assesses that persistent mobile banking malware targeting LAC is likely driven by rapid digital banking integration that has outpaced security controls and the expansion of MaaS ecosystems. Sophisticated localized social engineering attacks and disproportionate regional enforcement capacity are further accelerating this trend within LAC’s ever-evolving mobile financial landscape.

Insikt Group research reflected an increase in banking trojans targeting the WhatsApp platform in 2025. Brazilian authorities have, in recent years, focused their attention on disrupting banking trojans. A significant amount of crimeware in LAC consists of mobile banking trojans, though similar in many ways, they are not a monolith and differ in unique ways. Insikt Group analysis from 2025 reflects that, despite some law enforcement disruptions, banking trojans are still a prominent issue in the LAC region and will likely continue to be in 2026. Appendix D highlights the most active banking trojans across the LAC region in 2025.

Infostealers

Infostealers pose a persistent threat worldwide, and the LAC region is no exception. Insikt Group analyzed a small sample of the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors across the top five largest economies in LAC. Analysis showed that the most prominent infostealer threats observed in 2025 were LummaC2, Vidar, Rhadamanthys, RedLine, and Nexus. This is despite multiple law enforcement operations under Operation Endgame conducting takedowns impacting Rhadamanthys and LummaC2.

Figure 5: Infostealers infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

LummaC2 was undoubtedly the most active infostealer targeting entities in the LAC region despite being targeted by law enforcement. LummaC2 has been discussed in several news sources and Telegram chatter as targeting users in Argentina, Paraguay, and Mexico. Cybercriminals deploy LummaC2 to obtain victim credentials to carry out financial fraud and cryptocurrency theft. Insikt Group conducted research into LummaC2 affiliates and identified a likely Mexico-based threat actor operating under multiple aliases linked to Lumma build ID “re0gvc”. In mid-2025, law enforcement took measures to disrupt LummaC2; the operation effectively led to the takedown of approximately 2,300 malicious domains integral to LummaC2’s infrastructure, Lumma’s central command, and associated criminal marketplaces. Shortly after this operation, it appears LummaC2 still had infected victims in several countries, including Brazil and Colombia, likely because sinkholing requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. More complete remediation would require patching and malware removal on affected systems, which is challenging to implement at scale when infected devices are spread across the world. However, Insikt Group observed a significant decrease in credentials exposed by LummaC2 in the second half of 2025, likely due to the success of the joint Microsoft and law enforcement operation, as well as the main threat actor being banned from Exploit.

Figure 6: LummaC2 infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

In the wake of the LummaC2 operation, Recorded Future detected an increase in Vidar infections during the latter half of 2025. This increase highlights threat actors’ ability to migrate between infostealers to facilitate their criminality despite disruptions.

Figure 7: Vidar Infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)

Botnets

Botnet activity has grown steadily in the LAC region, enabling financial fraud, spam distribution, credential harvesting, initial access for ransomware and large-scale DDoS attacks targeting financial and government institutions. Botnets remained a priority for international law enforcement in 2025. For example, the ongoing Operation Endgame aims to hinder threat actors' remote-control capabilities by dismantling ransomware and other malware infrastructure. Emerging in late 2025, Kimwolf, also known as AISURU, is a botnet that targets compromised streaming devices. News reporting and dark web chatter indicate many of the devices infected with Kimwolf are based in Brazil, India, the US, and Argentina. Additional reporting suggests a threat actor involved with the AISURU botnet is likely based in Brazil. Horabot is a malware family and type of botnet first identified in June 2023, targeting Spanish-speaking users in six LAC countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. Horabot uses invoice-themed phishing emails to gain initial access to victims' systems.

Payment Terminal Malware

Threat actors also continued to target payment infrastructure for financial gain. ATM malware activity has continued to rise in LAC, with some experts noting ATM malware attacks have spiked by 46% across LAC in 2025. For instance, Ploutus is a sophisticated malware family first detected in Mexico in 2013, which compromises ATMs by issuing unauthorized commands to their cash dispensing modules. In December 2025, the US Department of Justice indicted 54 individuals associated with the Venezuelan gang Tren de Aragua (TDA) for participation in a massive ATM jackpotting scheme that exploited Ploutus malware. Moreover, the POS malware MajikPOS, designed to infiltrate systems connected to POS terminals and extract magnetic stripe payment data from bank cards, remained an active threat to companies operating in Brazil.

Mitigations

  • Use Recorded Future’s Global Ransomware Landscape Dashboard: Recorded Future customers can proactively mitigate this threat by operationalizing the Recorded Future Global Ransomware Landscape Dashboard and leveraging the victimology tab to filter based on ransomware group, country, and industry of interest. Recorded Future customers can customize their own ransomware risk profile and establish alerts that align with their risk priorities.
  • Use Recorded Future’s Threat and Third-Party Risk Monitoring: Configure alerts in the Recorded Future Intelligence Cloud to track activity across Telegram channels, darkweb forums, and other platforms for proactive awareness. Use the Third-Party Intelligence module to assess risk exposure for current and future partnerships.
  • Update Legacy Systems: Threat actors, whether opportunistic or financially motivated, or both, often seek to exploit vulnerable systems. Organizations that rely on outdated technology stacks leave themselves exposed to preventable cyber threats and attacks.
  • Engage in Public-Private Information Sharing: To bolster regional collaboration and establish standardized best practices, coordinate with law enforcement, and create intelligence-sharing channels to enhance investigations and decrease incident response times.
  • Generate Awareness through Education: Advocating for digital literacy through university partnerships and scholarship in the LAC region will encourage good cyber hygiene and prepare for a stronger, more competent workforce. Enterprises can implement mandatory cybersecurity training during new hire onboarding and establish routine drills to ensure protocols are followed.

Outlook

Insikt Group has highlighted the most salient cybercriminal trends and methods observed throughout the LAC region in 2025. Threat actors conducted phishing and credential theft to gain and sell initial access to LAC organizations while often relying on dark web forums and end-to-end encrypted messaging platforms to communicate and monetize compromised data and access methods. Cybercriminals carried out elevated ransomware attacks against the healthcare, government, finance, and other critical sectors. Banking trojan and infostealer activity persisted throughout LAC despite law enforcement disruption attempts. Cybercriminals have proven to be adaptive and resilient, often capitalizing on immature or emerging businesses that lack the skills, tools, and personnel to prevent attacks. Small and medium-sized enterprises (SMEs) constitute over 95% of all businesses in LAC. SMEs are desirable targets for cybercriminals because they typically have limited resources and expertise, lack robust infrastructure, and have a high overreliance on third-party platforms. Insikt Group trend analysis supports these findings.

Absent regional harmonization of cybersecurity policies and best practices, LAC countries will likely continue to use fragmented incident response approaches, complicating cross-border cooperation and collaboration. For effective and sustainable protection of systems and information against cyber threats, LAC countries should focus on working together to establish standardized risk assessments and reporting mechanisms, protocols for information sharing to bolster timely remediation, and implement proactive “secure by design” principles. Possible approaches to accomplishing this may include increased investment in workforce development, participation in public-private partnerships, and the establishment of centralized cybersecurity management systems. Despite the lack of prominent Spanish- and Portuguese-language forums, it is likely that threat actors will continue to leverage traditional platforms and methods similar to those used by the English- and Russian-speaking cybercriminal underground. Based on current and historical data, we anticipate these trends will continue, and LAC will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026.

Appendix A: Sample Listing of Posts Targeting Entities in LAC Countries on Dark Web and Special Access Forums

Alleged Access or Leak
Source
LAC Country and Sector Impacted
Access to a Brazilian banking entity
XSS Forum
Brazil/Finance
VPN access to a Colombian bank
Exploit Forum
Colombia/Finance
Access to a leaked government database
DarkForums
Mexico/Government
Database access to the official government portal
Exploit Forum
Argentina/Government
Web shell access with root privileges for a healthcare provider
XSS Forum
Chile/Healthcare
Global VPN access to a healthcare network
RehubcomPro Forum
Brazil/Healthcare

(Source: Recorded Future)

Appendix B: Sample Metrics of the Top Five Ransomware Groups Impacting LAC in 2025

Group Name
Total Attacks (All Sectors)
Healthcare
Manufacturing
Government
IT
Education
Qilin (Agenda)
54
4
6
0
2
2
LockBit Gang (BITWISE SPIDER, DEV-0396, Flighty Scorpius)
29
2
3
1
1
4
Safepay
27
2
4
0
0
0
The Gentlemen
22
3
1
0
0
1
Kazu
21
0
0
17
0
2

(Source: Recorded Future)

Appendix C: Sample Data of Ransomware Incidents Impacting Healthcare, Government, and Financial Sectors in LAC Countries in 2025

Ransomware Group
Country
Sector
Safepay
Argentina
Healthcare
The Gentlemen
Brazil
Healthcare
Kazu
Colombia
Government
Kazu
Mexico
Government
Qilin (Agenda)
Ecuador
Finance
Qilin (Agenda)
Argentina
Finance

(Source: Recorded Future)

Appendix D: Trends from the Most Active Banking Trojans in LAC in 2025

Banking Trojan
Attributes
Activity in 2026
Grandoreiro
Spreads through phishing emails with seemingly legitimate documents, such as PDFs. Once on a device, it performs anti-sandbox checks, logs keystrokes, and communicates with C2 servers to exfiltrate sensitive banking credentials
New variants emerged with advanced evasion techniques, rendering them more effective at bypassing modern security measures
Crocodilus
Employs sophisticated tactics such as remote control capabilities, keylogging, overlay attacks to capture user credentials, and the ability to harvest cryptocurrency wallet seed phrases
Expanded operational reach by targeting users in Poland, Spain, Brazil, Argentina, Indonesia, the US, and India
Mispadu (URSA)
Employs sophisticated infection methods, including spam emails containing malicious PDFs that trigger multi-stage download processes that deploy the Mispadu payload after performing anti-sandbox and anti-virtual machine checks
Insikt Group created a YARA rule to detect Mispadu after analysis indicated the trojan had targeted several LAC banks
Astaroth (Guildma)
Distribution methods include spearphishing attacks and the use of compromised cloud infrastructure for hosting malicious content. Insikt Group conducted technical static analysis and detection using sigma rules
Resurfaced with a multi-stage campaign, “STAC3150”, involving WhatsApp session hijacking, credential theft, and persistence on compromised systems
SORVEPOTEL
Targeted Brazil in several campaigns; Insikt Group assesses that at least some SORVEPOTEL operators are likely Portuguese-speaking, based on language artifacts in the panels analyzed and consistent targeting of Brazilian victims; analysis of a notable campaign dubbed “Water Saci” indicates WhatsApp Web was used for distribution
Analysis of the new infrastructure tied to the SORVEPOTEL loader demonstrates that it has distributed Coyote and Maverick
Casabaneiro (“Mekotio” and “Metamorfo”)
Primarily targets financial institutions in LAC, leverages phishing emails that typically contain malicious URLs, which lead to ZIP archives or ISO files with payloads that execute PowerShell scripts designed for obfuscation and evading detection
Water Saci campaign targeting Brazilian financial platforms via WhatsApp propagation linked to Casbaneiro malware family
BBTok
Distribution methods that trigger infections via LNK files and exhibit advanced capabilities for credential theft and data exfiltration, leveraging techniques such as dynamic-link library (DLL) embedding within downloaded files and the use of legitimate Windows utility commands for evasion
A new tactic emerged where the primary delivery method was WhatsApp
Coyote
Primarily targets Brazilian users, capable of executing keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials; Coyote’s infrastructure is dynamic and hosted on various platforms, indicating robust evasion techniques by its operators
Coyote remained active in 2025 and was observed in a WhatsApp-based worm campaign that used self-propagating messages containing malicious ZIP archives that further distributed the malware
Herodotus
Distributed through smishing messages that lure victims into downloading malicious APKs; Herodotus has been observed primarily targeting users in countries like Brazil and Italy
Insikt Group analyzed a sample, where Herodotus impersonated a security application named “Modulo Seguranca Stone” in a campaign in Brazil

(Source: Recorded Future)

Panorama del cibercrimen en América Latina y el Caribe

2 April 2026 at 02:00

Resumen ejecutivo

Este informe brinda un resumen de las tendencias y los desarrollos en el ecosistema cibercriminal de América Latina y el Caribe (LAC) en 2025. Insikt Group identificó que los actores maliciosos que operan en la región de LAC o que la tienen como objetivo utilizan principalmente aplicaciones cliente-servidor y plataformas de mensajería con cifrado de extremo a extremo como Telegram, así como foros de la dark web y de acceso especial en inglés o ruso, para comunicarse y llevar a cabo sus actividades. Los actores maliciosos demuestran una mayor sofisticación en sus operaciones, ya que adaptan sus tácticas, técnicas y procedimientos (TTP) con el tiempo, pero siguen apoyándose principalmente en métodos tradicionales como el phishing y la ingeniería social, la distribución de malware, y el ransomware. A partir de nuestros análisis, determinamos que Brasil, México y Argentina son los países más atacados por cibercriminales financieros, probablemente porque son las economías más grandes de la región de LAC. Además, a partir de esta investigación, Insikt Group determinó que los actores maliciosos a menudo atacan industrias críticas, como las de salud, finanzas y gobierno, porque poseen datos de alto valor, afrontan urgencias operativas y, a veces, utilizan sistemas antiguos que pueden ser vulnerables.

Principales hallazgos

  • Insikt Group estima que el foro criminal DarkForums y la plataforma de mensajería Telegram son los principales medios de acceso especial utilizados por los actores maliciosos que operan en la región LAC o que la tienen como objetivo.
  • Los actores maliciosos que operan en la región LAC o que la tienen como objetivo suelen estar impulsados por motivos financieros y, a menudo, utilizan la ingeniería social, el ransomware y diferentes formas de malware móvil para obtener acceso inicial a las instituciones gubernamentales, de salud o financieras.
  • En 2025, Insikt Group registró 452 incidentes de ransomware que afectaron la región de LAC. Las cinco principales industrias afectadas fueron las de salud, fabricación, gobierno, tecnología de la información y educación; todas ellas observaron un aumento notable en los ataques en comparación con el año anterior.
  • Insikt Group identificó que los actores maliciosos usan troyanos bancarios, especialmente las variantes más establecidas. En particular, estos actores usaron troyanos bancarios en campañas de smishing dirigidas a usuarios de WhatsApp con el objetivo de acceder a datos financieros y robar credenciales.
  • Insikt Group identificó a LummaC2 como el ladrón de información (infostealer) más prolífico que afectó a organizaciones de la región LAC en el primer semestre de 2025, y a Vidar en el segundo semestre, tras la intervención de las fuerzas del orden contra LummaC2

Panorama do cibercrime na América Latina e Caribe

2 April 2026 at 02:00

Resumo executivo

Este relatório apresenta uma visão geral das tendências e desenvolvimentos no ecossistema do cibercrime na América Latina e Caribe (LAC) em 2025. O Insikt Group descobriu que os agentes de ameaças que operam na região da América Latina e Caribe (LAC) ou que a têm como alvo usam predominantemente aplicações cliente-servidor e plataformas de mensagens criptografadas de ponta a ponta, como o Telegram, bem como a dark web estabelecida em inglês ou russo e fóruns de acesso restrito, para se comunicarem e realizarem atividades. Os agentes de ameaças demonstram crescente sofisticação nas operações, adaptando táticas, técnicas e procedimentos (TTPs) ao longo do tempo, embora ainda dependam principalmente de métodos tradicionais, como phishing e engenharia social, distribuição de malware e ransomware. Com base na nossa análise, determinamos que Brasil, México e Argentina foram os países mais visados por cibercriminosos com motivação financeira, provavelmente por serem as maiores economias da América Latina e Caribe. Além disso, com base nesta pesquisa, o Insikt Group descobriu que os agentes de ameaças frequentemente visavam a setores críticos, como saúde, finanças e governo, pois esses setores detêm dados valiosos, enfrentam urgências operacionais e, às vezes, dependem de sistemas legados que podem ser vulneráveis.

Principais descobertas

  • O Insikt Group avalia que o fórum criminoso DarkForums e a plataforma de mensagens Telegram são os principais fóruns de acesso restrito e plataformas de comunicação usados por agentes maliciosos que operam na região da América Latina e Caribe ou que têm essa região como alvo.
  • Os agentes de ameaça que operam na América Latina e Caribe (LAC) ou que têm como alvo a região são geralmente motivados por interesses financeiros e frequentemente adotam engenharia social, ransomware e várias formas de malware em aparelhos móveis, a fim de terem acesso inicial a instituições governamentais, financeiras e de saúde.
  • Em 2025, o Insikt Group registrou 452 incidentes de ransomware que afetaram a região da América Latina e Caribe. Os cinco setores mais afetados foram saúde, manufatura, governo, tecnologia da informação e educação, que registraram um aumento considerável nos ataques em comparação ao ano anterior.
  • O Insikt Group continuou a identificar trojans bancários sendo usados por agentes de ameaças; os mais usados são as variantes já estabelecidas. Especificamente, os agentes maliciosos usaram trojans bancários em campanhas de smishing direcionadas a usuários do WhatsApp para terem acesso a dados financeiros e roubarem credenciais.
  • O Insikt Group identificou o LummaC2 como o ladrão de informações (infostealer) mais prolífico, afetando organizações na América Latina e Caribe no primeiro semestre de 2025; e o Vidar no segundo semestre, após a desarticulação das atividades do LummaC2 pelas autoridades policiais.

ClickFix Campaigns Targeting Windows and macOS

25 March 2026 at 01:00

Executive Summary

Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.

The clusters demonstrate significant operational variance in lure themes and infrastructure patterns, and highlight the technique's evolution, moving past simple verification by visually fooling victims with various fake challenges and demonstrating technical sophistication through operating system detection to tailor execution chains. Despite these structural differences, its operation is largely the same, showing that ClickFix’s core techniques work across platforms and only the social engineering lure needs to be adapted to the victim. Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal.

This living-off-the-land (LotL) approach allows malicious scripts to execute in-memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicates that ClickFix has transitioned into a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.

To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets.

Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation. Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.

Key Findings

  • Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.
  • While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).
  • ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system shells living-off-the-land binaries (LOLBins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system.

Background

First documented in late 2023, ClickFix has transitioned from a niche social engineering tactic to a cornerstone of the global cybercriminal ecosystem. ClickFix is a social engineering methodology that lures victims into manually executing malicious commands by masquerading as a necessary technical resolution for fabricated system errors or human-verification prompts. This technique represents an evolutionary shift from the FakeUpdates (SocGholish) model, prioritizing manual user intervention to evade the increasingly robust security features of modern web browsers and automated endpoint detection systems. In this context, the methodology embodies a "think smart, not hard" approach. The simplicity of relying on a manual user action makes it a potent defensive evasion tactic: bypassing typical browser-based security makes it difficult to detect, while the high number of threat actors using it makes it difficult to track across a fragmented threat landscape.

The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turnstile overlays. In some instances, malicious commands are not automatically pasted into the victim’s clipboard, but rather, victims are manipulated into copying and running the command manually. By leveraging a living-off-the-land (LotL) approach, threat actors manipulate users into executing these commands directly within trusted system tools like the Windows Run dialog box, PowerShell, or the macOS Terminal. This user-assisted execution allows malicious scripts to execute silently and bypass traditional browser and endpoint security perimeters.

ClickFix has been weaponized by a diverse spectrum of threat actors, ranging from high-volume initial access brokers (IABs) to sophisticated state-sponsored groups such as BlueDelta (aka APT28) and the North Korean group PurpleBravo. The methodology enables a repeatable and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer and Vidar, or remote access trojans (RATs) such as NetSupport RAT and Odyssey Stealer. These operations are frequently supported by highly adaptive, disposable infrastructure designed to maintain operational continuity even as individual domains are identified and blocked.

Technical Analysis

Insikt Group identified and tracked five emerging ClickFix clusters by leveraging the Recorded Future HTML Content Analysis dataset, which enables the systematic monitoring of embedded web artifacts. By pivoting on unique technical identifiers, including specific Document Object Model (DOM) hashes, hard-coded image source tags, and unique page titles, Insikt Group mapped ClickFix’s infrastructure and identified new malicious domains and infrastructure, facilitating the discovery of active domains and near real-time monitoring of cluster evolution.

Across the analyzed clusters, Insikt Group detailed the ClickFix commands victims were manipulated into executing on their systems. These commands relied heavily on LOLBins to achieve operational goals. By using LOLBins, threat actors leveraged native, legitimately signed executables to download malicious payloads to a victim's machine. Depending on the security implementation of personal machines or corporate endpoints, this methodology can effectively evade standard detections and foundational security principles.

ClickFix Clusters

Insikt Group identified five clusters (see Figure 1) that exhibited significant operational variance despite a shared reliance on the ClickFix social engineering technique. These clusters were defined by their infrastructure patterns and targeting approaches, ranging from logistics-themed lures to dual-platform selection logic. This indicates that the ClickFix methodology is being deployed across a fragmented ecosystem of threat actors, each tailoring the technique to suit their own delivery requirements and victim profiles.

These clusters were grouped based on observable patterns in infrastructure reuse, lure formatting, platform targeting, and operational adjustments over time. While core technical elements and delivery mechanisms overlap, each cluster maintained a distinct footprint within the broader landscape. Insikt Group categorized the activity into the following five clusters:

  • Intuit QuickBooks: Targeted impersonation of accounting software, often leveraging aged domains to bypass security filters
  • Booking.com: Used fraudulent domains to present fake verification portals
  • Birdeye: A large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating victims to use a malicious command to deliver NetSupport RAT.
  • Dual-Platform Selection: Used operating system detection to deliver platform-tailored lures and malware
  • macOS Storage Cleaning: Used counterfeit prompts mimicking macOS system optimization to trick users into executing encoded terminal commands
Figure 1: Overview of ClickFix and associated clusters (Source: Recorded Future)

Cluster 1: Intuit QuickBooks

Cluster 1 was observed operating from January 2026 to the time of writing, primarily targeting organizations through social engineering lures impersonating the accounting software Intuit QuickBooks. QuickBooks is widely used for tax preparation in the United States; given the campaign's active window coincides with the US tax season (typically January through April 15), Insikt Group assesses with moderate confidence that the timing was a calculated effort to target entities engaged in financial reporting. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages.

Cluster 1 Profile

Figure 2: Overview of ClickFix Cluster 1 — Intuit QuickBooks (Source: Recorded Future)
Table 1: PowerShell commands observed across Cluster 1

Cluster 1 Infection Chain

The infection chain begins when a victim lands on a ClickFix landing page. The page presents a fraudulent human-verification interface (see Figure 3) that instructs the victim to complete specific "verification" steps.

Figure 3: Intuit QuickBooks-themed ClickFix page (Source: Recorded Future Web Scans)

By interacting with the page, the victim unknowingly copies a malicious command to their system clipboard. The technique often results in execution through native system utilities, such as Windows Run dialog and PowerShell, leveraging LOLBins to evade traditional browser and endpoint-based security controls.

Upon pasting the command, an obfuscated PowerShell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke Invoke-RestMethod to the domain nobovcs[.]com.

Figure 4: Obfuscated PowerShell command executed in a hidden window, dynamically reconstructing and invoking code via iex (Source: Recorded Future)

This request triggers the retrieval of a short PowerShell stager (see Figure 5) that downloads a second-stage payload, bibi.php, saving it to the %TEMP% directory as script.ps1. This stager is the initial execution step that kicks off the NetSupport RAT installation.

Figure 5: Stager script to download second-stage script, bibi.php (Source: Recorded Future)

The bibi.php script is essential for the final deployment phase and for obfuscating on-disk artifacts. It contains a function called Get-RomanticName, which selects and combines strings from a thematic wordlist, including terms such as "Heart", "Soul", and "Desire", to generate a randomized folder name under %LOCALAPPDATA%, where the staging files are placed.

The script retrieves four primary files from nobovcs[.]com, detailed in Table 2.

Filename
SHA-256
at.7z
c0af6e9d848ada3839811bf33eeb982e6c207e4c40010418e0185283cd5cff50
lnk.7z
5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
7z.exe
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
7z.dll
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c

Table 2: Filenames and SHA256 hashes of the files downloaded from nobovcs[.]com (Source: Recorded Future)

The script uses 7z.exe to extract at.7z (protected by the password “pppp”), which contains the NetSupport RAT binary, neservice.exe. Persistence is established by hijacking Startup shortcuts; if no existing shortcut is detected, the script extracts lnk.7z to the Startup folder to ensure the payload launches automatically upon system reboot.

Following successful execution, the binary neservice.exe performs an HTTP GET request to gologpoint[.]com to initiate command-and-control (C2) communications. gologpoint[.]com resolves to the IP address 62[.]164[.]177[.]230.

Cluster 2: Booking.com

Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actor’s repeated use of a unique HTML title and consistent image files. Indicators of compromise (IoCs) tagged in this cluster can be seen in the Recorded Future HTML Content Analysis. The landing pages for this cluster use a counterfeit reCAPTCHA v2 challenge, requiring victims to select all photos containing a "bucket" (Figure 6). Insikt Group observed that the same challenge photos are presented in the same order across all analyzed pages.

Cluster 2 Profile

Figure 7: Overview of ClickFix Cluster 2 — Booking.com (Source: Recorded Future)
Table 3: PowerShell commands observed across Cluster 2

Cluster 2 Infection Chain

The process begins when a victim interacts with the fake challenge. Upon completing the challenge, the victim is redirected to a verification page where a malicious PowerShell command (see Figure 8) is copied to the system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT.

Figure 8: Command from the booking campaign that reaches out to the payload server (Source: Recorded Future)

The PowerShell command provided in script.ps1 (see Figure 9) executes with the -NoProfile and -ExecutionPolicy Bypass flags to evade standard logging and security restrictions. Following execution, the system pulls four staging files to a directory named DesireSpark Serenade. This directory naming convention is functionally identical to the "romantic" naming methodology observed in Cluster 1.

Figure 9: DOM file from checkpulse[.]com that details the command to be run on the victim machine, suppressing the protections normally in place to pull down the PowerShell command and execute it (Source: Recorded Future)

The primary staging mechanism relies on script.ps1 to pull secondary payloads from the staging server. In one analyzed instance, scripts originating from thestayreserve[.]com reached out to checkpulses[.]com to retrieve the files detailed in Table 4.

Filename
SHA-256
at.7z
397dcea810f733494dbe307c91286d08f87f64aebbee787706fe6561ed3e20f8
lnk.7z
5d821db386c7c879caeabf3e9f94c94a48eec6ec5a3a0efbae9d69da3f52c1db
7z.exe
43907e54cf3d1258f695d1112759b5457576481072cc76a679b8477cfeb3db87
7z.dll
b17c3e4058aacdcc36b18858d128d6b3058e0ea607a4dc59eb95b18b7c6acc7c

Table 4: Filenames and SHA256 hashes of the files downloaded from checkpulses[.]com (Source: Recorded Future)

The 7z.exe utility is used to extract at.7z, which contains the NetSupport RAT binary neservice.exe. Persistence is established by adding a link to the system Startup folder.

The domains observed across this cluster use a similar PowerShell command pattern. However, once the command is executed, the infection chain varies slightly with the staging infrastructure being called. In the cases of sign-in-op-token[.]com and the thestayreserve[.]com domains, the malicious command is identical in terms of pattern and organization, but the hard-coded dropper domain is bkng-updt[.]com and checkpulses[.]com, respectively.

While staging domains vary, the final payloads across this cluster converge on the same NetSupport RAT C2 infrastructure (Table 5).

Click Fix Domain
IP Address
Dropper
NetSupport RAT C2
sign-in-op-token[.]com
91[.]202[.]233[.]206

bkng-updt[.]com

77[.]91[.]65[.]144

hotelupdatesys[.]com

152[.]89[.]244[.]70

thestayreserve[.]com
91[.]202[.]233[.]206

checkpulses[.]com

77[.]91[.]65[.]31

chrm-srv[.]com

ms-scedg[.]com

152[.]89[.]244[.]70

Table 5: IoCs observed in the Booking.com infection chain (Source: Recorded Future)

Following installation, the malware from thestayreserve[.]com initiates communication (Figure 10) with chrm-srv[.]com and ms-scedg[.]com, both of which resolve to 152[.]89[.]244[.]70. The domain hotelupdatesys[.]com , resolves to the same IP address as the NetSupport RAT C2 for sign-in-op-token[.]com.

Figure 10: POST Request from sign-in-op-token[.]com showing NetSupport interaction (Source: Recorded Future)

Cluster 3: Birdeye

Cluster 3 was observed operating from May 2024 until the time of writing. Previously reported on by Insikt Group, this cluster uses infrastructure centered on domains incorporating the keyword "bird" to deliver its ClickFix lure pages, trackable in Recorded Future’s HTML Content Analysis. These lures spoof Birdeye, an AI marketing company, to manipulate victims into executing malicious commands.

Cluster 3 Profile

Figure 11: Overview of ClickFix Cluster 3 — Birdeye (Source: Recorded Future)
Table 6: PowerShell command observed across Cluster 3

Cluster 3 Infection Chain

The infection chain begins when a victim visits a compromised site and is presented with a Cloudflare-style CAPTCHA challenge. Upon interacting with the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastructure.

The command the victim is manipulated into running causes the victim’s device to reach out to alababababa[.]cloud to download a payload from hxxps[://]alababababa[.]cloud/cVGvQio6[.]txt. To further reduce suspicion, once the malicious command is executed, the victim is redirected to the legitimate birdeye.com website (see Figure 12).

Figure 12: The redirect to the legitimate Birdeye website (Source: Recorded Future)

Analysis of the JavaScript within the DOM for this cluster, provided in Appendix F, revealed insights into the threat actor's methods. A notable portion of the script uses seven obfuscated lines that are concatenated into a single string to be attached to the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (Figure 13).

Figure 13: Portion of JavaScript containing threat actor comments (Source: Recorded Future)

Furthermore, a comment written in Cyrillic at the beginning of the script translates to, "This should help bypass Cloudflare static analysis". This internal documentation suggests the threat actor is purposefully detailing their actions to refine bypass techniques against security scanners.

Historically, alababababa[.]cloud has been associated with the delivery of multiple malware strains, including Lumma Stealer and RedLine Stealer. The large volume of domains identified in this cluster, exceeding 40 unique entries, highlights the scale of the "run and repeat" model used to sustain this activity.

Cluster 4: Dual-Platform Selection

Cluster 4 was observed operating from March 2025 to the time of writing. This cluster is unique for its use of operating system detection to deliver tailored ClickFix lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided staging payload. One of the ClickFix pages used to analyze this behavior was macosapp-apple[.]com, hosted at IP address 45[.]144[.]233[.]192.

Cluster 4 Profile

Figure 14: Overview of ClickFix Cluster 4 — Dual-Platform Selection (Source: Recorded Future)
Table 7: Encoded commands observed across Cluster 4

Cluster 4 Infection Chain

The infection chain begins when a victim lands on a ClickFix page that instructs them to verify they are human (Figure 15).

Figure 15: ClickFix page identified in Cluster 4 (Source: Recorded Future Web Scans)
Figure 23: Landing page for mac-os-helper[.]com (Source: Recorded Future)

Once the Terminal is open, the victim is prompted to execute a multi-stage command that purportedly "finds and removes temporary system files".

In reality, these commands (see Table 9) use different encoding layers to hide their true intent; the first example decodes a hexadecimal string to reveal a Base64-encoded client URL (curl) instruction, while the second directly decodes a Base64 string to run an executable command. Both methods ultimately bypass simple pattern matching by obfuscating the malicious payload until execution.

Table 9: Encoded and obfuscated ClickFix commands for macOS (Source: Recorded Future)

As shown in Table 10, the revealed curl instruction uses a compound set of arguments, in this cluster, -kfsSL, to facilitate silent delivery. These flags ensure that Transport Layer Security (TLS) certificate checks are bypassed, server-side errors are suppressed, and the process remains hidden from the user's view while following redirections to reach the final payload domain.

Table 10: Decoded and deobfuscated ClickFix commands for macOS (Source: Recorded Future)

Based on historic evidence (1, 2) and forensic patterns, Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detailed in Table 11. Notably, while the domains varied, they were frequently observed behind Cloudflare to complicate network-level blocking.

Indicator
IP Address
ASN
First Seen
Last Seen
octopox[.]com
Cloudflare
Cloudflare
2026-02-06
2026-03-05
joeyapple[.]com
Cloudflare
Cloudflare
2026-02-04
2026-03-05

Table 11: C2 servers identified for the macOS cleaner campaign (Source: Recorded Future)

Copy Command Analysis

Insikt Group analyzed commands across the five clusters identified in this research. While the visual lures and impersonated brands vary between groups like Cluster 1 (Intuit QuickBooks) and Cluster 5 (macOS Storage Cleaning), the underlying execution logic remains consistent. This "run and repeat" methodology relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts.

The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12.

Stage
Action
Technical Intent
Obfuscated Input
Input of highly encoded or fragmented strings
Bypass static analysis and signature-based detection
Native Execution
Leveraging trusted system shells (zsh, bash, or powershell.exe)
Execute the initial stager using legitimate system binaries
Remote Ingress
Initiation of external requests to threat actor-controlled IPs or domains
Download secondary scripts or payloads from the staging infrastructure
In-Memory Execution
Piping downloaded content directly into an interpreter
Ensure no malicious files are initially saved to disk to evade endpoint security

Table 12: Standardized four-stage ClickFix execution pattern (Source: Recorded Future)

Insikt Group identified two primary command styles used in macOS-centric campaigns, such as Cluster 4 and Cluster 5, which are detailed in Table 13.

Technique
Observed Pattern
Defender Insight
Multi-Stage Encoding
Hex -> Base64 -> ZSH
The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting.
Persistence and Backgrounding
Use of nohup and the & operator
This ensures the malicious process continues to run in the background even after the user closes the terminal, providing persistence during staging.

Table 13: Observed tactics, techniques, and procedures (TTPs) for macOS and Linux (zsh and bash) commands (Source: Recorded Future)

Windows-based commands, particularly those observed in Cluster 1 and Cluster 2, exhibit a higher degree of sophistication through "Command Swizzling" and case randomization, as shown in Table 14.

Technique
Observed Pattern
Defender Insight
Parameter Obfuscation
Randomized casing and shortened aliases (for example, -wINDoW MiNI, -wi mi, or -w h)
Threat actors use these to evade security tools looking for literal strings like "Hidden" or "Minimized".
The "Golden" Pattern
Combining Invoke-RestMethod (irm) with Invoke-Expression (iex)
This allows for the seamless retrieval and execution of remote code entirely in memory. This combination is a high-fidelity hunt for ClickFix activity.
String Manipulation Deception
Using .Substring() or .Replace() to "build" commands
Clusters like Cluster 1 avoid explicitly typing iex to bypass static signature detections.

Table 14: Observed TTPs for Windows (PowerShell) commands (Source: Recorded Future)

Mitigations

To mitigate the threats posed by ClickFix social engineering and related living-off-the-land (LotL) techniques, Insikt Group recommends a defense-in-depth approach that combines proactive intelligence monitoring with aggressive hardening of native system utilities.

  • Operationalize HTML Content Analysis: Recorded Future customers should use the HTML Content Analysis source to monitor for impersonations of their brand, which are leveraged to deliver ClickFix. Leverage the Recorded Future Intelligence Operations Platform to monitor for unique web artifacts, such as specific Document Object Model (DOM) hashes and page titles, to identify new ClickFix domains in real time.
  • Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses and domains associated with ClickFix to block communication with malicious infrastructure.
  • Monitor Malicious Infrastructure Risk Lists: Continuously update security information and event management (SIEM) and endpoint detection and response (EDR) tools with Recorded Future Risk Lists to block traffic to identified staging and command-and-control (C2) domains.
  • Use Malware Intelligence: Leverage the Recorded Future Intelligence Operations Platform to hunt for indicators of compromise (IoCs) associated with payloads identified in this report, such as NetSupport RAT, Odyssey Stealer, and Lumma Stealer.
  • Leverage Network Intelligence: Use Recorded Future Network Intelligence to detect exfiltration events early (such as those linked to NetSupport RAT), which can help prevent intrusions before they escalate. This approach relies on comprehensive, proactive infrastructure discovery provided by Insikt Group and the analysis of vast amounts of network traffic.
  • Use Identity Module: Recorded Future customers should leverage the Identity Module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers.
  • Disable Windows Run Dialog via Group Policy Objects (GPOs): For corporate environments, disable the Win+R keyboard shortcut and the Run command in the Start menu via Group Policy Objects (GPOs). This significantly hinders the ClickFix execution chain, as victims are typically instructed to paste malicious commands directly into this dialog box.
  • Restrict Terminal and PowerShell Execution: Implement PowerShell Constrained Language Mode (CLM) and use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unassigned scripts and the misuse of living-off-the-land binaries (LOLBins). On macOS, restrict Terminal and other shell interpreters (for example, zsh and bash) using application control policies enforced via mobile device management (MDM), and leverage System Integrity Protection (SIP) and endpoint security controls to limit unauthorized script execution and abuse of native command-line utilities.
  • User Awareness and Training: Conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.

Outlook

The identification of five parallel operational clusters targeting diverse sectors, including accounting, travel, real estate, and legal services, indicates that the ClickFix methodology has transitioned from a niche technique to a standardized template within the cybercriminal ecosystem. This standardized "run and repeat" model is facilitating broader adoption by both lower-tier "traffers" and sophisticated advanced persistent threat (APT) groups. Threat actors are able to maintain operational continuity even when individual domains are blocked due to the availability of disposable infrastructure and shared technical templates.

Insikt Group assesses with high confidence that the ClickFix methodology will very likely remain a heavily used initial access vector throughout 2026. The continued success of ClickFix is driven by its ability to bypass advanced browser-based security controls by shifting the point of exploitation to user-assisted manual actions. As long as native system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits.

Looking ahead, ClickFix lures will likely become increasingly technically adaptive. Future iterations are expected to incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware, geographic location, or organizational profile. Furthermore, since threat actors are already purposefully documenting bypass techniques for static analysis engines within their code, Insikt Group anticipates a long-term trend toward more resilient and obfuscated staging environments. This convergence of sophisticated social engineering and LotL techniques necessitates a shift in defensive strategy, moving away from simple indicator blocking toward aggressive behavioral hardening of the system utilities that ClickFix relies upon.

Appendix A: Indicators of Compromise

Appendix B: Cluster 1 — Intuit QuickBooks Indicators

Domain
IP Address
ASN/AS
First Seen
Last Seen
mrinmay[.]net
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-21
2026-03-05
guypinions[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-20
2026-02-25
4freepics[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-20
2026-02-24
ariciversontile[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-20
2026-02-25
quiptly[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-20
2026-02-25
anthonydee[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-20
2026-02-26
ned.coveney-ltd[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2025-10-10
2025-11-20
grandmastertraders[.]traderslinkfx[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2025-12-01
2026-02-24
nhacaired88[.]com
193[.]58[.]122[.]97
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-10
2026-03-05
elive777a[.]com
94[.]156[.]112[.]115
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-02
2026-03-05
fomomforhealth[.]com
94[.]156[.]112[.]115
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-02
2026-03-05
suedfactoring[.]it[.]com
45[.]93[.]20[.]141
Chang Way Technologies Co. Limited (AS57523)
2026-01-30
2026-02-09
shopifyservercloud[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2026-01-10
2026-03-05
elive123go[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2026-01-09
2026-03-05
hostmaster[.]extracareliving[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2026-01-25
2026-03-05
orkneygateway[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2025-12-14
2026-03-05
ustazazharidrus[.]com
87[.]236[.]16[.]20
Beget LLC (AS198610)
2026-02-02
2026-03-05
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2026-01-09
2026-02-01
deinhealthcoach[.]com
193[.]222[.]99[.]212
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-16
2026-03-05
bancatangcode[.]com
193[.]222[.]99[.]212
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-16
2026-03-05
billiardinstitute[.]com
193[.]58[.]122[.]97
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-10
2026-03-05
yvngvualr[.]com
Cloudflare
Cloudflare
2025-04-06
2026-03-05
visitbundala[.]com
Cloudflare
Cloudflare
2025-03-10
2026-03-05
surecomforts[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2026-01-09
2026-03-05
theinvestworthy[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2025-12-13
2026-03-05
customblindinstall[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-21
2026-03-05
extracareliving[.]com
45[.]93[.]20[.]50
Chang Way Technologies Co. Limited (AS57523)
2025-12-14
2026-03-05
subsgod[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-21
2026-03-05
traderslinkfx[.]com
193[.]35[.]17[.]12
PLAY2GO INTERNATIONAL LIMITED (AS215439)
2026-02-21
2026-03-05

Appendix C: bibi.php Script

Appendix D: Cluster 2 — Booking.com Indicators

Indicator
IP Address
ASN
First Seen
Last Seen
sign-in-op-token[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-03-01
2026-03-03
thestayreserve[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-23
2026-02-24
accountpulse[.]help
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-16
2026-03-05
admin-activitycheck[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-22
2026-02-27
accountmime[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-21
2026-02-24
checkhelpdesk[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-18
2026-02-23
thepulseactivity[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-18
2026-02-23
checkaccountactivity[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-17
2026-02-23
account-helpdesk[.]top
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-15
2026-02-18
pulse-help-desk[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-13
2026-02-19
account-helpdesk[.]icu
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-10
2026-03-02
account-helpdesk[.]info
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-08
2026-02-11
helpdeskpulse[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-06
2026-02-09
account-help[.]info
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-08
2026-03-05
acconthelpdesk[.]com
91[.]202[.]233[.]206
Prospero (AS200593)
2026-02-05
2026-03-03

Appendix E: Cluster 3 — Birdeye Indicators

Indicator
IP Address
ASN
First Seen
Last Seen
acebirdrep[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
bebirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankbox[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankfx[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankgo[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankinc[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankllc[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankmax[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdranktip[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankup[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
birdrankus[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
birdrankusa[.]com
Cloudflare
Cloudflare
2024-05-16
2024-05-16
birdrankvip[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrankzen[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
birdrepbiz[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrepgo[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrephelp[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdreplab[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrepsys[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrepusa[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
birdrepuse[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
bitbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
bitbirdrep[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
fixbirdrank[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
getbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
gobirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
helpbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
helpbirdrep[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
infobirdrep[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
justbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
mybirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
nowbirdrank[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
optbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
probirdrep[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
topbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
topbirdrep[.]com
Cloudflare
Cloudflare
2024-05-17
2026-03-05
usbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2024-05-16
usebirdrep[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05
vipbirdrank[.]com
Cloudflare
Cloudflare
2024-05-16
2026-03-05

Appendix F: Birdeye Cluster Javascript

Appendix G: Cluster 4 — Dual-Platform Selection Indicators

Indicator
IP Address
ASN
First Seen
Last Seen
valetfortesla[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-11-12
2026-03-05
macxapp[.]org
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-18
2025-06-18
apposx[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-13
2025-06-24
cryptonews-info[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-18
2025-12-20
macosx-app[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-14
2025-06-16
cryptoinfnews[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-14
2025-06-30
macxapp[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-14
2025-06-16
cryptoinfo-allnews[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-13
2025-06-30
appxmacos[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-13
2025-06-30
appmacintosh[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-12
2025-06-13
macosxappstore[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-09
2025-06-30
macosx-apps[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-09
2025-06-11
cryptoinfo-news[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-06-08
2025-06-29
financementure[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-27
2025-06-30
appsmacosx[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-27
2025-06-09
appmacosx[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-27
2025-06-14
macosxapp[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-27
2025-06-09
macosapp-apple[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-25
2025-05-26
macapps-apple[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-23
2025-05-24
macapp-apple[.]com
45[.]144[.]233[.]192
Baykov Ilya Sergeevich
(AS41745)
2025-05-13
2025-05-23

2025 Year in Review: Malicious, Infrastructure

19 March 2026 at 01:00

Executive Summary

In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening
coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies,more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs). While many patterns identified in 2024 persisted, including Cobalt Strike’s dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025.

For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.

Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.

As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The “as-a-service” ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystem’s underlying economic and operational logic is expected to remain

intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law enforcement actions targeting malicious infrastructure, including coordinated takedowns and other disruption efforts.

Key Findings

  • Infostealers remained the primary infection vector in 2025, with malware-as-a-service (MaaS)offerings dominating. Vidar outperformed competitors, Lumma proved resilient despite law enforcement and doxxing pressure, and the wider ecosystem remained highly volatile.
  • Cobalt Strike retained clear dominance in OST detections (~50%) despite declining share, while Metasploit and Mythic held their positions. RedGuard, Ligolo, and Supershell expanded notably, and jQuery again led as the most prevalent malleable C2 profile by detections and geographic reach.
  • The malware ecosystem remained anchored in MaaS and open-source tooling across desktop and mobile, with AsyncRAT and Quasar RAT leading the RAT landscape, DcRAT and REMCOS RAT gaining share, and families such as XWorm, SectopRAT, and GOSAR entering the top tier, while Android dominated mobile activity (nine of the top ten families) amid rising use of mercenary spyware.
  • Droppers, loaders, and TDS remained dynamic but resilient in 2025, with high loader turnover following Operation Endgame 2024, driven by Latrodectus expansion and the rise of MintsLoader and GrayBravo’s CastleLoader, alongside sustained and widespread TDS activity linked to TAG-124, GrayCharlie, and other threat actors.
  • Lastly, in 2025, Insikt Group pivoted to identifying TAEs via the Threat Density List, highlighting high-risk networks such as Virtualine Technologies, often transiting via aurologic GmbH, that sustained operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions and law enforcement pressure.

Background

Insikt Group proactively identifies and monitors infrastructure linked to hundreds of malware families,threat actors, and related artifacts, including phishing kits, scanners, and relay networks. Through daily,automated validation using proprietary methods, Insikt Group delivers accurate risk representation,enabling Recorded Future customers to strengthen their detection and defense capabilities.

Building on Insikt Group’s annual malicious infrastructure reports from 2022, 2023, and 2024, this year’s report delivers a concise, data-driven overview of malicious infrastructure observed throughout 2025. While the percentages presented throughout the report are intended to provide insight into trends and the state of malicious infrastructure in 2025, it is important to note that Insikt Group continuously adds new detections for both existing and emerging families, which makes year-over-year comparisons imperfect.

This year, the focus continues to be on the synergy between passive infrastructure detection,
higher-tier infrastructure insights powered by Recorded Future Network Intelligence, and victim
identification. It also expands to examine trends across the ecosystem of TAEs that underpin cyber threats, including how sanctions against selected entities have reshaped that landscape. Overall, this report is intended for anyone interested in malicious infrastructure, providing a high-level overview of its current state along with summaries of key findings to support informed decision-making and offer a broad perspective on this rapidly evolving landscape.

Recognizing the challenge of categorizing malware types in a mutually exclusive manner due to their overlapping functionalities, this report establishes a set of malware categories to facilitate analysis, as detailed in Appendix A, with brief definitions for each. Notably, certain malware categories, such as crypters, have been intentionally excluded because they typically lack network artifacts.

Beyond examining malicious infrastructure through the lens of malware categories, Insikt Group also monitors it by type, assigning each a distinct risk score within the Recorded Future Intelligence Operations Platform®. This differentiation reflects varying levels of severity. For instance, network traffic to or from a C2 server in a corporate network may indicate a higher risk compared to the presence of a management panel, as the former typically implies active malicious activity. The infrastructure types defined by Insikt Group are detailed in Appendix B.

Download the full report

Preparing for Russia’s New Generation Warfare in Europe

24 February 2026 at 01:00

Executive Summary

Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.

Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full-fledged campaign likely consistent with a Russian military doctrine called New Generation Warfare (NGW). Putin will likely use this campaign to degrade NATO political unity and defense capabilities, reinforce Russia’s network of overt and covert assets across NATO, and optimize the physical and political environment, should Putin decide to launch a military incursion into NATO territory.

In a full-scale NGW campaign in NATO territory, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is more intentionally planned and aims to project Russian power and weaken European defenses on a systemic level. An NGW campaign would very likely involve Russia using the same tactics it is currently using, including sabotage operations, influence operations, territorial waters and airspace violations, and exploitation of some NATO states’ dependence on Russian oil and gas. The primary differences between Russia’s current operations in Europe and an NGW campaign would include greater geographic breadth of those operations; greater frequency of operations; and Russia likely using tactics simultaneously and in coordinated ways. For example, likely Russia-directed threat actors might use a drone to violate the airspace over a NATO state’s airport, forcing the temporary closure of that airport, coupled with a distributed denial-of-service attack on the airport’s internal communications system. Russia might then post a video of the incidents through one of its overt or covert propaganda outlets, arguing that they show NATO cannot adequately protect its aviation network.

An NGW campaign in NATO territory would very likely have significant implications for private and public sector entities, including degradation of critical infrastructure, reputational risk for individuals and companies named in Russian influence operation campaigns, and reduced public confidence in the government’s ability to ensure their safety.

Over the next three to five years, Putin will likely evaluate the feasibility of moving from an NGW-like campaign in Europe to a kinetic military incursion. Factors Putin would likely weigh when making such a decision include NATO military capabilities, the likelihood that the US would defend a NATO state if it were attacked, and Russian military capabilities. However, even if the necessary conditions for such an operation emerge, the probability of a proactive Russian military operation into NATO territory very likely remains low.

Key Findings

  • Russia’s hybrid warfare campaign in NATO territory between February 2022 and January 2026 has been increasingly aggressive, but likely opportunistic and not reflective of Russia’s full cyber, influence operations, and sabotage capabilities.
  • Putin likely views the next two years as an opportunity to test NATO’s defensive capabilities and prepare the physical and psychological environment, should he decide to launch a military incursion. Putin likely assesses that the 2028 US presidential election could lead to a US president more willing to commit US resources to NATO. As such, Putin likely views the next two years as an opportunity to exploit existing US-NATO tensions to weaken NATO’s unity and ability to defend itself.
  • Russia’s escalated aggression against NATO over the next two years is likely to have the hallmarks of a Russian military doctrine called New Generation Warfare (NGW), which combines sabotage operations, cyberattacks, influence operations, and other non-military actions to undermine the enemy’s confidence and prepare the physical and psychological environment, should Russia elect to escalate into a kinetic military campaign.
  • A full-scale NGW campaign would likely involve an intensified campaign of tactics Russia has used against NATO in the last few years, including sabotage operations, influence operations, violations of NATO airspace with drones and jets, violations of NATO states’ territorial waters, targeting of undersea cables, and exploitation of some NATO states’ dependence on Russian gas and oil. Russia would likely deploy these tactics more frequently, across more states simultaneously, and would likely use tactics simultaneously in an attempt to strain NATO resources.
  • A full-scale NGW campaign would have significant implications for private and public sector entities operating in NATO territory, including disruption to critical services, reputational risk for individuals and firms named in influence campaigns, supply chain disruptions, and reduced public trust in the government’s ability to safeguard critical infrastructure. The fact that most of the critical infrastructure in NATO territory is privately owned means public-private partnerships will be essential in mitigating the impact of escalated Russian aggression.

Russia Likely to Escalate into New Generation Warfare Campaign in Europe Over Next Two Years

Since Russia’s full-scale invasion of Ukraine in February 2022, it has waged what Insikt Group assesses is largely opportunistic, though increasingly aggressive, hybrid warfare in Europe. These actions, though destructive, have very likely not leveraged Russia’s full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.

Nonetheless, Russian president Vladimir Putin very likely still prioritizes weakening European unity and defensive capabilities in service to his overarching foreign policy goal of replacing the US-led international system with a multipolar world in which Russia, the US, and China are relatively equal in terms of geopolitical influence. Putin very likely judges that uneven US assistance to European defensive efforts creates a window of opportunity for Russia to weaken Europe’s ability to resist Russian aggression. Putin likely views recent US-NATO tensions, such as the US’s articulated intention to control Greenland, as an opportunity to exacerbate the strategic distance between the US and NATO, thereby weakening the transatlantic partnership that has formed the core of the US-led, post-World War II security architecture. Putin also likely views the next two years as an opportunity to optimize the physical and informational environment in Europe, should he decide to launch a kinetic military attack against Europe.

Putin very likely views this window of opportunity as finite. He likely recognizes that the 2028 US presidential election could result in a US president more willing to commit US military and political resources to amplifying Europe’s defensive capabilities. As such, over the next two years, Putin will likely escalate Russia’s hybrid warfare against Europe into an expanded campaign that is likely consistent with the principles of Russian New Generation Warfare (NGW) –– a warfare doctrine espoused by senior Russian military officials emphasizing control of the information and psychological spaces, as well as the use of undeclared special forces, to weaken an enemy prior to using traditional military forces.

Europe’s efforts to bolster its defenses against current levels of Russian hybrid warfare likely reinforce Putin’s perception that Europe is motivated to weaken Russia, thereby likely making him more motivated to target Europe. Putin’s perception that Europe’s defensive efforts are actually a threat to Russia is likely rooted in his calculus that NATO is fundamentally an anti-Russia bloc. Putin has substantiated this assessment by pointing to actions such as NATO’s expansion to include former Warsaw Pact countries and its decision to install missile defense systems in Poland.1

New Generation Warfare Origins and Principles

Insikt Group assesses that much of Russia’s aggressive foreign policy actions since the annexation of Crimea in March 2014 –– which marked the beginning of Putin’s more assertive efforts to push back against perceived Western efforts to weaken Russia –– have been consistent with NGW, a Russian doctrine in which the state aims to bring about political change in another country primarily by using overt and covert influence tools, as opposed to conventional military force. These tools can include influence operations, sabotage operations, and exploiting economic leverage.

New Generation Warfare is typically associated with Chief of the General Staff Valery Gerasimov’s 2013 article in the Russian journal Military-Industrial Kurier, though NGW is essentially a modern version of Soviet active measures. “Active measures” (aktivnye meropriyatiya) was a term used by the Soviet Union from the 1950s onwards to describe covert influence and subversion operations, including establishing front organizations, backing pro-Soviet political movements abroad, and attempting to orchestrate regime change in foreign countries. Active measures declined during the 1980s and 1990s, but Putin revived its use in the early 2000s. Indeed, in 2007, retired major-general Alexander Vladimirov alluded to that revival when he stated that “modern wars are waged on the level of consciousness and ideas” and that “modern humanity exists in a state of permanent war” in which it is “eternally oscillating between phases of actual armed struggle and constant preparation for it.”2

Despite the long history of Russia using active measures, Gerasimov’s 2013 article provides the most comprehensive account of how current Russian military leaders likely view this doctrine. Gerasimov’s article suggests that he views NGW both as the reality of modern warfare and as a preferred way of weakening enemies. Gerasimov argued that the Arab Spring demonstrated that modern wars are not declared conflicts between traditional militaries, but instead depend more on a combination of declared military force and tactics such as domination of the information space, targeting of critical enemy facilities, “asymmetric and indirect operations,” and the use of unofficial special forces. He argued that “the very ‘rules of war’ have changed. The role of nonmilitary means of achieving political and strategic goals has grown and, in many cases, they have exceeded the power of force of weapons in their effectiveness.”

The following table, taken from a translation of the article, shows Gerasimov’s view of traditional warfare as opposed to New Generation Warfare:

Figure 1: New Generation Warfare and traditional warfare forms and methods (Source: Military Review)

We assess that Russia’s campaign in Ukraine, starting with the annexation of Crimea in March 2014 and extending to its ongoing full-scale military operation, bears many of the hallmarks of NGW. Russia’s military operations more closely aligned with NGW principles from 2014 through 2021; after Russia’s full-scale invasion of Ukraine in February 2022, the Russian military transitioned to more traditional operations. Russia’s exploitation of influence operations and asymmetric warfare has been a feature of its operations since 2014, and since 2022, Russia has expanded asymmetric and sabotage operations in Europe likely as part of a multi-faceted strategy to use power exertion in Ukraine and Europe to weaken the Western geopolitical system.

This does not mean that Russian military leadership have consciously used NGW as their guiding principle in Ukraine at all times; indeed, we lack the insight into Russian military leadership thinking to assess with high confidence the principles they are employing. Rather, the combination of Gerasimov’s writings and observation of Russian operations in Ukraine means we can assess with medium confidence that Russia’s Ukraine operations prior to 2022 often reflected NGW principles. As such, we assess that NGW is a useful framework for understanding Russian military operations.

NGW Principle
Example of How the Ukraine Operation Exemplifies Principle
Initiation of military operations by groupings of line units in peacetime
March 2014–February 2022: Russian regular line units (Russian Airborne Forces [VDV], Naval Infantry, and Main Intelligence Directorate [GRU]-controlled unit formations) entered Ukrainian territory, annexed Crimea, and operated in eastern Ukraine without a declared state of war. In eastern Ukraine, troops operated under attempted deniability, with Moscow claiming the operations were being conducted by sympathetic Ukrainian separatist forces.

February 2022–January 2026: Though Russia acknowledged its presence throughout Ukraine, it still operates3 without a full declaration of war, instead casting its campaign as a “special military operation.”
Highly maneuverable, noncontact combat operations of interbranch groupings of line units
March 2014–February 2022: Russian battalion tactical groups (BTGs) generally demonstrated high operational mobility, integrating ground forces, artillery, electronic warfare, and intelligence, surveillance, and reconnaissance (ISR) assets.

February 2022–January 2026: As Russia has attempted to take more territory, it has transitioned to a greater emphasis on attritional, contact-heavy warfare.
Reduction of the military-economic potential of the enemy state via the destruction of critically important military and civilian infrastructure
March 2014–January 2026: Russia has consistently attempted to degrade Ukraine’s critical infrastructure, including through long-range strikes and cyberattacks targeting power plants, transportation and logistics hubs, and defense-industrial facilities.
Mass use of precision weaponry, special operations forces, and robotics systems
March 2014–January 2026: Russia has increasingly used precision weapons (for example, Iskander-M ballistic missiles, Kalibr cruise missiles, Kh-101/555 air-launched cruise missiles), GRU special operations units (including the 3rd Separate Spetsnaz Brigade and the 346th Independent Spetsnaz Brigade); and unmanned systems (such as Orlan-10, Lancet, Shahid-136 drones, and ground robots for logistics and mine-clearing operations).
Simultaneous effects on line-units and enemy facilities throughout the enemy state’s territory
March 2014–January 2026: Russia has conducted strikes across Ukraine, using frontline units, operational rear units, missile and ground attacks, and cyber operations.
Warfare simultaneously in physical and information space
March 2014–January 2026: Russia has consistently used covert and overt means to propagate narratives meant to justify intervention and regime change in Ukraine. These include allegations of Nazism in the Ukrainian military and government writ large; discrimination against Russians in Ukraine; and Western government efforts to foment revolution in Ukraine.
Use of asymmetric and indirect operations

March 2014–February 2022: Russia’s operations were indirect because they included non-acknowledged units, private military companies, and proxy forces such as Donetsk People’s Republic (DPR) and Luhansk People’s Republic (LPR) militias.

February 2022–January 2026: Russia escalated its use of asymmetric and indirect operations against Europe, including targeting undersea cables and critical infrastructure, likely to pressure Europe and Kyiv to abandon efforts to resist Russia’s Ukraine campaign.

Command and control of forces and assets in a unified information space
March 2014–January 2026: Russia has attempted to integrate its C2 structures, including shared ISR, targeting data, and operational planning, across services, and has centralized strike coordination for long-range fires.

However, limitations have been apparent in Russia’s ability to accomplish this, especially since February 2022, likely stemming from deficiencies such as poor inter-service coordination, rigid command structures, and underestimation of Ukrainian capabilities and willingness to fight.

Table 1: New Generation Warfare principles (Source: Recorded Future)

New Generation Warfare Toolkit

In a full-scale New Generation Warfare campaign in Europe, Russia would likely move from its current pattern of influence operations efforts combined with largely opportunistic cyber and sabotage targeting to a Europe-wide campaign that is both proactive and reactive. It would likely involve the same tactics Russia has used against NATO states for the past few years. The difference would likely be that Russia would deploy these tactics more frequently and across a greater number of states at once. A full NGW campaign would likely also involve using some operational methods simultaneously and in ways that amplify one another.

Even in a full-scale NGW campaign, Russia would very likely aim to keep destruction below the threshold that risks NATO invoking Article 5. NATO officials have not specified precisely what the Article 5 threshold is; indeed, former NATO Secretary General Jens Stoltenberg stated that the grounds for invoking Article 5 “must remain purposefully vague.” However, it is likely that it would include a mass casualty event or the use of a chemical or biological weapon. The text of Article 5 specifies that the threshold involves “an armed attack.” NATO officials said in 2022 that a cyberattack could constitute grounds for invoking Article 5, though they did not specify what kind of cyberattack would qualify.

Russia is likely to face few downsides during an NGW campaign, due to minimal risk of Russian casualties and the campaign’s tactical flexibility. Unlike a conventional military campaign, which risks a high level of casualties that can cause domestic public dissatisfaction, an NGW campaign very likely would involve minimal risk to Russian citizens. In addition, an NGW campaign inherently offers significant tactical flexibility, as it is not a declared campaign in which Russia needs to articulate goals to justify the campaign to the Russian public and elites. As such, Putin would likely have the option to draw down tactics that are proving less effective and increase the use of more effective tactics, without needing to justify tactical failures. This flexibility would likely allow Putin to continue at least aspects of an NGW campaign in the likely event that Europe responds to an NGW campaign with escalated efforts to counter Moscow.

Influence Operations and Propaganda

Russian “active measures” serve as a force multiplier for Moscow’s broader political warfare, integrating influence operations, propaganda, and sabotage. In Europe, these efforts aim to weaken transatlantic cohesion, erode public and political support for Ukrainian sovereignty and assistance to Kyiv, and exacerbate internal societal divisions, economic uncertainty, and other challenges. By cultivating sanctions fatigue and encouraging selective bilateral re-engagement with Russia through active measures, Moscow seeks to mitigate its international isolation and undermine the rules-based international order, thereby advancing a Russia-favored multipolar system characterized by exclusive spheres of influence. Notably, these activities also include angles of domestic preservation by portraying the West as chaotic, corrupt, and immoral, and thereby discouraging the expansion of liberal democracies elsewhere, particularly from within.

Since Russia’s full-scale invasion of Ukraine in 2022, Insikt Group has observed concentrated Russian influence operations targeting the domestic audiences of what Moscow likely views as Kyiv’s core European supporters: the UK, France, Germany, and Poland. Insikt Group investigations, in addition to public reporting, have previously identified multiple influence operations targeting the above-mentioned major European allies, including Doppelgänger, Operation Overload, Operation Undercut, and CopyCop. These influence operations have commonly impersonated national and pan-European media outlets to disseminate messages aligned with Kremlin propaganda, including anti-Ukraine themes and content that denigrates pro-European political figures. Elsewhere, Russian influence operations have sought to use fear and physical demonstrations to manipulate public opinion. In France, for example, Russia-linked physical intimidation very likely intended to provoke public anxiety and societal unrest included the Star of David and red hand graffiti, as well as the placement of caskets near the Eiffel Tower ahead of the 2024 Paris Olympic Games. Similar efforts have also appeared elsewhere in Europe, including the emergence of pro-Russian billboards in Italy and the "Children of War, Alley of Angels" exhibit in Germany.

Russian influence efforts have also leveraged illicit financing and alleged bribery to attempt to favorably reshape European politics. For example, in spring 2024, Czech authorities attributed the Voice of Europe, an organization linked to Viktor Medvedchuk, to paying politicians in several EU countries to spread anti-Ukraine messages. In September and October 2024, Moldovan police reported that a Russia-linked network, allegedly run by fugitive oligarch Ilan Shor, channeled tens of millions of dollars to buy votes ahead of Moldova’s October 20, 2024, presidential election and EU referendum. In December 2024, Romanian prosecutors conducted raids and opened probes into alleged illegal campaign financing and payments to TikTok users and influencers associated with the then-annulled presidential vote. More recently, former UK Member of the European Parliament (MEP) Nathan Gill was sentenced on November 21, 2025, after pleading guilty for accepting bribes to make pro-Russian statements.

Insikt Group assesses Russia’s NGW against Europe will likely consist of aggressive influence operations targeting Europe that aim to erode European unity and advance Russia’s quest for a multipolar world order. NGW will very likely continue supporting Moscow’s core objectives of eroding political and public support for Ukrainian sovereignty and assistance to Kyiv, accelerate sanctions fatigue, and exploit domestic political crises and election cycles to fracture European cohesiveness and transatlantic cooperation. Moscow will likely expand its reliance on access to third parties and intermediaries, including sympathetic socio-political organizations and fringe movements, to launder Kremlin-aligned messages into the European information environment.

Across Europe, Russia will almost certainly continue to attempt to delegitimize existing democratic institutions and Europe’s information ecosystem by continuing to foster distrust in elections, mainstream media, the EU, and pro-European government figures. In a post-war environment, assuming European sanctions on Russian media enterprises are lifted, Russia will very likely attempt to reestablish its state media presence while also hardening itself to withstand future disruptions, legal restrictions, and platform or government takedowns in the event of a kinetic conflict with Europe.

New Generation Warfare operations against Europe will very likely incorporate much of Russia’s current-era influence tradecraft, including social media influence via human and automated networks, media impersonation and covert media outlet brands, illicit financing and bribery, and cyber-enabled influence such as hack-and-leak narratives. Further, Insikt Group assesses Moscow will very likely continue attempting to cultivate sympathetic allies through covertly funded fringe socio-political organizations, using these entities to astroturf “grassroots” support, amplify Kremlin-aligned narratives, and catalyze or intensify domestic unrest across Europe. We assess that Russia will also adapt emerging technologies, particularly AI, to scale the production, localization, and quality of influence content, increase dissemination efficiency, and optimize targeting. Continued advances in generative AI will almost certainly improve the realism of propaganda images and fabricated reporting, forged documents and correspondence, and synthetic impersonations of public figures, including audio and video deepfakes.

Airspace Incursions by Drones and Jets

Beginning in September 2025, suspected violations of NATO airspace by Russia-directed drone operators or Russian jets increased to unprecedented levels, as Russia likely sought to project power across NATO territory and test NATO resolve while maintaining plausible deniability. Insikt Group tracked 30 suspected or confirmed violations between September 2025 and January 2026, compared to 23 suspected or confirmed violations between March 2022 and August 2025. The most commonly targeted countries since March 2022 have been Poland and Romania; however, suspected Russian violations of NATO airspace have occurred outside of Russia’s historic sphere of influence, including in Germany, UK, Denmark and Norway. Violations have most frequently targeted critical infrastructure, such as military bases and airports.

In a full-scale New Generation Warfare-like campaign in Europe, Russia likely would escalate the frequency and level of aggressiveness of these violations. Russia’s targeting would likely continue to focus on critical infrastructure, but violations would very likely significantly increase in frequency. Russia would also likely use drones to fly closer to targets and perhaps hover over them for extended periods of time, in a likely effort to test NATO’s willingness to shoot down drones and perhaps collect intelligence on critical infrastructure facilities. Indeed, in September 2025, Polish authorities said they shot down Russian drones that violated Poland’s airspace.

Other ways Russia would likely escalate the aggressiveness of its airspace violations include timing those violations with major NATO events, such as military exercises and summits. Russia could escalate its use of drones as electronic warfare mechanisms, perhaps to disrupt NATO military exercises or the functioning of critical infrastructure facilities.

Russia would likely also use its drones to amplify its psychological warfare as a way of projecting power and demonstrating to the public that Moscow can disrupt everyday life in NATO countries. Russia could do this via tactics such as hovering drones over civilian transportation infrastructure, like railways or airports, which have already been forced to temporarily close. Russia could also launch drones over facilities hosting political summits, such as the annual NATO Summit, or over polling places during elections to stoke public fear. In a full-scale NGW campaign that involves coordination of multiple tactics, Russian propaganda outlets might release footage of these incidents to propagate a narrative that NATO states cannot protect their infrastructure. Russia could also combine drone or jet violations with sabotage operations to further sow public panic and force NATO governments into a defensive posture.

Russia would very likely seek to maintain some level of deniability and would avoid airstrikes and mass casualty events, which would almost certainly guarantee an Article 5 declaration.

Territorial Waters Violations and Targeting of Undersea Cables

Insikt Group assesses that, since February 2022, Russia has increasingly used violations of NATO states’ territorial waters4 and targeting of undersea cables to test the alliance’s resilience, collect intelligence, keep NATO in a reactive, defensive posture, and attempt to deter NATO from undermining Russian strategic interests. In June 2023, Deputy Chairman of the Security Council Dmitriy Medvedev stated that, “if we proceed from the proven complicity of Western countries in blowing up the Nord Streams, then we have no constraints — even moral — left to prevent us from destroying the ocean-floor cable communications of our enemies.” Medvedev’s comments were likely purposefully hyperbolic; however, they likely reflect a Kremlin perception that NATO is targeting Russian strategic interests, thereby justifying retaliatory action.

Examples of Russia likely targeting undersea cables and maritime assets include an April 2025 incident in which the UK identified Russian sensors attempting to collect intelligence on UK nuclear submarines and other underwater critical infrastructure; the Russian Yantar surveillance ship sailing near cables carrying data for Google and Microsoft under the Irish Sea in November 2024; and reports suggesting that the Russian Eagle S ship accused of damaging multiple undersea cables in December 2024 carried spy equipment to monitor naval activity.

Russian ships have also violated NATO states’ territorial waters, likely to test NATO resilience, force NATO into a defensive posture, and project power. Examples include a July 2025 incident in which a Russian border guard vessel entered Estonian territorial waters without permission; a July 2024 incident in which a Russian naval vessel entered Finnish territorial waters without authorization; and frequent encounters between NATO states and Russia-linked “shadow fleet” vessels. These vessels are tankers sailing under other flags, which often refuse inspection or orders from local navies.

During a full-scale New Generation Warfare campaign against NATO, Russia likely would escalate its targeting of undersea cables and violations of territorial waters. This could include more frequent cable targeting, likely to cause minor but persistent damage to undersea critical infrastructure that tests NATO resilience and Russian destructive capabilities without provoking an Article 5 declaration. Russia could also conduct electronic jamming operations during cable repairs to inhibit communications and use Russian ships to harass those conducting repairs.

Russia would also likely attempt longer and more provocative territorial waters violations, including placing Russian ships near NATO vessels and expanding these activities into areas such as the Mediterranean; conducting concurrent hybrid activity such as GPS jamming and automatic identification system (AIS) spoofing; refusing escort out of territorial waters; and combining territorial waters violations with airspace violations by Russian aircraft or targeting of undersea infrastructure.

Russia would likely aim to overwhelm NATO’s existing efforts to prevent sabotage of undersea infrastructure. In January 2025, Allied Joint Force Command Brunssum (JFCBS) launched Baltic Sentry — a campaign that uses tools such as frigates, maritime patrol assets, and naval drones to deter sabotage of undersea infrastructure. Since the launch of Baltic Sentry, the Baltic Sea has experienced very few undersea sabotage efforts; however, it is not clear whether this is the result of Baltic Sentry or a lack of planned operations.

Sabotage Operations

We assess Russia has escalated its use of sabotage operations in NATO territory since its full-scale invasion of Ukraine in 2022, likely to test the resilience particularly of NATO states’ critical infrastructure; propagate a narrative that Western states cannot protect their populations from threats; harm NATO’s ability to collectively respond to Russian aggression by forcing NATO into a reactive, defensive posture; and degrade NATO states’ ability to provide material support to Ukraine. Sabotage operations are loosely defined, but typically consist of targeting civilian or dual-use infrastructure with physical security attacks by deniable entities.

Particularly since 2022, Russia-linked entities have focused sabotage operations on critical infrastructure in NATO states, exploiting vulnerabilities wrought from deferred maintenance and lack of sufficient public or private investment in upkeep. Within critical infrastructure, the most frequently targeted sectors include undersea telecommunication and power cables; water supply and distribution; transportation; military; healthcare; and telecommunications. The number of Russian sabotage operations has quadrupled from 2023 to 2024, and in 2025, it was likely at levels consistent with 2024. Operations have occurred across NATO, as opposed to being focused in Russia’s historic sphere of influence. That said, the most commonly targeted states between January 2018 and June 2025 were Germany, Estonia, Latvia, Lithuania, and Poland.

In a New Generation Warfare-like campaign targeting NATO territory, Moscow would likely move from what we assess has thus far been largely opportunistic sabotage to operations with more consistency and geographic breadth, and that complement other tactics.

Russia would likely still focus its sabotage operations on critical infrastructure, but would likely place a premium on damaging the critical infrastructure of NATO states that either would be probable targets of a Russian military incursion — such as Poland or the Baltic states — or would lend significant assistance to those states, such as the UK, Germany, or France. This is because in an NGW campaign, Russia would likely view sabotage operations as, in part, a way to test the resilience of potential victim states and their allies. Russia’s sabotage operations against those targets would likely be more frequent and could coincide with significant events such as elections or military exercises. Russia would likely pair sabotage operations with other tactics, such as offensive cyber operations or airspace violations, to augment the destructive impact of the operations and try to strain NATO states’ capacity by forcing them to respond to multiple disruptions at once, while still staying below the threshold that would risk an Article 5 declaration.

Offensive Cyber Operations for Disruption and Counterintelligence

Russian cyber activity directed at European targets has consistently emphasized access-oriented operations, including attacks on internet-facing firewalls, virtual private networks (VPNs), email services, and web portals. This activity aligns with documented Russian cyber practices focused on enabling intelligence collection, operational reach, and long-term flexibility rather than immediate disruptive effects. Recent Insikt Group reporting highlights BlueEcho activity targeting perimeter infrastructure to establish footholds and enable follow-on credential capture and lateral movement, while BlueDelta campaigns demonstrate sustained credential harvesting at scale using impersonated Microsoft Outlook Web App (OWA), Sophos VPN, and Google login workflows. This tradecraft is low-cost, repeatable, and consistent with long-term counterintelligence targeting of government, defense, and research entities.

Russian cyber activity affecting Europe has been broad in scope, with targeting observed across multiple regions and sectors. If cyber operations were used for more overtly disruptive purposes, effects would likely be more pronounced in states with weaker cybersecurity maturity or slower coordinated response mechanisms, such as fragmented local-government IT environments or limited national incident response surge capacity. This does not preclude activity against major NATO states, where Russian cyber operations have historically focused more heavily on intelligence collection and access. BlueDelta’s targeting of NATO-aligned and defense-related organizations reflects continued Russian interest in strategically valuable European targets aligned with GRU intelligence requirements.

Observed Russian cyber activity also provides insight into how operations could escalate if strategic conditions were to change and Russia were to launch a full-scale NGW campaign. Russian threat actors have demonstrated the ability to establish and maintain access over time, including through persistent connections and tunneling, which could be repurposed to degrade remote access services, manipulate edge-device configurations, or cause temporary service disruption. In Ukraine, cyber activity has been observed alongside influence operations and physical sabotage, including Recorded Future–tracked influence campaigns such as CopyCop, which leveraged automated content replication and spoofed media infrastructure to amplify pro-Russian narratives in parallel with other forms of hybrid activity. If applied elsewhere, similar coordination could increase pressure on incident response capabilities and undermine public confidence in the reliability of essential services. Credential-harvesting operations further provide pathways beyond inbox access, including potential compromise of identity providers, VPN portals, and privileged administrative portals.

Russian cyber operations have historically involved establishing and maintaining access to targeted networks over extended periods, a pattern also documented in prior campaigns in Ukraine. However, there is no public evidence demonstrating that the access currently observed in European networks is intended for future disruptive operations. If a kinetic conflict were to escalate in Europe, Russia would likely seek to expand or prioritize access within relevant networks to support intelligence collection, operational coordination, or potential disruption. Russia also has a documented history of tolerating or leveraging cybercriminal activity alongside state-directed operations, including overlap with criminal infrastructure and access brokers, which may allow operators to expand scale, complicate attribution, and generate disruptive effects without overtly exposing state-linked capabilities. Collectively, activity associated with BlueAlpha, BlueDelta, BlueEcho, Sandworm, and Dragonfly illustrates Russia’s ability to scale cyber operations from access and intelligence collection toward disruption if strategic conditions were to change, consistent with broader hybrid and New Generation Warfare practices.

Exploitation of European Dependence on Russian Oil and Natural Gas

Russia has long exploited other states’ dependence on its natural gas and oil to exercise leverage over them, typically by strategically decreasing supply flows, particularly during high-demand periods, such as winter. For example, in 2006, Georgia accused Russia of intentionally cutting gas supplies during an unusually cold period to increase political pressure on Tbilisi. In the run-up to Russia’s full-scale invasion of Ukraine in February 2022, Russian state gas company Gazprom reduced natural gas deliveries to Europe, likely in an effort to pressure Europe into abandoning a unified stance on supporting Ukraine.

Since 2022, many NATO states have sought to reduce their dependence on Russian natural gas and oil; however, several states remain dependent, including Slovakia, Hungary, and Türkiye. In a full-scale New Generation Warfare campaign in Europe, Russia would very likely escalate its exploitation of those states’ dependence on Russian energy imports to demonstrate Moscow’s ability to degrade European critical infrastructure, undermine NATO unity, gauge the resilience of these states’ critical infrastructure, and test Russia’s ability to handicap critical infrastructure, should Putin decide to launch a military incursion into NATO territory.

Moscow’s willingness to exploit these states’ dependence on Russian energy likely varies by state. Moscow is less likely to exploit Hungary’s dependence on Russian oil and gas, given Budapest’s strong relations with Russia. Slovakia is a more likely target, as it seeks a positive relationship with Moscow, but is likely of less strategic importance to Russia than Hungary. Moscow’s relations with Türkiye have fluctuated between positive and adversarial; the likelihood of exploiting Türkiye’s dependence on Russian energy imports would likely depend, in part, on how positive the overall Russia-Türkiye relationship is at that time.

Escalation of economic critical infrastructure targeting would likely take the form of both more frequent and more geographically broad operations, particularly during high-demand periods such as the winter and perhaps during NATO military exercises or elections. Russia could also escalate its use of pricing manipulation to punish states that work against Russia’s strategic priorities in Ukraine, and reward pro-Russia states such as Hungary.

Russia would also likely combine supply cuts with sabotage operations. For example, in 2006, Moscow cut gas supplies in Georgia at the same time it sabotaged an electricity line. Following a successful operation, pro-Russia propaganda outlets would likely amplify narratives that claim European critical infrastructure is weak and vulnerable, and that this demonstrates the inadequacy of democracy and the Western political system writ large at fulfilling basic public needs.

In a New Generation Warfare campaign against Europe, Russia would be unlikely to seek permanent damage to European critical infrastructure or mass civilian harm from disruption of energy flows. Russia would also likely avoid long-term disruption of oil and gas deliveries to limit the financial impact, since oil and gas revenues comprise roughly 25% of Russia’s annual federal revenue.

Indicators of NGW Campaign in Europe, Implications for Public and Private Sectors, and Recommended Mitigations

Tactic: Influence Operations

Indicators of NGW Campaign

  • Increased convergence of narratives across propaganda outlets, including state media, inauthentic social media accounts, and so on
  • Parallel narratives tailored to each country or region

Implications for Public and Private Sectors

  • Public Sector: more pronounced political polarization; reduced public trust in government competence
  • Private Sector: brand damage if firms are targeted in influence operation (IO) campaigns; employee or executive harassment or doxxing

Recommended Mitigations

  • Ensure communication response protocols are in place, such as rapid rebuttal measures
  • Ensure information environment monitoring is attuned to Russia-nexus narratives so inauthentic behavior can be detected quickly

Tactic: Airspace Incursions by Drones and Jets

Indicators of an NGW Campaign

  • More frequent incursions that last longer and target strategic sites such as military training grounds, critical infrastructure nodes, and so on
  • Incursions are conducted at lower altitudes, with transponders turned off
  • Violations are clustered around NATO decisions or major military exercises

Implications for Public and Private Sectors

  • Public: forced closures of critical infrastructure sites during airspace violations, thereby disrupting operations, as well as likely escalation of public alarm and potential decrease in public confidence in the government’s ability to keep critical infrastructure safe
  • Private: business operation disruptions due to critical infrastructure closures

Recommended Mitigations

  • Strengthen counter-measures against unmanned aircraft systems (UASs) around critical sites
  • Ensure joint civil-military air incident protocols are in place, including aviation alerts and Notice to Airmen (NOTAM) coordination
  • Improve GPS resilience

Tactic: Territorial Waters Violations and Targeting of Undersea Cables

Indicators of an NGW Campaign

  • More frequent territorial waters violations
  • Violations by state-linked vessels
  • Non-compliance with escort or hails; risky maneuvering around NATO state vessels, perhaps to provoke potential collisions
  • Increased loitering of suspicious vessels near cable routes and landing areas
  • Repeated “anchor drag” incidents
  • Interference with repair ships
  • Simultaneous cyber activity against telecommunications and energy operators

Implications for Public and Private Sectors

  • Public: intermittent communications degradation; potential harm to energy infrastructure
  • Private: major potential operational losses for telecommunications, finance, and other key sectors; potential increases in insurance costs for shipping companies, should territorial waters violations at ports become common

Recommended Mitigations

  • Consider mapping alternative sea routes in case primary routes are disrupted; consider rapid reroute contracts
  • Ensure sufficient port and state coordination
  • Ensure physical hardening at cable landing sites
  • Expand Baltic Sentry efforts to other locations

Tactic: Sabotage Operations

Indicators of an NGW Campaign

  • More frequent operations, including arson, vandalism, explosions, and rail disruptions
  • Targeting of high-priority sites, such as military logistics hubs, defense suppliers, and so on
  • Targeting of civilian sites, such as shopping malls or residential neighborhoods
  • Concurrent operations in multiple geographic regions, suggesting intentional planning
  • Combined sabotage operations and airspace or territorial waters violations

Implications for Public and Private Sectors

  • Public: potential reduction in public confidence in government’s ability to protect critical infrastructure and residential areas; in the event of significant escalation in sabotage operations, emergency services could be strained
  • Private: facility damage or loss; threat to worker safety; supply chain interruption; business interruption; reputational liability

Recommended Mitigations

  • Expand insider threat and contractor vetting at critical infrastructure sites
  • Ensure physical security measures are in place, including perimeter detection, anti-drone measures, camera coverage, and access control
  • Enhance public-private partnerships, as most of the critical infrastructure NATO relies upon is commercially owned
  • Ensure rapid liaison channels with law enforcement and intelligence services

Tactic: Offensive Cyber Operations

Indicators of an NGW Campaign

  • Campaigns that target strategic pressure points, such as logistics and transportation hubs, defense supply chains, and local government entities
  • Intrusion and distributed denial-of-service (DDoS) activity spikes at politically significant moments, including elections, military exercises, or geopolitical summits
  • Campaigns that blend state and proxy activity, such as hacktivist DDoS campaigns that amplify Kremlin-aligned narratives
  • Coupling of multiple tactics, such as cyber and influence operation hybrid campaigns

Implications for Public and Private Sectors

  • Public: DDoS and ransomware campaigns can undermine public confidence in the reliability of institutions; compromise of government narratives can result in less public confidence in the truth of government messaging; even attempted election manipulation can reduce confidence in voting systems
  • Private: elevated risk of disruption of key logistics, transport, rail, and aviation systems; hack and leak operations pose risk to reputation, personally identifiable information, and intellectual property rights; targeting of critical infrastructure can result in operational disruption

Recommended Mitigations

  • Enforce phishing-resistant multi-factor authentication
  • Implement conditional network access based on geopolitical and risk factors
  • Patch for commonly exploited software
  • Reduce exposure (lock down admin portals; restrict by IP address; remove unused services)
  • Use DDoS protection, autoscaling
  • Coordinate with the national computer emergency response team (CERT) and National Counterintelligence and Security Center (NCSC), as well as upstream providers; rehearse continuity plans
  • Require multi-factor authentication (MFA) and logging parity from third-party providers; segment privileged access; monitor for abnormal remote management activity

Tactic: Leveraging Economic Dependence

Indicators of an NGW Campaign

  • Supply manipulation, including threats or actions to raise price volatility
  • Exploitation of legal measures, including sudden contract disputes or claims of force majeure
  • More frequent cessation of oil and gas supplies, especially during high-demand periods such as winter

Implications for Public and Private Sectors

  • Public: higher energy bills and supply disruption, potentially leading to public dissatisfaction
  • Private: price shocks, supply uncertainty, costs related to resolving alleged contract disputes

Recommended Mitigations

  • Diversify suppliers and routes
  • Ensure on-site backup generation where feasible

2025 Cloud Threat Hunting and Defense Landscape

19 February 2026 at 01:00

Executive Summary

Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:

  • Exploitation and Misconfiguration
  • Cloud Abuse
  • Cloud Ransomware
  • Credential Abuse, Account Takeover, and Unauthorized Access
  • Third-Party Compromise

Across cases, initial access frequently comes from vulnerable or misconfigured services exposed to the internet — including application delivery controllers, monitoring dashboards, email security gateways, and enterprise resource planning (ERP) platforms — as well as stolen or weakly governed credentials sourced from public leaks, compromised developer workstations, and socially engineered helpdesk workflows. Once inside a targeted environment, threat actors systematically pivot through hybrid identity and virtual private network (VPN) infrastructure, targeting directory-synchronized accounts, non-human and executive identities, and privileged cloud roles to gain tenant-wide administrative control.

Post-compromise activity is characterized by heavy use of built-in cloud and SaaS functionality: enumerating and exfiltrating data via native storage and backup services, destroying or encrypting cloud backups and snapshots for impact, manipulating static frontends and continuous integration/continuous deployment (CI/CD) pipelines to subvert trust in applications and repositories, and using mainstream platforms such as calendar services as covert command-and-control (C2) channels.

In comparison to its previous iteration, the majority of the events discussed in this report indicate that threat actors are engaging in similar threat behaviors; however, there are three specific trends that appear to have emerged since the most recent iteration:

  • Cloud threat actors are registering their own legitimate cloud resources for use in attack chains.
  • DDOS attacks are becoming less effective when targeting cloud environments, even in instances of record-breaking throughput, due to increased cloud-native capabilities for mitigating these threats.
  • Cloud threat actors are increasingly diversifying the types of services that they target in victim environments during an attack chain, with a notable focus on LLM and other AI-powered services hosted in cloud environments.

The trends associated with abuse indicate a shift in threat actor perception, demonstrating that threat actors are exploring the broader benefits that compromised cloud services can provide.

Download Cloud Threat Landscape: Executive Insights

GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack

18 February 2026 at 01:00

Executive Summary

Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT. Insikt Group identified a large amount of infrastructure linked to GrayCharlie, primarily tied to MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, both actor-controlled and compromised staging infrastructure, and higher-tier infrastructure used to administer operations. While most compromised websites appear to be opportunistic and span numerous industries, Insikt Group identified a cluster of United States (US) law firm sites that were likely compromised around November 2025, possibly through a supply-chain compromise involving a shared IT provider.

To protect against GrayCharlie, security defenders should block IP addresses and domains tied to associated remote access trojans (RATs) and infostealers, flag and potentially block connections to compromised websites, and deploy updated detection rules (YARA, Snort, Sigma) for current and historical infections. Other controls include implementing email filtering and data exfiltration monitoring. See the Mitigations section of this report for implementation guidance and Appendix A for a complete list of indicators of compromise (IoCs).

Key Findings

  • GrayCharlie, which overlaps with SmartApeSG and first emerged in mid-2023, is a threat actor that injects links to externally hosted JavaScript into compromised WordPress sites. These links redirect victims to NetSupport RAT infections delivered via fake browser update pages or ClickFix techniques, ultimately resulting in Stealc and SectopRAT infections.
  • Insikt Group identified a wide range of GrayCharlie infrastructure, largely associated with MivoCloud and HZ Hosting Ltd. This includes NetSupport RAT command-and-control (C2) servers, staging infrastructure made up of both actor-controlled and compromised infrastructure, as well as components of GrayCharlie’s higher-tier infrastructure used to manage its operations.
  • Insikt Group identified two primary attack chains associated with GrayCharlie: one in which victims encounter fake browser update pages after visiting compromised websites, and another in which they are presented with a ClickFix pop-up, a technique that has become increasingly common in 2025.

Background

GrayCharlie is Insikt Group’s designation for a threat activity group that first appeared in mid-2023 and is behind SmartApeSG, also referred to as ZPHP or HANEYMANEY. The group’s operations typically involve injecting malicious JavaScript into legitimate but compromised WordPress sites. Visitors to these sites are shown convincing, browser-specific fake update prompts (such as for Chrome, Edge, or Firefox) that encourage them to download what appears to be an update but is actually malware.

In late March or early April 2025, SmartApeSG shifted from using fake browser updates to deploying ClickFix lures, mirroring a broader trend among threat actors of increasingly adopting ClickFix.

GrayCharlie predominantly delivers NetSupport RAT; however, deployments of Stealc and, more recently, SectopRAT, have been observed in rare instances. The group’s ultimate objectives remain uncertain. Current evidence suggests a focus on data theft and financial gain, with a theoretical, but unsubstantiated, possibility that it may sell or transfer access to other threat actors.

Threat Analysis

Insikt Group has been tracking GrayCharlie for an extended period and has observed the actor’s persistent behavior since its emergence in 2023. GrayCharlie continues to conduct the same types of operations, regularly deploying large volumes of new infrastructure and adhering to consistent tactics, techniques, and procedures (TTPs), including continued use of the same infection chains and NetSupport RAT payloads. The group targets organizations worldwide, with a particular focus on the US. The following sections provide a detailed examination of GrayCharlie’s operational infrastructure and its two primary attack chains.

Infrastructure Analysis

NetSupport RAT Clusters

Insikt Group identified two main NetSupport RAT clusters linked to GrayCharlie based on factors such as TLS certificates, NetSupport serial numbers and license keys, and the timing of the activity (see Figure 1). In addition, Insikt Group identified a range of other NetSupport RAT C2 servers linked to GrayCharlie activity, but which are not currently attributed to either of the two main clusters. Insikt Group assesses that these clusters may correspond either to different individuals associated with GrayCharlie or to distinct GrayCharlie campaigns. The clusters are further described below.

Figure 1: Overview of GrayCharlie clusters observed in 2025 (Source: Recorded Future)
Cluster 1

Cluster 1 comprises NetSupport RAT C2 servers whose TLS certificates display a recurring monthly naming pattern. All servers in this cluster are hosted by MivoCloud and were deployed between March and August 2025. Notably, NetSupport RAT samples associated with the cluster’s March and April infrastructure used the license key DCVTTTUUEEW23 and serial number NSM896597, before shifting to the license key EVALUSION and serial number NSM165348 in subsequent deployments. The C2 servers associated with this cluster are listed in Table 1.

IP Address
TLS Common Name
License Key
Serial Number
194[.]180[.]191[.]51
mar5
DCVTTTUUEEW23
NSM896597
194[.]180[.]191[.]168
mar4
DCVTTTUUEEW23
NSM896597
194[.]180[.]191[.]171
mar3
DCVTTTUUEEW23
NSM896597
5[.]181[.]159[.]60
mar1
DCVTTTUUEEW23
NSM896597
194[.]180[.]191[.]17
mar2
DCVTTTUUEEW23
NSM896597
94[.]158[.]245[.]66
apr2
DCVTTTUUEEW23
NSM896597
94[.]158[.]245[.]81
apr3
DCVTTTUUEEW23
NSM896597
185[.]225[.]17[.]74
apr4
DCVTTTUUEEW23
NSM896597
194[.]180[.]191[.]189
apr1
DCVTTTUUEEW23
NSM896597
5[.]252[.]178[.]123
may5
EVALUSION
NSM165348
94[.]158[.]245[.]104
may1
EVALUSION
NSM165348
94[.]158[.]245[.]115
may2
EVALUSION
NSM165348
94[.]158[.]245[.]118
may3
EVALUSION
NSM165348
94[.]158[.]245[.]131
may4
EVALUSION
NSM165348
94[.]158[.]245[.]137
may53
EVALUSION
NSM165348
94[.]158[.]245[.]13
june2
EVALUSION
NSM165348
94[.]158[.]245[.]174
june6
EVALUSION
NSM165348
94[.]158[.]245[.]140
june1
EVALUSION
NSM165348
185[.]163[.]45[.]30
june7
EVALUSION
NSM165348
94[.]158[.]245[.]63
june3
EVALUSION
NSM165348
94[.]158[.]245[.]111
june7
EVALUSION
NSM165348
94[.]158[.]245[.]135
june5ebatquot
EVALUSION
NSM165348
5[.]252[.]178[.]23
july9
EVALUSION
NSM165348
185[.]163[.]45[.]41
july1
EVALUSION
NSM165348
185[.]163[.]45[.]61
july3
EVALUSION
NSM165348
185[.]163[.]45[.]73
july4
EVALUSION
NSM165348
185[.]163[.]45[.]87
july6
EVALUSION
NSM165348
185[.]163[.]45[.]97
july8
EVALUSION
NSM165348
185[.]163[.]45[.]130
july9
EVALUSION
NSM165348

Table 1: NetSupport RAT C2 servers linked to Cluster 1 (Source: Recorded Future)

Notably, the NetSupport RAT C2 servers in Cluster 1 are connected not only through the characteristics previously described, but also by the near-simultaneous creation of their TLS certificates. For example, the TLS certificate with the common name june5ebatquot associated with IP address 94[.]158[.]245[.]135 was generated on June 30, 2025 at 4:55:20 PM, while the certificate with the common name june6 linked to 94[.]158[.]245[.]174 was created only 20 seconds later.

Cluster 2

Cluster 2 comprises NetSupport RAT command-and-control servers whose TLS certificates typically start with two or more repetitions of “s”, followed by an “i” and a number (so “sssi3”, for example). NetSupport RAT samples linked to Cluster 2 used the license key XMLCTL and serial number NSM303008. The NetSupport RAT C2 servers typically also host an instance of the vulnerability scanner Acunetix. The C2 servers associated with this cluster are listed in Table 2. Notably, all TLS certificates associated with this cluster were created in a single batch on June 17, 2025.

IP Address
TLS Common Name
License Key
Serial Number
5[.]181[.]159[.]112
sssi3
XMLCTL
NSM303008
5[.]181[.]159[.]9
ssi1
XMLCTL
NSM303008
5[.]181[.]159[.]38
sssi2
XMLCTL
NSM303008
5[.]181[.]159[.]140
ssssi6
XMLCTL
NSM303008
5[.]181[.]159[.]143
ssssi8
XMLCTL
NSM303008
5[.]181[.]159[.]142
sssssi7
XMLCTL
NSM303008
5[.]181[.]159[.]139
ssssi5
XMLCTL
NSM303008

Table 2: NetSupport RAT C2 servers linked to Cluster 2 (Source: Recorded Future)

Of note, one NetSupport RAT C2 server (94[.]158[.]245[.]56) used a TLS certificate with the common name 23sss, created in May 2025, and was linked to a NetSupport RAT sample that carried the same license key (EVALUSION) and serial number (NSM165348) previously observed in Cluster 1.

Other NetSupport RAT C2 Servers

Insikt Group identified an additional set of NetSupport RAT C2 servers linked to GrayCharlie that did not form a distinct cluster (see Table 3). However, all the servers were hosted by MivoCloud and were associated with NetSupport RAT samples using license key and serial number combinations observed in Clusters 1 and 2.

IP Address
TLS Common Name
License Key
Serial Number
5[.]181[.]159[.]29
ssdecservicsdes
N/A
N/A
194[.]180[.]191[.]18
papichssd2
DCVTTTUUEEW2
NSM896597
94[.]158[.]245[.]153
kosmo2
XMLCTL
NSM303008
94[.]158[.]245[.]170
normvork
XMLCTL
NSM303008
5[.]181[.]159[.]62
ffdds
DCVTTTUUEEW23
NSM896597
5[.]181[.]156[.]234
wedn1
XMLCTL
NSM303008
5[.]252[.]178[.]35
scgs234123
XMLCTL
NSM303008
194[.]180[.]191[.]209
novemsdf
XMLCTL
NSM303008
5[.]181[.]156[.]244
wends4
XMLCTL
NSM303008
194[.]180[.]191[.]121
novaksuur
EVALUSION
NSM165348
5[.]252[.]177[.]120
lohsd
XMLCTL
NSM303008
5[.]252[.]177[.]15
bounce
XMLCTL
NSM303008
185[.]163[.]45[.]16
update1
XMLCTL
NSM303008

Table 3: Additional NetSupport RAT C2 servers linked to GrayBravo (Source: Recorded Future)

Staging Infrastructure

Once GrayCharlie victims land on the compromised WordPress sites, thereby satisfying the conditional logic, the payload is typically fetched from the attacker-controlled infrastructure and injected into the compromised WordPress sites. Insikt Group has identified two distinct types of staging infrastructure, each characterized by different website templates. Type 1 is modeled after “Wiser University,” and Type 2 is modeled after “Activitar.”

Type 1: “Wiser University”

The IP addresses associated with the Type 1 staging infrastructure are linked to websites impersonating “Wiser University” (see Figure 2), a fictional entity used to demonstrate Wiser, a free Bootstrap HTML5 education website template for school, college, and university websites. (As a sidenote, Oreshnik is the name of a Russian intermediate-range ballistic missile reportedly capable of speeds exceeding Mach 10.) Appendix B lists the IP addresses associated with the Type 1 staging infrastructure. All IP addresses, except for one, are announced by AS202015 (HZ Hosting Ltd).

Figure 2: Website impersonating “Wiser University” (Source: Recorded Future)
Suspected Testing Infrastructure

Although most IP addresses associated with the Type 1 staging infrastructure are announced by AS202015, as shown in Appendix B, Insikt Group also identified a small subset announced by other ASNs that host the same websites (see Table 4). On average, approximately one such IP address appears to be established each month. Notably, most of these IP addresses appear to geolocate to Russia, and the same ASNs are consistently reused within the same timeframe.

IP Address
ASN
Country
Date of Emergence
89[.]253[.]222[.]25
AS41535
RU
2025-08-29
89[.]253[.]222[.]156
AS41535
RU
2025-08-26
89[.]169[.]12[.]48
AS207957
GB
2025-07-08
185[.]231[.]245[.]158
AS202984
RU
2025-06-27
95[.]182[.]123[.]86
AS202984
RU
2025-05-19
23[.]140[.]40[.]66
AS61400
RU
2025-04-11
217[.]114[.]15[.]253
AS198610
RU
2025-04-09
45[.]153[.]191[.]245
AS198610
RU
2025-03-21
46[.]29[.]163[.]28
AS51659
RU
2025-02-06

Table 4: Additional infrastructure possibly linked to GrayCharlie (Source: Recorded Future)

Type 2: “Activitar”

Insikt Group identified an additional set of staging infrastructure, referred to as “Type 2.” The IP addresses in this cluster commonly host specific websites (see Figure 3). Insikt Group assesses that this template was sourced elsewhere and is not unique to GrayCharlie.

Figure 3: Website impersonating “Activitar” (Source: Recorded Future)

A subset of domains and IP addresses associated with Type 2 is presented in Table 5. Notably, most of the IP addresses are also announced by AS202015 (HZ Hosting Ltd), and one domain in Table 5, filmlerzltyazilimsx[.]shop, is linked to the email address oreshnik[@]mailum[.]com through its WHOIS record.

Domain
IP Address
ASN
filmlerzltyazilimsx[.]shop
79[.]141[.]163[.]169
AS202015
foolowme[.]com
144[.]172[.]115[.]211
AS14956
joiner[.]best
79[.]141[.]162[.]135
AS202015
lowi1[.]com
185[.]33[.]86[.]11
AS202015
morniksell[.]com
172[.]86[.]90[.]84
AS14956
persistancejs[.]store
185[.]80[.]53[.]79
AS59711
pomofight[.]com
45[.]61[.]134[.]76
AS14956
port4loms[.]com
194[.]15[.]216[.]118
AS197155
signaturepl[.]com
77[.]83[.]199[.]162
AS202015
yungask[.]com
91[.]193[.]19[.]220
AS202015

Table 5: Domains and IP addresses linked to Type 2 staging infrastructure (Source: Recorded Future)

Compromised Infrastructure

GrayCharlie commonly injects malicious scripts into the Document Object Model (DOM) of compromised WordPress sites using script tags. Insikt Group has identified several recurring URL patterns tied to this activity: some URLs load externally hosted JavaScript files (such as hxxps://joiner[.]best/work/original[.]js), while others call a PHP file on specific endpoints using an ID parameter (such as hxxps://signaturepl[.]com/work/index[.]php?abje2LAw). Notably, these URLs are updated over time by the threat actor, complicating detection and indicating the threat actor maintains ongoing access to a large pool of compromised WordPress installations. Appendix A lists a subset of WordPress websites infected by GrayCharlie.

Although the exact initial access vector is unknown, it is likely that the actors either purchase access, such as via malware logs containing WordPress admin credentials, or exploit vulnerable WordPress plugins. The latter remains the most frequent cause of all WordPress compromises.

Suspected Compromise of “Law Firm Acceleration Company” SMB Team

While the GrayCharlie-linked compromised WordPress sites span a wide range of industry verticals, in a few rare instances, the threat actors appear to have obtained, either through their own intrusions or via a third party, a more targeted set of WordPress domains. Specifically, at least fifteen websites belonging to US law firms were observed loading the external JavaScript hosted at hxxps://persistancejs[.]store/work/original[.]js (see Table 6).

Insikt Group assesses that GrayCharlie (or the third party GrayCharlie works with) likely compromised these websites through a supply-chain vector. One potential avenue is SMB Team, the self-described “fastest-growing law firm acceleration company,” which has supported thousands of firms across North America, according to its website, as its logo and other references appear across many of the websites listed in Table 6 (see Figure 4). Notably, credentials associated with an SMB Team email address used for a WordPress hosting platform surfaced around the same time that the domain persistancejs[.]store first began resolving. This temporal overlap suggests that the threat actors may have gained access to SMB Team-related infrastructure through the use of legitimate, compromised credentials.

Domain
Company
Country
SMB Team
bianchilawgroup[.]com
Bianchi Law Group
US
Yes
brattonlawgroup[.]com
Bratton Law Group
US
Yes
brighterdaylaw[.]com
Brighter Day Law
US
N/A
defensegroup[.]com
The Defense Group
US
Yes
dwicriminallawcenter[.]com
Benjamin Law Firm LLC
US
Yes
fisherstonelaw[.]com
Fisher Stone, P.C.
US
Yes
jarrettfirm[.]com
Jarrett & Price LLC
US
Yes
raineyandrainey[.]com
Rainey & Rainey Attorneys At Law PLLC
US
Yes
rbbfirm[.]com
Buchanan Law Group
US
Yes
rmvlawyer[.]com
The Law Office of Brian Simoneau, P.C.
US
Yes
www[.]brentadams[.]com
Brent Adams & Associates
US
Yes
www[.]cfblaw[.]com
Cohen Forman Barone, PC
US
Yes
www[.]gerlinglaw[.]com
Gerling Law Injury Attorneys
US
Yes
www[.]immigration-defense[.]com
Law Offices of Daniel Shanfield
US
Yes
www[.]schwartzandschwartz[.]com
Schwartz & Schwartz Attorneys at Law, P.A.
US
N/A

Table 6: Compromised law firm websites linked to GrayCharlie (Source: Recorded Future)

Figure 4: Website of Gerling Law Injury Attorneys (top) and SMBTeam logo (bottom) (Source: URLScan)

Notably, while an SMB Team compromise is possible, Insikt Group also assesses that the actors may have exploited a specific version of WordPress or its plugins used by SMB Team, which could explain the simultaneous compromise of all affected websites.

In some instances, the same compromised WordPress sites are compromised by multiple threat actors simultaneously. For example, bianchilawgroup[.]com was also breached by TAG-124 (also known as LandUpdate808 or Kongtuke) since at least December 2025, which used the domain vimsltd[.]com.

Higher-Tier Analysis

GrayCharlie administers its staging infrastructure primarily over SSH, though other ports are used intermittently. The group manages its NetSupport RAT C2 servers over TCP port 443. Overall, Insikt Group assesses that GrayCharlie relies extensively on proxy services to administer its infrastructure. Additionally, based on presumed browsing activity from higher-tier servers, at least some individuals linked to GrayCharlie are assessed to be Russian-speaking.

Attack-Chain Analysis

GrayCharlie has been observed using two different attack chains to deliver NetSupport RAT. The first chain uses compromised websites to distribute a fake browser update that triggers the retrieval and installation of a script-based payload; the second chain uses compromised WordPress sites and a ClickFix-style lure that copies a command to fetch and install the RAT. Both culminate in NetSupport execution from %AppData%, Registry Run key persistence, and C2 connectivity; the technical details are expanded below.

Attack Chain 1: Fake Browser Update Leading to NetSupport RAT

According to public reporting, when GrayCharlie first became active in mid-2023, it relied on fake browser updates to deliver the NetSupport RAT. Although the group later shifted to the ClickFix technique, Insikt Group observed a return to fake browser updates as early as October 12, 2025. Figure 5 provides an overview of Attack Chain 1.

Figure 5: Attack Chain 1 (Source: Recorded Future)
  1. Website compromise and lure delivery. Threat actors modify legitimate sites to load malicious scripts that render a browser-specific “update” prompt. Selecting the prompt initiates download of a ZIP “update” package containing a primary JavaScript file alongside decoy .dat files.
  2. User-executed JavaScript loader. The victim manually runs the .js script. The script mimics a benign browser component to reduce suspicion while silently initiating the next stage of the attack.
  3. PowerShell staging via WScript. The JavaScript launches wscript.exe, which spawns powershell.exe. PowerShell reaches out to a remote host to fetch an obfuscated JavaScript containing encoded tasking.
  4. Secondary payload retrieval. PowerShell decodes instructions and downloads the actual payload ZIP archive. This archive contains a complete NetSupport RAT client set, including client32.exe and required DLLs.
  5. File deployment and execution. The archive is extracted under the user profile (for example, %AppData%\Roaming\...). client32.exe is started in the background to minimize visible indicators to the user.
  6. Persistence establishment. A Windows Run registry key is created to automatically launch client32.exe at logon, ensuring the NetSupport RAT remains active after reboots without requiring further user interaction.
  7. C2 readiness. With the NetSupport RAT client running on the infected host, the endpoint is prepared to establish command-and-control connectivity with the attacker's infrastructure.

Attack Chain 2: WordPress Redirects and ClickFix Leading to NetSupport RAT

As early as April 2025, GrayCharlie began using ClickFix as a secondary attack chain, consistent with industry reporting that many threat actors have adopted ClickFix techniques due to their effectiveness. Figure 6 provides an overview of Attack Chain 2.

Figure 6: Attack Chain 2 (Source: Recorded Future)
  1. Initial delivery and redirection. Phishing emails, malicious PDFs, or links on gaming sites direct users to compromised WordPress pages that embed attacker JavaScript.
  2. Background script and profiling. A background script loads when the site is visited, injects an iframe, and profiles the environment (such as the operating system and browser) to deliver the next stage.
  3. ClickFix fake CAPTCHA. The page presents a fake CAPTCHA that quietly copies a malicious command to the user’s clipboard and instructs them to paste it into the Windows Run dialog (Win+R), turning social engineering into user-assisted execution (see Figure 7).
Figure 7: Fake Captcha (Source: Elastic)
  1. Command-driven staging. The pasted command retrieves a batch file that downloads a ZIP containing NetSupport RAT and uses PowerShell to extract it into %AppData%\Roaming\ (see Figure 8).
powershell -Win^dow Style Hidden -Command "Add-Type -AssemblyName 'System. IO.Compression FileSystem'; [IO.Compression.ZipFile]::ExtractToDirectory('!CF0JOAXML!','!WFHEYHKMZ!')"

Figure 8: PowerShell command (Source: Cybereason)

  1. NetSupport RAT launch and persistence. The batch file starts client32.exe and sets a Run registry key to automatically relaunch the NetSupport RAT client at startup, establishing persistence on the endpoint.
  2. Remote access and follow-on actions. Once connected to C2, operators can interact with the system, perform reconnaissance (for example, domain group membership queries), transfer files, execute additional commands, and potentially move laterally using access acquired from the host.

Observed Operator Activity

In October 2025, Insikt Group detonated a NetSupport RAT sample (SHA256: 31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c) with the C2 server 5[.]181[.]156[.]234[:]443 linked to GrayCharlie within a controlled environment. Later that day, approximately three hours later, the threat actor connected using NetSupport RAT, compressed and moved two files, and then executed group and account reconnaissance commands. The same actor returned three days later and repeated the previously observed reconnaissance commands (see Figure 9).

net group /domain "Domain COmputers"
C:\Windows\system32\net1 group /domain "Domain COmputers"

Figure 9: Reconnaissance commands (Source: Recorded Future)

When both files were compressed into a single ZIP archive and the executable was detonated, the process sideloaded a DLL identified as Sectop RAT (SHA256: 59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78) with the C2 server 85[.]158[.]110[.]179[:]15847. The executable (SHA256: 5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428) was identified as “Merge XML Files”, version 1.2.0.0, developed by Vovsoft, and was signed with a digital certificate that expired on October 31, 2025.

Mitigations

  • Leverage the IoCs in Appendix A and Appendix B to investigate potential past or ongoing infections, both successful and attempted; Recorded Future customers can use the Recorded Future Intelligence Operations Platform to monitor for future IoCs associated with GrayCharlie.
  • Monitor for validated infrastructure associated with the malware families discussed in this report, including NetSupport RAT and Stealc, as well as numerous others identified and validated by Insikt Group, and integrate these indicators into relevant detection and monitoring systems.
  • Leverage the Sigma, YARA, and Snort rules provided in Appendices D, E, and F in your security information and event management (SIEM) or endpoint detection and response (EDR) tools to detect the presence or execution of NetSupport RAT. Customers can use additional detection rules available in the Recorded Future Intelligence Operations Platform.
  • Use Recorded Future Network Intelligence to detect instances of data exfiltration from your corporate infrastructure to known malicious infrastructure.
  • Use the Recorded Future Intelligence Operations Platform to monitor GrayCharlie, other threat actors, and the broader cybercriminal ecosystem, ensuring visibility into the latest tactics, techniques, and procedures (TTPs), preferred tools and services (for example, specific threat activity enablers [TAEs] used by threat actors), and emerging developments.
  • Use Recorded Future AI’s reporting feature to generate tailored reports on topics that matter to your company. For example, if you want to stay informed about activities related to GrayCharlie, you can receive regular AI-generated updates on this threat actor.

Outlook

GrayCharlie has been operating for more than two years, and despite shifts in its tactics, such as alternating between fake updates and ClickFix techniques or transitioning from SmartApe to other hosting providers like MivoCloud, the group’s core behaviors have remained consistent. Given its sustained activity, GrayCharlie is highly likely to remain active and continue targeting organizations worldwide, with a current emphasis on US entities, as indicated by Recorded Future Network Intelligence.

Insikt Group will continue to closely monitor GrayCharlie to detect emerging threats and evaluate the group’s strategic direction within the broader cybercriminal ecosystem.

Appendix A: Indicators of Compromise

Cluster 1 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]60
5[.]252[.]178[.]23
5[.]252[.]178[.]123
94[.]158[.]245[.]13
94[.]158[.]245[.]63
94[.]158[.]245[.]66
94[.]158[.]245[.]81
94[.]158[.]245[.]104
94[.]158[.]245[.]111
94[.]158[.]245[.]115
94[.]158[.]245[.]118
94[.]158[.]245[.]131
94[.]158[.]245[.]135
94[.]158[.]245[.]137
94[.]158[.]245[.]140
94[.]158[.]245[.]174
185[.]163[.]45[.]30
185[.]163[.]45[.]41
185[.]163[.]45[.]61
185[.]163[.]45[.]73
185[.]163[.]45[.]87
185[.]163[.]45[.]97
185[.]163[.]45[.]130
185[.]225[.]17[.]74
194[.]180[.]191[.]17
194[.]180[.]191[.]51
194[.]180[.]191[.]168
194[.]180[.]191[.]171
194[.]180[.]191[.]189

Cluster 2 NetSupport RAT C2 IP Addresses:
5[.]181[.]159[.]9
5[.]181[.]159[.]38
5[.]181[.]159[.]112
5[.]181[.]159[.]139
5[.]181[.]159[.]140
5[.]181[.]159[.]142
5[.]181[.]159[.]143

Other NetSupport RAT C2 Servers:
5[.]181[.]156[.]234
5[.]181[.]156[.]244
5[.]181[.]159[.]29
5[.]181[.]159[.]62
5[.]252[.]177[.]15
5[.]252[.]177[.]120
5[.]252[.]178[.]35
94[.]158[.]245[.]153
94[.]158[.]245[.]170
185[.]163[.]45[.]16
194[.]180[.]191[.]18
194[.]180[.]191[.]121
194[.]180[.]191[.]209

NetSupport RAT Hashes:
06a0a243811e9c4738a9d413597659ca8d07b00f640b74adc9cb351c179b3268
0e9df9294c36702eee970efcb4a70b6ddb433190ab661273e2e559185c55b6c1
112bf17e7c0d0695e9229d60f0d2734c6b96d7edfb41ea3e98e518f4fb1ae6e9
11370e108c8e7a53e52f01df0829c8addb5833145618a7701fbedbb1d837a43d
15dfe9d443027ba01b8f54f415fd74d373b3a06017db8ef110fb55b33357b190
16c8b5e10135d168d73a553a4bda51628e5b4fd419c0ecd47ca4cd7aa864ebd5
18df68d1581c11130c139fa52abb74dfd098a9af698a250645d6a4a65efcbf2d
1900ca9b482273df3127e221526023c025808d8fd65769a418fe1f346e7d41e2
1c389bf1859a00c58b6a97c02fc26c2fe9766c43e06242a94e92b6585b62398b
21a24922b29742977c4f7e25dd2be056dc02bc5e70c98e32ec3e0c6206f4d9ef
312a0e4db34a40cb95ba1fac8bf87deb45d0c5f048d38ac65eb060273b07df67
31804c48f9294c9fa7c165c89e487bfbebeda6daf3244ad30b93122bf933c79c
31f69d67eca6f3fc837e8d10dff4e2fb6643e33c118cff87df4fee2b183bf0e0
37e8b57ff4d724053b1917dc6edaca0708d44ceecd00cab7e4cabb336c2868d7
3ac57bea954ce68dc937f6954ae8a6a19a367a579aeeda7cc93ddd5968fae250
3ada20fbd80ec7f536db8303a5fa029af741a6914de61376ac8f81ac3ac728fd
3b5658532bc4058131689c5641def85d7ae25d5b837d3d1aff3af7bb25581f17
3c499faac4b973c237670f046973691a245ecd735ffebcca3e93337d94b71cde
3c4b87be8450e3120b7ad2b11ff59850950beb39906dc1636b3ee7b6390f2086
4732f025a2a69f6c40787854c5da122689702f00f4f423061bb30ab7fa1e98d3
5381b2a7a77448c4908f5c79d21631f56c88ead0365981cac1dcaafe493c313e
53e9511401000f61c9d910b92cd6d5a58e38ae541975135944885e53fa91ecb7
5dfbd8cf98ebd4977d4f240dcabd5cd67b936c0095c2d5b9a77896daea877df6
5eebdb584a1acd6aacc36c59c22ec51bbd077d2dbbe0890b52e62fa6fb9cf784
5ff742e134e3d17ec7abea435f718e8f5603b95e7984e024b2310ac9ef862ddf
60ff43424c0ba9dc259ab32405345ef325a4cb4d0baf0c0b0c13f9d3672e99eb
68c6411cc9afa68047641932530cf7201f17029167d4811375f1458cae32c7bd
6b2c41b42f75e64d435ba56c2f2b6d79a11b862a2d994487dab3e51e298bc5c9
6b93b7372941a09f1ea69f8b71c5c4e211ea0f8a24061e702002ca84457bcddd
6d0857a9c77f9c5f2a5e6921e1cb9f7e1a5d6b947ad63b364d291157d3f840fb
70f3a6fdbbc5e2ae79c28b48b6478ee3c8ea6f2b705ca9dc9bf8e63a4f6e0c8d
72baf2ecb0a9df607e54b64c0925ffc6739ab5a8b18900bf5c1930bcc799395d
748d546c6db44f6aa4bbb8e586d79f56c63fa87580eb19a0f2d5079cbe0952b7
79040421b5a48dcc6e611dfe187b2f3e355791ad8511adb84f5c0948aa1d6c89
797ae2dbb2c538710fefe75dbe380b9f55b614cb03c4ae09bb3172e8234dd9d9
7a73ae8cca6ce6fa88f89d6154811cb453d6e6db9fa8ed5fbdaf8895aae601a5
7b19538dcf6d4bb84590c458f09c5707c8db53a42861fa56533c49c1a3acd953
7e3634bfd66e601d7585b237437f11f7d614b33705ba5f7bd75ab176c8250d38
858dfa529b960c6f6226b53beb55ba1900d3f498ba7be40724ed5c16d7d5a44b
871e5629d9c8898babf3ed579586e3f5f94a6c4623d3a0a7f9a99bf9d95ffc7b
8763749fd09245e7fa8c0ee2cc797d5520a9ef5d6846f044a0cd7c969c4bd7d4
89d839bbdc786c006304f3c6c6939150380aaa9e84d82bc31cdf0cf7609a6243
8b21fbd40c89763f51d5e06680c0971623500f4724c25958446bac794797057b
8baebd525324297faf86639266060172ded963767c832a609a991fa92c8463ab
8d1ed904d90e08048f42cdc9a25c2159f0f8dc4aa9dc01b0207645ea53abe189
957ab8417606ad41ad31f006d997af3f647dd5215af899551d08b3b472a4bc85
a0332fe0baa316fe793e757f9cf5938b099e97dc4624ead6f3bad8555c8a419b
a1482e62ecc89696a75adea7052c2e98a75c9d37304723abd110d60962bafdb7
a28d0c82a2a37462c2975b5eda7f91e8fc3c2ed50abfe357948ec4faabbd4951
a6637685091835826e62af279cc6c648188797f9edc05a2399a6686349102774
a6f1f68827303e655488c8d54b3be3ce8b1097f3ff374a2e4bc82ff96812781c
abc5b2118bc1d8c82f3726a5e30cf22ae3fa1c572dd3327b281ea6fd97ae9c06
afc45cc0df7f7e481bff45c6f62a6418b6ae4c8b474ec36113e05ab7ca7e2743
b1f91355a8472e364e07f05dc69bbd9c74dc1943e9c4475f46c2b448bb6d6e5d
b2b7218c3f649b9077510aac309357e884c314e0f488abed391415defb249f4c
b6b685fe020c481161060df9dbef0fc205cde479056c18aaeae184daa3f8a9c0
b784301cb2edafea875f779cf24e018f06732561069f6c4c3d86548029671642
ba557bd6b2c1d3297b2c9bd7294e47b9ad9ec6a937cddc879dd563c61a9abcbd
bb451151e52f0868f98e32d26ffa7c2be412b47cd470bf90d3cfe777b4a19f85
bd39f32177dc7a20f5087c5460ebf589035d9051336c69f07a26398f76aec40e
bf37542e9eb7a3b2f51d107e56d7551e6248f06ce18918e3dda2ebe9da1b0e80
bf97c4ff35b5e2c039aa1f1a9a164b7ec4d9339a631c84910b9a4d03b7927b8a
c2ba0018de8dcf0abfb2669cce95ed09377e9a9da7ff8e74e95688c99a025634
c3d797e67edf0dd435808f2f79ff4bfd0cf9177307f4a112b7da09f7dfdd8f2e
c441afb337c4803eed20ae255fbad3cdfac2800475c51e00a55369909efb4c89
cc6ad344d30178e04e49ab16cd43744925676562aded051835fb3f73401f31fa
ceab18331f785d0bf215f551b90f00567e36d339ba8e3ed8e45c0ad410b25808
d02a1eb597c66b602ac7d55095f771345ff5e90905ea12e523df2095030752b6
d6142f48664208710bab9fcab8dfcda66ad75ad756d2ce9c3aa243dcbc29bf4a
d665a8547baf067f2216821ecd4145eab1c75868f024d09140fb265b819d5194
d8d2092e174240d7bac63a9e1c199b442e1cb0f39d7fa32510b1aa7717c3ae38
e24de02415946133176b66017d54a5dcd7270c83f5ef01d79faff4e64d13c63b
e5502722c2bb84876903549445534c47cdaa586a0bb1e5b3a53162d75cc6cb28
e66ae0ac443b5140a1b35b5aaa6899eea296d9d633988eb044a395a34a887431
e92e01977d85f6834f57bd09e29e654b10da798844e4a64470cb22dac78bef93
e9723a2a9ca45787c35b864605a6be71ccf12b2d96dad8e7fc39117f7ba29abb
f28bb7bc5c801d5444ba6816e3a91d5bfaf0307578b7a1529415fc220fd9e9e8
f86b6aa11a276c24dd80db48f43c8a2f0c8df6e5426a7a0fee322c0427421ebb

“Type 1” Staging Server IP Addresses:
77[.]83[.]199[.]3
77[.]83[.]199[.]15
77[.]83[.]199[.]31
77[.]83[.]199[.]42
77[.]83[.]199[.]73
77[.]83[.]199[.]82
77[.]83[.]199[.]88
77[.]83[.]199[.]90
77[.]83[.]199[.]112
77[.]83[.]199[.]123
77[.]83[.]199[.]132
77[.]83[.]199[.]142
77[.]83[.]199[.]170
79[.]141[.]160[.]24
79[.]141[.]160[.]34
79[.]141[.]161[.]50
79[.]141[.]161[.]171
79[.]141[.]162[.]35
79[.]141[.]162[.]37
79[.]141[.]162[.]50
79[.]141[.]162[.]132
79[.]141[.]162[.]149
79[.]141[.]162[.]169
79[.]141[.]162[.]177
79[.]141[.]162[.]181
79[.]141[.]162[.]187
79[.]141[.]162[.]204
79[.]141[.]162[.]229
79[.]141[.]163[.]138
79[.]141[.]163[.]176
79[.]141[.]172[.]204
79[.]141[.]172[.]223
79[.]141[.]172[.]229
79[.]141[.]172[.]232
79[.]141[.]172[.]240
79[.]141[.]173[.]60
79[.]141[.]173[.]161
79[.]141[.]173[.]168
85[.]158[.]111[.]29
85[.]158[.]111[.]38
85[.]158[.]111[.]53
85[.]158[.]111[.]75
85[.]158[.]111[.]81
85[.]158[.]111[.]126
89[.]46[.]38[.]34
89[.]46[.]38[.]48
89[.]46[.]38[.]88
89[.]169[.]12[.]48
91[.]193[.]19[.]32
91[.]193[.]19[.]64
91[.]193[.]19[.]78
91[.]193[.]19[.]127
91[.]193[.]19[.]163
91[.]193[.]19[.]188
91[.]193[.]19[.]190
98[.]142[.]240[.]165
98[.]142[.]240[.]188
98[.]142[.]240[.]214
98[.]142[.]240[.]221
98[.]142[.]240[.]246
98[.]142[.]251[.]26
98[.]142[.]251[.]32
98[.]142[.]251[.]42
98[.]142[.]251[.]53
185[.]33[.]84[.]131
185[.]33[.]84[.]153
185[.]33[.]84[.]169
185[.]33[.]85[.]20
185[.]33[.]85[.]26
185[.]33[.]85[.]33
185[.]33[.]85[.]38
185[.]33[.]85[.]52
185[.]33[.]86[.]37
193[.]42[.]38[.]11
193[.]42[.]38[.]79
193[.]42[.]38[.]85
193[.]42[.]38[.]86
193[.]111[.]208[.]2
193[.]111[.]208[.]17
193[.]111[.]208[.]19
193[.]111[.]208[.]23
193[.]111[.]208[.]24
193[.]111[.]208[.]46
193[.]111[.]208[.]75
193[.]111[.]208[.]97
193[.]111[.]208[.]100

Additional IP Addresses Likely Linked to “Type 1” Staging Infrastructure:
23[.]140[.]40[.]66
45[.]153[.]191[.]245
46[.]29[.]163[.]28
89[.]169[.]12[.]48
89[.]253[.]222[.]25
89[.]253[.]222[.]156
95[.]182[.]123[.]86
185[.]231[.]245[.]158
217[.]114[.]15[.]253

“Type 2” Staging Server IP Addresses:
45[.]61[.]134[.]76
77[.]83[.]199[.]162
79[.]141[.]162[.]135
79[.]141[.]163[.]169
91[.]193[.]19[.]220
144[.]172[.]115[.]211
172[.]86[.]90[.]84
185[.]33[.]86[.]11
185[.]80[.]53[.]79
194[.]15[.]216[.]118

“Type 2” Staging Server Domains:
filmlerzltyazilimsx[.]shop
foolowme[.]com
joiner[.]best
lowi1[.]com
morniksell[.]com
persistancejs[.]store
pomofight[.]com
port4loms[.]com
signaturepl[.]com
yungask[.]com

Domains Linked to oreshnik[@]mailum[.]com:
108zhao[.]shop
1sou[.]top
6hms[.]top
789pettoys[.]shop
7serv[.]top
99wc[.]top
abocamuseum[.]icu
actionmovies[.]top
alcmz[.]top
alhasba[.]com
amxdh1[.]icu
anoteryo[.]top
arearugs[.]top
as5yo[.]top
ashesplayer[.]top
avodaride[.]top
azyaamode[.]shop
baihao[.]shop
baihuah[.]top
bedoueroom[.]top
bestproductreviews[.]xyz
bestrollerballpen[.]top
blogdojhow[.]com
bnpparibas[.]top
bokra[.]top
bond007[.]xyz
boxworld[.]top
bstionline[.]com
buildingjobs[.]xyz
buscavuelosbaratos[.]top
buyedmeds[.]top
buylisinopril[.]top
celebrex[.]top
chaojiwang[.]top
chenyiwen[.]top
chinapark[.]top
christianlouboutin2017[.]top
cialissale[.]top
cinselurunler[.]xyz
coinseasygenerator[.]top
couterfv[.]top
couturella[.]shop
covaticonstructioncorp[.]shop
cozartan[.]top
cryptohardware[.]shop
dcdh4[.]shop
dealermobil[.]top
depechemode[.]shop
directoryframework[.]top
discountmontblanc[.]top
discoveronline[.]top
doodstream[.]shop
downloadfreak[.]top
erectilehelp[.]top
filmezz[.]top
filmlerzltyazilimsx[.]shop
fjs95[.]shop
fmovies123[.]top
forging[.]top
fragzone[.]top
franquicias[.]top
fuckhdmov[.]top
gededewe[.]shop
getin[.]top
glitterygadgets[.]shop
gmartph[.]shop
gmt-a[.]shop
grandzxc[.]bet
guosong[.]top
haidao10[.]top
headtechnologies[.]xyz
healthcareplans[.]top
heim-k[.]shop
helperection[.]top
hilfe-ed[.]top
hirek[.]top
howtogetaloan[.]top
ida-ci[.]com
islighting[.]top
iwine[.]top
izone[.]digital
jerseysus[.]top
jiezishijie[.]top
jkse[.]shop
jsmakert[.]shop
k2bsc[.]top
kaestner[.]top
kamagrafr[.]icu
kanshuwang[.]top
kazumaka[.]top
kfzversicherungskosten[.]top
khusinhthaidanphuong[.]top
kingdomholding[.]top
krediteonlinevergleichen[.]top
lang3666[.]top
langwonet[.]top
layardrama21[.]top
lebensversicherungvergleich[.]top
levciavia[.]top
linhua97[.]top
linksoflondononsale[.]top
linksoflondonsale[.]top
liruo[.]top
liveskortv[.]shop
loanonline[.]top
loispaigesimenson[.]com
losartan[.]top
lovedou[.]top
lqsword[.]top
lx7v9[.]top
lycosex[.]top
machine-a-plastifier[.]com
manwithedhelp[.]top
marmocer[.]top
mbpen163[.]top
medicamentsbonmarche[.]top
meimei68[.]top
menjimmychooonline[.]top
milebox[.]shop
mindsetgrowth[.]shop
mm37[.]icu
monclerjackets[.]top
moruk[.]xyz
motocyclenews[.]top
moviefone[.]top
moviesone[.]top
movtime76[.]shop
movtime78[.]shop
musicdownloader[.]top
my-privatebanker[.]top
mybeststream[.]xyz
nackt-bilder[.]top
nana44[.]shop
newbalancesport[.]top
palcomp3[.]top
parisforrent[.]top
pasangiklan[.]top
patekphillipwatches[.]top
pielsteel[.]top
pravaix[.]top
rag382[.]top
rasin[.]shop
refanprediction[.]shop
regopramide[.]top
rnsddse[.]top
sales2016[.]top
sdnews[.]top
searchgo[.]shop
searchweb[.]top
semikeren[.]icu
simvascor[.]icu
simvascor[.]top
snapcans[.]top
sneakermall[.]top
soap2dayfree[.]top
socialsignals[.]shop
socksforrocks[.]shop
streaming-films[.]xyz
syavsp5[.]top
tdsc[.]top
techradar[.]top
tiffanyearringforwomen[.]top
todoarmarios[.]top
todocalefactores[.]top
todocarritos[.]top
travelplace[.]top
trendings[.]top
universaltechnology[.]top
uochut[.]shop
via345[.]top
villahome[.]top
viloriterso[.]icu
viptravelcentres[.]com
vog168[.]top
wandan[.]top
wap9[.]top
warpdrive[.]top
watchesbest[.]top
wavob[.]top
wdwnp[.]top
xelesex[.]top
ydh7[.]shop
yntz6[.]shop
yourcialsupply[.]top
youtubevideo[.]top
yxta[.]top
yybvf[.]top
zaheirx[.]shop
zakachka[.]top
zerolendnow[.]top
zt45gg[.]top

Compromised Law Firm Websites:
bianchilawgroup[.]com
brattonlawgroup[.]com
brighterdaylaw[.]com
defensegroup[.]com
dwicriminallawcenter[.]com
fisherstonelaw[.]com
jarrettfirm[.]com
raineyandrainey[.]com
rbbfirm[.]com
rmvlawyer[.]com
www[.]brentadams[.]com
www[.]cfblaw[.]com
www[.]gerlinglaw[.]com
www[.]immigration-defense[.]com
www[.]schwartzandschwartz[.]com

Sectop RAT Hash:
59e7e7698d77531bfbfea4739d29c14e188b5d3109f63881b9bcc87c72e9de78

SecTopRAT C2 IP Address:
85[.]158[.]110[.]179[:]15847

Other Hashes:
5f1bd92ad6edea67762c7101cb810dc28fd861f7b8c62e6459226b7ea54e1428

Email Address Linked to GrayCharlie:
oreshnik[@]mailum[.]com

China’s Zero-Day Pipeline: From Discovery to Deployment

17 December 2025 at 01:00

Executive Summary

  • China’s observed use of zero-days has declined since 2023. However, it has expanded its capacity to discover and manage vulnerabilities, signaling a continued effort toward stockpiling exploits for strategic or military advantage.
  • The Data Security Law (DSL) and Provisions on the Management of Network Product Security Vulnerabilities (RMSV) give the Chinese state first access and control over zero-days. Combined with government-backed competitions, incentives, and private contractors, this framework likely sustains one of the world’s largest reserves of exploitable vulnerabilities.
  • The creation of the Information Support Force (ISF) and Cyberspace Force (CSF) signals China’s consolidation of cyber capabilities, likely enabling more effective offensive and defensive cyber operations, with vulnerabilities likely serving as a central resource.
  • Defenders should adopt an “assume breach” posture and build for containment, implementing zero trust and layered defenses to limit attacker movement and impact after an exploit.
Figure 1: How China stockpiles vulnerabilities (Source: Recorded Future)

Analysis

Zero-Days as Strategic Weapons

A zero-day is a previously unknown software flaw for which no patch exists at the time it is discovered or exploited. Once weaponized, it allows adversaries to gain access, escalate privileges, or execute remote commands. These capabilities are especially effective against perimeter and enterprise systems, where a successful compromise can provide initial access and allow attackers to maintain persistence and carry out further cyber actions.

Choosing whether to disclose or keep a zero-day vulnerability is a strategic decision. Governments must balance public safety with the potential intelligence or military value of keeping the flaw secret. In the US, this process is guided by the Vulnerabilities Equities Process (VEP), which is designed to be transparent and generally favors disclosure to help maintain internet security.

China’s Vulnerability Management Regime

China’s vulnerability management system is centralized and led by the state. Its laws, incentives, and institutions work together to feed new exploits and technical capabilities directly to the government, turning software vulnerabilities into strategic assets under state control.

  • Mandatory Reporting

The RMSV (2021) requires that all discovered vulnerabilities be reported to the Ministry of Industry and Information Technology (MIIT) within two days and prohibits disclosure to foreign entities. The Data Security Law (DSL) and National Intelligence Law (NIL) further compel all individuals and organizations to support state security objectives, with strict penalties for non-compliance. Together, these laws grant Beijing first access and complete control over all newly discovered flaws.

  • Incentivizing Compliance

This legal framework is reinforced through financial and professional incentives. The China National Vulnerability Database of Information Security (CNNVD), managed by the Ministry of State Security (MSS), offers researchers and firms monetary rewards, certificates, honorary titles, and preferential access to government contracts. This system encourages compliance by making vulnerability disclosure both mandatory and materially rewarding.

  • Talent Development and Recruitment Pipelines

China combines strict regulations with a well-organized system for developing cybersecurity talent. Competitions such as the Tianfu Cup, Matrix Cup, and QiangWang Cup serve as key recruitment and training platforms for the state’s cyber programs. The 2024 Matrix Cup’s $2.75 million USD prize pool, nearly twice that of Canada’s Pwn2Own, highlights the size of this investment.

  • Private Sector Relationships

    China’s private sector also plays a pivotal role. Major firms such as Qi An Xin, Huawei, Qihoo 360, and NSFocus contribute vulnerabilities and technical expertise directly to the government. Large technology companies also fund or subcontract offensive work to smaller firms, creating a dense ecosystem of start-ups engaged in exploit research and hacking services. The i-SOON leaks (2023) revealed the scale and interconnectedness of this ecosystem: The company sold hack-for-hire services and targeting platforms to government customers while subcontracting work for Qi An Xin and Chengdu 404.

From Discovery to Deployment: Operationalizing China’s Vulnerability Pipeline

This centralized vulnerability ecosystem is producing measurable results, enabling Chinese state-sponsored groups to convert vulnerability discovery into operational access at a speed and scale far beyond that seen in other national programs. A clear manifestation of this is their sustained focus on enterprise and edge technologies, including Fortinet, VMware/ESXi, and Ivanti, where access is durable and often high-privileged, and detection is limited. In 2025, China-linked groups exploited Ivanti VPN and Trimble Cityworks (1, 2) flaws as part of a long-term strategy to remain undetected within networks, expand access, and position themselves for potential critical infrastructure disruption.

China continues to expand its network of CNNVD technical support units (TSUs) and related programs, increasing its overall research base. TSUs are specialized organizations, often universities, state-linked labs, and cybersecurity firms that directly feed vulnerability research and intelligence into the national system. Since 2021, the number of TSUs has increased significantly, broadening the state’s research capacity and deepening its ability to identify and operationalize software flaws at scale.

Figure 2: Number of new CNNVD TSUs by month, June 2021 to July 2025 (Source: Natto Thoughts)

Most vulnerability disclosures to affected vendors and the broader security community still originate from universities, labs, and cybersecurity firms associated with CNNVD, CNVD, and the expanding TSU network. However, even as the ecosystem grows, the overall volume of these disclosures continues to decline, indicating that a larger share of discoveries is now being routed internally rather than published. This suggests that more vulnerabilities are being withheld for state-directed use. Secrecy surrounding hacking competitions is also growing: The Tianfu Cup was not held publicly in 2024, and the 2024 Matrix Cup shared little to no details about discovered exploits. These competitions have historically been major sources of high-quality vulnerabilities, and reduced transparency further aligns with the shift away from open disclosure.

Together, these trends — the rapid expansion of TSUs, the decline in public vulnerability reporting, and the tightening secrecy around exploit-generation events — likely point to a deliberate state strategy that emphasizes centralized stockpiling and selective operational use of vulnerabilities rather than public disclosure.

Strategic Stockpiling and Selective Use

China’s reported use of zero-days declined from twelve in 2023 to five in 2024, and it is responsible for only ten of the 104 zero-day exploits identified globally so far in 2025. While this may partly reflect limited visibility into zero-day deployment and attribution, the trend may also suggest a more selective, strategic approach to when and how its zero-day capabilities are used.

Figure 3: Of the 104 zero-days identified in 2025, ten were attributed to Chinese state-sponsored threat actors (Source: Recorded Future)

Beijing’s control mechanisms under the RMSV and DSL enable it to selectively weaponize or withhold zero-days, preserving its most impactful capabilities for crises or strategic objectives. At the same time, n-day vulnerabilities — older but still unpatched flaws — remain highly effective due to inconsistent global patching.

Using these known flaws allows Chinese operators to gain access to networks and gather intelligence without revealing their zero-day exploits. Overall, this reflects a system designed for long-term preparedness rather than immediate gain.

Military Integration and Strategic Significance

China’s April 2024 military reforms introduced three new divisions within the People’s Liberation Army (PLA), including two centered on cyber and information security:

  • The Information Support Force (ISF), which is responsible for the security and continuity of China’s military networks, data systems, and command infrastructure
  • The Cyberspace Force (CSF), which is dedicated to both offensive and defensive cyber operations

Together, the two units consolidate China’s cyber and information capabilities, which were previously primarily nested under the PLA Strategic Support Force. These units form the backbone of its digital warfighting structure. The restructuring is likely to enhance Beijing’s ability to coordinate kinetic and cyber operations, with zero-days serving as key enablers and potential first-strike tools.

Figure 4: New structure of the People’s Liberation Army (PLA) (Source: The Jamestown Foundation)

The future use of zero-days will depend on how China decides to pursue its geostrategic goals, such as future unification with Taiwan. However, by compromising critical networks in advance, China can secure persistent access and deploy disruptive cyber effects alongside kinetic operations, as seen in Russia’s coordinated cyber-military campaigns in Ukraine. Chinese state-sponsored Volt Typhoon activity has been widely assessed as fulfilling such a purpose.

Outlook

  • Increased Willingness to Use Zero-Days: As China reduces its reliance on US technology through its “Delete America” campaign, the cost of exploiting Western software will decrease, making zero-day use more attractive in future conflicts over the long term.
  • Expanded Pre-Positioning: Expect continued infiltration of critical infrastructure and enterprise systems through both n-day and zero-day exploits to ensure durable wartime access.
  • Increased N-day Use: The rapid adoption of AI-assisted coding and automation is accelerating the accumulation of software vulnerabilities. This expanding security debt — the accumulation of unpatched and unreviewed vulnerabilities — will give adversaries, including China, a broader and more persistent pool of n-day exploits to weaponize.
  • Evolving Contractor Ecosystem: State-aligned private firms are likely to accelerate automation and AI-assisted vulnerability discovery, thereby expanding the Chinese state’s operational stockpile of viable exploits.

Mitigations

  • Adopt an “Assume Breach” Posture: Implement zero-trust architectures that enforce identity and device verification at every access point. Use Recorded Future® Threat Intelligence to monitor for China-nexus infrastructure and malicious activity, feeding enriched indicators directly into security information and event management (SIEM) and security orchestration, automation, and response (SOAR) workflows.
  • Prioritize Edge and Enterprise Patching: Focus remediation efforts on virtual private networks (VPNs), firewalls, hypervisors, and identity platforms most commonly targeted by China-nexus threat actors. Use Recorded Future Vulnerability Intelligence to track emerging zero-day and n-day threats, prioritize patching by exploitation risk, and validate remediation across critical systems.
  • Detect Post-Exploitation Behavior: Use D3FEND mappings such as Process Access Pattern Analysis (D3-PAPA) and Remote Access Detection (D3-RAD) to identify stealthy follow-on actions. Combine these controls with Recorded Future Attack Surface Intelligence to identify exposed assets and verify that detection coverage extends to externally facing environments.
  • Secure Identities and Access: Leverage Recorded Future Identity Intelligence to detect compromised credentials that may complement exploit-based intrusions.

Risk Scenario

EnerTech Global, a European energy technology firm providing control systems and smart grid software to multiple NATO-aligned countries, becomes the target of a Chinese state-sponsored cyber campaign. Using undisclosed zero-day vulnerabilities, Chinese operators infiltrate EnerTech’s production and customer environments to gather intelligence, manipulate software updates, and pre-position for potential disruption.

First-Order Implications

Chinese threat actors exploit a zero-day in a network management or VPN appliance to gain initial access to EnerTech’s internal systems and engineering networks.

A zero-day in industrial control or software build pipelines is used to insert malicious code into firmware updates distributed to downstream customers.

Organizational Risks:

  • Operational: Compromise of development and production networks halts manufacturing and disrupts customer support operations.
  • Legal: Breach of export-control and cybersecurity regulations triggers EU and US compliance investigations.
  • Brand: Public confirmation of a “state-backed breach” undermines trust with government and defense customers dependent on EnerTech’s technology.

Second-Order Implications

Attackers use stolen code-signing certificates to distribute trojanized software updates to energy utilities across Europe. Collected intelligence on grid infrastructure is used to map potential disruption points for future contingency operations.

Organizational Risks:

  • Operational: Some utilities begin to see irregularities in their operational technology (OT) environments, including unexpected behavior in grid-monitoring tools, delayed telemetry updates, and unexplained authentication failures on systems that rely on EnerTech software.
  • Brand: EnerTech’s reputation deteriorates as customers and regulators question its software assurance and supply chain controls.
  • Legal: Disclosure of tampered software triggers international incident response coordination and potential export-license suspension.

Third-Order Implications

Persistent access enables China to remotely sabotage or disable systems during a geopolitical crisis, thereby amplifying disruption across allied power grids. Stolen intellectual property is used by Chinese competitors to replicate EnerTech’s industrial software, undercutting global market bids.

Organizational Risks:

  • Competitive: Loss of proprietary code and technology enables China-based competitors to dominate regional procurement markets.
  • Brand: Association with a high-profile critical infrastructure breach erodes long-term credibility in both commercial and government sectors.
  • Legal: Multinational investigations and sanctions create enduring compliance exposure and financial penalties.

Further Reading

Cyber on the Geopolitical, Battlefield: Beyond the, “Big Fourˮ

17 December 2025 at 01:00

Executive Summary

Regional conflicts and weakened international institutions are driving the use of offensive cyber operations beyond the “Big Four” (China, Russia, Iran, and North Korea). Monitoring these threat actors requires organizations to proactively assess their geopolitical risk to understand where future threats are most likely to emerge.

In 2025, Recorded Future identified at least twenty actors across thirteen “non-Big Four” countries conducting cyber operations, primarily linked to regional conflicts, domestic surveillance, or foreign espionage.

Companies should closely monitor regional geopolitics and maintain strong continuity and resilience plans to protect against cyber espionage or disruptive cyberattacks.

Figure 1: Trends influencing how and why state-sponsored actors beyond China, Russia, Iran, and North Korea carry out cyber operations (Source: Recorded Future)

Analysis

Overview of Other State Sponsors of Cyber Operations

While the “Big Four” account for the majority of reported cyber threat activity, many other countries use cyber operations to advance their strategic interests. Recorded Future data shows that most observed activity outside of the “Big Four” stems from regional conflicts. Patriotic hacktivist groups, which advance state interests alongside state-sponsored espionage operations, represent the highest volume of reported activity. The degree of coordination between hacktivists and the government remains unclear and likely varies. However, their actions are included in this assessment because of their close alignment with state objectives, which means their activity correlates with interstate conflict risk.

Outside of active conflict, espionage against foreign and domestic targets continues to be a major driver of cyber operations. The most cyber-capable states invest heavily in avoiding detection and attribution, given the significant negative political consequences of exposure.

Tracking threat actors beyond the Big Four requires organizations to understand their geopolitical risk in order to anticipate where threats are most likely to emerge. Operating in certain regions or conflict zones likely increases the risk of cyber espionage or destructive attacks.

Regional Cyber Conflicts

Territorial disputes drove nearly two-thirds of observed cyber activity in 2025, according to Recorded Future data. Cyber operations focused on intelligence collection against government, defense, and other critical infrastructure. Hacktivists escalated their activity during conflicts, carrying out nuisance-level attacks amplified through influence operations. Like hacktivists, influence operations align closely with state interests during conflict, but have varying degrees of connection to the state. These activities rarely affect battlefield outcomes but are designed to signal technical sophistication or moral superiority over the adversary.

India and Pakistan

Between May 7 and 10, 2025, India and Pakistan exchanged a series of missile strikes — the most serious escalation between the two nuclear-armed countries in decades. Throughout the crisis, large volunteer hacktivist communities on both sides conducted disruptive attacks, primarily DDoS and website defacements. Pakistan-linked APT36 conducted espionage operations targeting the Indian government and other politically motivated targets, while threat actors linked to the Indian government, such as SideWinder, pursued Pakistani military targets.

Figure 2: Cyber activity between India and Pakistan spiked alongside the outbreak of armed conflict in May 2025 (Source: Recorded Future)

Influence operations intended to shape perceptions of the conflict also intensified. Influence networks amplified hacktivist claims, often overstating their impact, such as widespread reporting on Pakistani social media that hackers had shut down 70% of India’s electric grid. These operations are intended to portray their own side as more capable and their adversary as vulnerable, underscoring the importance of narrative control in conjunction with military operations.

Thailand and Cambodia

Similar to cyber engagements observed between India and Pakistan, hacktivist operations bolstered by influence campaigns significantly escalated between Thai hackers and Cambodian hackers following the May 2025 conflict. These were largely carried out by self-proclaimed patriotic hacktivist groups. Operations included DDoS attacks, website defacements, and data leak operations. More targeted hack-and-leak operations were also intended to reveal politically damaging information about the other country’s leadership. Influence operation narratives emphasized that the opposing side was the aggressor in the conflict, likely in order to garner both domestic and international support.

Morocco and Algeria

While tensions between Morocco and Algeria have not escalated into armed conflict, cyber hostilities increased significantly in 2025. In the context of these tensions, pro-Algerian hacktivists have allegedly carried out a series of high-profile attacks on Moroccan institutions, striking the National Social Security Fund, the National Agency for Land Conservation, and the Ministry of Justice. The hackers, going by JabaROOT, leaked personal and financial data of millions of Moroccan citizens, potentially exacerbating existing domestic tensions over income disparity. The cyberattacks may have been intended to demonstrate Moroccan vulnerability while maintaining a level of deniability for the Algerian government. Moroccan hacktivists responded with retaliatory data breaches against the Algerian government and education institutions.

Espionage Operations Outside of Armed Conflict

While many more countries almost certainly engage in cyber espionage, the following threat actors have been tracked attempting to collect information on targets of political significance:

  • While India-linked threat actors such as SideWinder and Bitter have traditionally targeted neighbors like Pakistan, Sri Lanka, and Bangladesh, espionage against European diplomatic entities increased significantly in 2024, demonstrating a broader targeting scope.
  • Vietnam has accelerated its development of cyber capabilities. APT32, likely linked to the Vietnamese government, has carried out operations against Chinese cybersecurity researchers as well as against internal dissidents. In the past, this group has also targeted car manufacturers, foreign governments, and others, driven by geopolitical and economic priorities.
  • At least two threat actor groups observed conducting espionage operations have been linked to Türkiye: Marbled Dust and StrongPity, who prioritize regional and domestic targets. In addition, a robust online community of patriotic hacktivists targets regional and international adversaries, whether historical (such as Armenia and Greece) or in modern disputes (France and Germany).
  • Stealth Falcon, linked to the United Arab Emirates, has been observed exploiting a zero-day vulnerability to target a Turkish defense organization. The group has been active since at least 2016, targeting government and defense organizations primarily in the Middle East and Africa.

Political and diplomatic priorities make intelligence targets predictable. Organizations should assess not only their regional exposure but also whether their industry aligns with strategic priorities, as sectors tied to national strategy are the most likely targets for espionage.

Domestic Surveillance Activity

Many states use their cyber capabilities to monitor domestic security concerns, which can include law enforcement or national security priorities, monitoring political opposition, or conducting economic espionage on behalf of a key national industry. Domestic surveillance capabilities are often supplemented with commercial off-the-shelf spyware, such as Intellexa’s Predator or Candiru’s DevilsTongue. Similar to understanding political priorities for cross-border espionage, companies should assess whether they possess data that may be of political significance to the government of a country in which they operate. States that lack sufficient oversight or legal privacy protections pose an increased risk of intrusive cyber monitoring and surveillance.

Figure 3: (Left) Graphical representation from the Insikt Group report titled Dark Covenant of the direct and indirect links between Russian Intelligence Services and individuals in the Russian cybercriminal underground; (Right) Infographic of reported cyberattack by Russian state-backed ransomware operators against German military contractors

(Source: Recorded Future)

Outlook

  • Cyberattacks are likely to increase as international alliances weaken: The Thailand-Cambodia and India-Pakistan conflicts demonstrate an increased willingness to use force to pursue regional goals. Deployments in multilateral peacekeeping operations decreased by 40% over the last decade, likely due to challenges in generating the necessary support for intervention. This makes it more likely that states will turn to violence to resolve disputes, as opposed to non-violent negotiations. Cyber and influence operations are becoming increasingly common features in these conflicts, serving as a low-cost means of signaling strength, shaping narratives, and imposing limited disruption.
  • Cyber capability build-up may follow conventional military build-up: NATO countries in Europe, as well as South Korea and Japan, are increasing their military spending. While many of these countries already have advanced cyber capabilities, they may seek to invest in more sophisticated offensive capabilities to augment conventional forces. Legal and doctrinal changes, such as in Japan and South Korea, are also laying the groundwork for a shift from a defensive cyber policy to an offensive posture.
  • Commercial cyber capabilities may be sought for interstate conflict: Countries seeking to gain a cyber advantage in advance of a regional conflict may turn to commercial offensive tools, similar to the growing reliance on these tools for internal law enforcement or counterterrorism operations. This reduces the barrier to entry for smaller or less technically mature states, enabling more actors to conduct sophisticated intrusions, targeted espionage, and high-impact disruption.

Mitigations

  • Use Recorded Future’s Geopolitical Intelligence to monitor regional conflicts and geopolitical developments for risks to international and outsourced operations.
  • Use Recorded Future’s Threat Intelligence to track threat actor groups and detect TTPs associated with non-Big Four countries.
  • Understand the risk of surveillance for personnel traveling to high-risk countries and take mitigating actions such as using alternative devices. Use Recorded Future’s Country Risk Data in the Geopolitical Intelligence module to assess surveillance and other travel risks.
  • Ensure continuity-of-operations plans are in place to mitigate the impacts of disruptive or destructive attacks. Use Recorded Future Analyst-on-Demand for bespoke research on how your organization might be targeted.
Figure 4: Starting with these four questions can help you understand threat actors’ motivations for targeting your organization (Source: Recorded Future)

Risk Scenario

A longstanding territorial dispute between Country A and Country B erupts into a military skirmish at the border, with risks of further escalation. Country A is home to a robust business process outsourcing industry serving some of the world’s largest international corporations.

First-Order Implications

Groups claiming to be patriotic hacktivists from both countries conduct hack-and-leak operations and website defacements. These are amplified by partisans on social media who often exaggerate the impact of these attacks.

  • Competitive disadvantage: Hack-and-leak operations expose sensitive internal documents, including proprietary trade secrets and embarrassing communications.
  • Increased surveillance risk: The conflict increases domestic surveillance activity in Country B to monitor for internal threats. International employees traveling to Country B are subject to enhanced surveillance.

Second-Order Implications

Actors claiming to be hacktivists supporting Country A escalate cyber operations, carrying out persistent cyberattacks against Country B’s electrical grid. As a result, Country B experiences rolling blackouts in the capital city.

  • Operational disruption: The blackouts prevent call centers from performing essential business functions, resulting in significant service delays and revenue losses for corporations worldwide.
  • Physical security risk: Anger over blackouts increases public support for escalating operations against Country A. The escalation of conflict increases the risk of harm to employees or the destruction of facilities.

Third-Order Implications

The United States and China become increasingly involved in the conflict between Country A and Country B, providing military, logistical, and cyber capabilities to their preferred country. The external support prolongs the conflict and increases the risk of involving neighboring countries.

  • Conflict escalation: With more weapons and logistical support from great power backers, fighting between Country A and Country B expands from the border to strikes further in the interior. Both military and civilian casualties increase as violence escalates.
  • Regional economic impact: Extended disruptions may cause international corporations to move operations to more stable regions, leading to a negative economic impact in the region.

Further Reading

❌