Critical elements and rare earth elements REEs are no longer commodities; they are strategic dependencies. Chinaสผs dominance in processing and refining provides it with enormous geopolitical leverage over other industrialized economies.
Geopolitical competition over mining and refining critical elements and REEs is accelerating. Competition to mine them will almost certainly expand into the Arctic, Greenland, Antarctica, the seabed, and space. These emerging arenas introduce legal ambiguity, environmental tension, and strategic rivalry, creating new geopolitical flashpoints.
Cyber operations are increasingly intertwined with resource competition. Insikt Group has identified state-sponsored and criminally aligned cyber threat actors targeting mining organizations to gain a strategic advantage. As critical mineral supply chains grow in importance, cyber activity targeting the sector is expected to increase, with criminal groups potentially serving as proxies or access brokers for state-backed operations.
Figure 1: Map of where critical elements and REEs are being mined or have been located, along with key findings in the report Source: Recorded Future)
Analysis
What Are Rare Earth Elements and Critical Elements?
Rare earth elements (REEs) are a group of seventeen metals that are essential to modern technologies. REEs are vital to the Fourth Industrial Revolution, a term for the current era of connectivity, advanced analytics, automation, and advanced manufacturing technology. REEs are used in small but essential quantities; they significantly impact the efficiency, precision, and reliability of equipment. They also differ from most other critical elements because they are difficult to process and refine. The refining process requires complex separation, making supply chains slow to build and capital-intensive.
Figure 2: Simplified REE production process from mining to refining (Source: Recorded Future)
Critical elements such as lithium, copper, nickel, cobalt, and graphite are primarily used as structural, conductive, or energy-storage materials and are consumed in much larger quantities. These elements form the physical backbone of products like batteries, wiring, and digital infrastructure. In simple terms, critical elements build the systems, and REEs enable the systems to perform at high levels.
Where Are REEs and Critical Elements Located?
On land, critical elements are unevenly distributed globally, with mining concentrated in a few countries. REEs are primarily mined in China, with significant deposits in Australia and the United States (US).
Figure 3: The distribution of where critical minerals were mined in 2023 Source: World Resources Institute)
The seabed is an emerging arena for mining due to vast critical mineral reserves that are believed to lie on the ocean floor. On the seabed, minerals are packed into potato-sized nodules, form hard crusts, accumulate in sediment layers, and are emitted from hydrothermal vents. In April 2025, the Trump administration issued an executive order directing the US to rapidly scale its capability to mine and process seabed critical elements. Meanwhile, China continues to expand its deep-sea mining capabilities. Japan is also accelerating its deep-sea mining program and, in February 2026, recovered REEs from 6,000 meters below the surface of the Pacific Ocean.
Figure 4: Diagram showing how minerals containing critical elements can be extracted from the seabed Source: US Government Accountability Office)
Arctic ice volume has declined by more than 70% since the 1980s, opening new shipping routes and exposing vast natural resources. As ice retreats, significant deposits of critical elements such as cobalt, tin, and REEs are becoming accessible, alongside oil and gas reserves. Mineral-rich seabed nodules are also being uncovered, attracting increasing interest from both nation-states and private investors.
Greenlandcontains 25 of the European Commissionโs 34 designated critical raw materials as well as substantial oil and gas potential. Mining remains difficult due to harsh conditions and limited infrastructure, but continued ice retreat combined with sufficient capital investment could unlock resources of major economic and geopolitical importance.
Figures 5 and 6: Map showing critical minerals located on Greenland (left) Source: The Telegraph);Map showing critical minerals in the Arctic region (right) Source: The Economist)
Antarctica is currently off-limits to mining until at least 2048 under a 1991 environmental agreement that designated the continent as a natural reserve. Antarctica is believed to hold significant reserves of oil, coal, and iron ore, which are already attracting growing interest for the future. China and Russia have announced plans to expand their presence in Antarctica. Chinaโs intentions appear to be focused on resource exploitation, which could open up a new geopolitical fault line, this time in the South Pole.
Space is quickly becoming the next frontier for critical resource extraction. Critical elements are abundant on asteroids and on the Moon. As companies move toward space mining, the US and China are simultaneously racing to establish a permanent presence in space by the 2030s, intensifying an already highly competitive astropolitical environment.
What Is the Geopolitical Importance of REEs and Critical Elements?
Because industrialized nations need critical elements and REEs to manufacture advanced technologies, global demand is rapidly accelerating. Chinaโs control over critical elements and REEs stems primarily from its dominance of processing and refining rather than extraction. By controlling much of the worldโs REE separation and refining capacity, China holds significant leverage over global supply chains and strategic technologies.
This reliance has heightened anxiety in the US over access to critical and rare earth elements. In 2025, China demonstrated its leverage by threatening to suspend REE exports to the US, which compelled Washington to back away from plans to restrict the transfer of critical semiconductor technology.
The US government has since accelerated international critical minerals deals and begun investing in US mining operations to minimize its reliance on China, where over 90% of the worldโs REEs are processed. Furthermore, we are now seeing the US strategically stockpiling critical minerals and seeking to form โcritical minerals trade blocs.โ
Have Any Cyberattacks Been Linked to REEs and Critical Elements?
State-sponsored cyber capabilities are deployed to support national objectives linked to mining operations and the exploration of new critical minerals.
In 2021, Insikt Group identified infrastructure previously linked to APT15, a Chinese state-sponsored threat actor targeting a Canada-based mining company focused on mining zinc, copper, and lead. While there is no public record of Chinese investment in that specific mining company, Chinese firms invested approximately CAD 40 million (USD $30 million) in other Canadian lithium miners during the same period. Ottawa later forced those companies to divest on national security grounds.
In 2025, Insikt Group identified several Chinese state-sponsored threat actors targeting an organization focused on monitoring and regulating seabed mining. These cyberattacks occurred around the same time that China entered into seabed exploration and mining partnerships with nations such as the Cook Islands, Kiribati, and Tonga. This campaign was almost certainly driven by a desire to gain advanced insight into deep-sea mining rules and rival nations' positions, helping it protect its critical minerals dominance and secure strategic seabed access ahead of its competitors.
Between January 2021 and January 2026, Insikt Group identified multiple sophisticated cyber operations targeting Indonesia. While not every intrusion can be conclusively attributed to mining activity, these attacks align with Chinaโs strategic interest in Indonesiaโs natural resources; for example, Chinese companies control about 75% of Indonesiaโs nickel refining capacity. Furthermore, Indonesia holds approximately 55 million metric tons of nickel reserves, which is over 40% of global reserves.
Figure 7: Timeline of Chinese cyber threat actor campaigns identified by Insikt Group targeting Indonesia from January 2021 to January 2026,alongside large mining deals Source: Recorded Future)
In 2025, a hacker group known as Silent Lynx (or YoroTrooper) was reported to be targeting Russia's mining sector. Security researchers assessed that Silent Lynx is likely Kazakhstan-based, due to its language fluency, use of local currency, and regional targeting.
Ransomware and criminal cyber groups frequently target the mining sector, primarily for financial gain. As the sectorโs global economic importance grows, it may attract increased extortion efforts. Insikt Group has previously identified ransomware groups operating in close coordination with state actors, effectively using ransomware as a smokescreen; as a result, we cannot rule out criminal groups increasingly providing access to mining organizations for state-sponsored cyber operations.
Figure 8: Data from Recorded Futureสผs Ransomware Dashboard showing the top five ransomware groups targeting the mining and metals sector in 2025 Source: Recorded Future)
Figure 9: Timeline from January 2021 to January 2026 showing mining companies being named on ransomware extortion sites,
alongside mining company access being sold on dark web sites Source: Recorded Future)
In 2024, Northern Minerals, an Australian rare earths producer, was compromised by the ransomware group BianLian. They published stolen data on the dark web shortly after Northern Minerals ordered Chinese-linked investors to divest their 10.4% stake. BianLian is a financially motivated group that opportunistically targets multiple sectors and is believed to be operated by Russia-based threat actors. While this leak was likely financially driven, state collusion cannot be ruled out, as state-sponsored threat actors increasingly hide operations behind criminal activity.
Outlook
The US and its allies will almost certainly intensify efforts to reduce strategic dependence on China for critical minerals. This is because control of mineral supply chains will be a decisive factor in determining leadership in the Fourth Industrial Revolution.
Mining activity will almost certainly expand into new frontiers, including the deep sea, the Arctic, and Antarctica, permanently reshaping both economic competition and geopolitical risk.
Space will very likely emerge as the final frontier for resource extraction. The US and China will accelerate competition to secure access to lunar and asteroid-based minerals, extending terrestrial resource rivalries beyond Earthโs orbit.
State-sponsored cyber threat actors operating on behalf of industrialized nations will almost certainly increase their focus on targeting mining companies and governments operating in strategically significant mining regions.
Criminal cyber activity will very likely increasingly serve as a smokescreen or initial access vector for state-sponsored operations targeting critical mineral mining companies.
Know your exposure to changes in critical mineral supplies: Map the locations of critical minerals in your products and suppliers, and identify potential single points of failure. Resilience question:Are there any single points of failure in critical products or business lines if China were to restrict the supply of REEs?
Build a fallback plan: Put backup suppliers, alternate materials, and realistic inventory buffers in place for the highest-risk supplies your organization relies on. Resilience question:What is our Plan B for our top three critical electronic supplies, such as laptops?
Prepare for criminal and state-sponsored cyberattacks: If you operate in or supply the mining and critical minerals sector, treat criminal intrusions as potentially more than financially motivated. In some cases, they may serve as cover for espionage. Actively monitor the latest indicators of compromise (IoCs) and the tactics, techniques, and procedures (TTPs) associated with threat actors known to target the sector or government bodies responsible for nation-state mining interests. Use Recorded Futureโs Threat Intelligence Module to monitor for dark web and closed-source mentions tied to mining targeting. Resilience question:If weโre hit with ransomware, how quickly can we restore operations? Do we have backup systems and data?
Map out your supply-chain risks: If your organization operates in or near the mining industry, you might have robust security measures โ but your suppliers might not. Use Recorded Futureโs Third-Party Intelligence Module to identify risks in your supply chain. Resilience question:Which supplier or contractor would cause us the most problems if they were hacked, and could they be easily hacked from what we can identify?
Monitor the new mining hotspots: Track developments in the Arctic, Greenland, Antarctica, deep-sea mining, and space, as rules and conflicts there can quickly affect supply and reputation. Use Recorded Futureโs Geopolitical Intelligence Module to gain visibility into new mining contracts and potential geopolitical risks from new deals. Resilience question:What early warning signs are we monitoring that could disrupt our supply chain in the next 6โ12 months?
Chinese-language, Telegram-based โguaranteeโ marketplaces are increasingly popular among Chinese-speaking criminal groups despite the widely publicized shutdown of Huione Guarantee in 2025. Although these guarantee marketplaces operate similarly to Huione Guarantee, they differ in their focus on particular aspects of cybercrime and in their targeting of specific geographies. To better understand these Chinese-language guarantee marketplaces, Insikt Group observed and analyzed another increasingly popular guarantee marketplace, dubbed Dabai Guarantee (โๅคง็ฝๆ ไฟโ).
Given that guarantee marketplaces typically involve hundreds to thousands of public and private channels, this report outlines how Insikt Group analysts navigated through just one of the Telegram channels belonging to Dabai Guaranteeโs large infrastructure. The channel is known as Dabai Guarantee Public Group 301 (@DBTM301), and its main objective is to conduct โsweepingโ operations (using illicit techniques to make purchases of physical goods at retailers or to withdraw and transact at country-specific ATMs) in South Korea and Japan. This report also includes the visible organizational structure of Dabai Guarantee Public Group 301, key rules, staff, and customer service functions.
This report primarily serves as an introduction to understanding how Chinese-language, Telegram-based guarantee marketplaces work and how to navigate them. It also includes interpretations of multiple criminal terminologies used by Chinese-speaking criminals, which are pivotal to understanding how Chinese cybercrime evolves over time. The cyber and fraud campaigns being promoted and launched on Dabai Guarantee and other similar guarantee marketplaces can negatively impact retail, banking, contactless payment providers, insurance companies, and individuals vulnerable to scam-related campaigns.
Key Findings
Dabai Guarantee is a platform that enables multiple Chinese-speaking threat groups with strong presences across multiple countries to coordinate and launch global-scale fraud and cyber campaigns.
Chinese-speaking syndicates are using Dabai Guarantee as a platform to facilitate campaigns involving financial and retail fraud, such as ATM withdrawal and ghost-tapping.
Criminal groups participating in campaigns are often siloed, acting independently, and restricting the sharing of information, resources, and goals, thereby creating barriers to tracking their activities.
Unlike conventional ghost-tapping campaigns that mainly target luxury businesses, โsweeping teamsโ typically purchase goods that are less expensive but still considered valuable to criminal groups and are relatively easy to transport (such as womenโs cosmetics and tobacco products), likely to avoid detection by law enforcement. The sweeping teams eventually resell them in other markets for cash.
Dabai Guaranteeโs bot search function makes it easy for Chinese-speaking criminals to enter specific search terms and be matched with existing public groups running those campaigns.
Background
Chinese-language guarantee marketplaces first emerged around 2021 with the launch of Huione Guarantee, serving as reliable alternatives to traditional dark web marketplaces accessible via the Tor network. Owners of traditional dark web marketplaces, such as Exchange Market and ChangโAn Sleepless Night, have close to full control over advertisements and transactions. These guarantee marketplaces seek to eliminate distrust stemming from criminal groups scamming one another, dark web marketplaces shutting down, potential exit scams, and parties failing to honor terms that were previously agreed upon. Furthermore, guarantee marketplaces operate on publicly accessible Telegram channels by design; these public channels are meant to be found and appeal to a wider Chinese-speaking audience that uses Telegram, noting that most Chinese criminals still use Telegram rather than Tor for communication.
Guarantee marketplaces are often different from typical peer-to-peer (P2P) transactions between threat actors. Guarantee marketplaces are one-stop shops that handle and facilitate all cryptocurrency transactions (typically Tether/USDT) and mediation services between parties, whereas P2P transactions typically take place directly between users or through a third-party escrow service. The preferred cryptocurrency of Chinese-speaking threat actors is USDT, a stablecoin pegged to the US dollar that maintains anonymity. Stablecoins are a type of cryptocurrency designed to maintain a stable value by pegging themselves to reserve assets, most commonly the US dollar, to mitigate the volatility of cryptocurrencies like Bitcoin. According to Chainalysisโs 2026 Crypto Crime Report, stablecoins have come to dominate the landscape of illicit transactions, accounting for 84% of all illicit transaction volume in 2025. Chinese cybercriminals prefer using stablecoins such as USDT due to their combination of price stability, ease of border transfer, and relative anonymity. USDT also helps Chinese cybercriminals bypass Chinaโs strict capital controls and traditional banking scrutiny to move money across borders.
In January 2025, Insikt Group published a report on the Chinese-language guarantee marketplace Huione Guarantee, โHuione Guarantee Serves as a One-Stop Shop for Chinese-Speaking Cybercriminals.โ The report described the activities facilitated by Huione Guarantee, which include investment fraud, money laundering, and various online scams. Despite Huione Guaranteeโs shutdown on May 13, 2025, Insikt Group observed that other guarantee marketplaces, such as Tudou and Xinbi, stepped in to fill the void left by Huione Guarantee's closure. According to Elliptic, Tudou Guarantee also shut down its operations in January 2026, after processing $12 billion in transactions. Even though Xinbi Guarantee was previously reported to have shut down, it has since been rebuilt and maintains a presence on Telegram as of this writing. Other, but not widely reported, active Chinese-language guarantee marketplaces operating on Telegram (besides Dabai Guarantee) are Yinuo, BoChuang, and Ouyi.
Guarantee marketplaces can also facilitate new attack vectors such as ghost-tapping. In July 2025, Insikt Group published a report titled โGhost-Tapping and the Chinese Cybercriminal Retail Fraud Ecosystem,โ which details how Chinese-speaking cybercriminals and syndicates work together to conduct retail fraud using near-field communications (NFC) relay tactics. As of February 2026, Insikt Group observed that Dabai Guarantee has emerged as a major player in Chinese-language cybercrime, with its Telegram-based infrastructure resembling that of Huione Guarantee and offering malicious services similar to those advertised on Huione Guarantee, which is now defunct.
Dabai Guarantee Overview
Dabai Guarantee is a Telegram-based marketplace, consisting of thousands of public and private Chinese-language Telegram groups, that operates in a manner similar to Huione, Tudou, and Xinbi guarantees; many of these services cater to โsmall to medium-sized clients.โ However, the operators of Dabai Guarantee do not maintain a clearnet website; they operate solely on Telegram, likely due to operational security (OPSEC) concerns. Operators of Dabai Guarantee likely chose not to have a clearnet website in light of Huioneโs โbad OPSECโ practices โ Huione Guaranteeโs clearnet website made tracking much easier for law enforcement officials and researchers, which likely contributed to FinCEN sanctioning the organization in May 2025. The Dabai platform is populated with third-party vendors providing various services that facilitate cybercriminal and fraud activities, including money laundering methods and services, compromised social media and e-commerce accounts, SIM cards, personally identifiable information (PII), malware-as-a-service (MaaS), deepfake technology, know-your-customer (KYC) bypass services, and more.
Dabai Guarantee was likely founded in December 2024, based on its Telegram Channelโs creation date. There are currently six known official main Telegram channels:
โๅ ฌ็พคๅฏผ่ช @dabaiโ (@dabai_a): โPublic Group for Navigation Purposeโ, 15,372 subscribers, as of this writing
โๅคง็ฝๆ ไฟๅคง็พคโ (@dabai_c): โDabai Guarantee Big Groupโ, 19,225 members, as of this writing
โๅคง็ฝไพ้้ข้โ (@dabaiyajing): โDabai Supply and Demand Channelโ, 17,085 subscribers, as of this writing
โๅคง็ฝๆ ไฟ่งๅโ (@dabai_e): โDabai Guarantee rulesโ, 428 subscribers, as of this writing
โๅคง็ฝๆ ไฟๅฎขๆไบบๅๅๅโ (@dabai_f): โDabai customer service listโ, 527 subscribers, as of this writing
Dabai Guaranteeโs public navigation channel, ๅ ฌ็พคๅฏผ่ช @dabai, is used to direct threat actors to different private/public Telegram channels to coordinate and collaborate on campaigns targeting both Chinese-speaking and non-Chinese-speaking victims. Below is a list of the service categories offered on the public Telegram groups on Dabai Guarantee. Each category has subcategories for more specific services. Each public Telegram group has a unique group number, the amount of the deposit made to Dabai Guarantee in USDT, the handles of group administrators and customer service representatives, the transaction rules, and a dedicated cryptocurrency wallet. More information can be found in Figure 1. These specialized channels include the following:
โๆตทๅค้้ฑผ็ฑปโ (โOverseas Phishingโ) โ Coordinate phishing campaigns against individuals residing outside of China
โไนฐๅ็ฑปโ (โTradingโ) โ Buy and sell gift cards, databases, SIM cards, social media burner accounts, IP addresses, and physical goods
โๅผๆต็ฑปโ (โTraffic generation methodsโ) โ Overseas SMS blasts, Baidu promotions, chat scripts, and other services
โๆฟๅ ็ฑปโ (โAcceptance methodsโ) โ Payment methods accepted by merchants include Alipay, WeChat Pay, and cryptocurrencies
โ้้ๅไฝ็ฑปโ (โCooperation Channelsโ) โ Motorcade teams to conduct overseas operations such as collecting or making payments via cash and cryptocurrencies, and logistic operations to move physical goods
โ็ญ่ง้ข็ฑปโ (โShort Videosโ) โ Short Douyin videos for promotions
โๅไฝ็ฑปโ (โCooperationโ) โ ID Loans, Apple IDs, courier delivery services, and burner mobile phones
โๅกๅ็ฑปโ (โCarding Merchantsโ) โ Money laundering through bank cards and contactless cash withdrawal without cards
โๆญๅปบ็ฑปโ (โDevelopersโ) โ Software and bot setup services, and Apple signing/server/VPN/domain setup services
โๅ ถไป็ฑปโ (โOthersโ) โ Other miscellaneous fraud services, social escort services, police impersonation, artificial intelligence (AI), and search engine optimization (SEO)-related services
โๆธธๆ็ฑปๅ ฌ็พคโ (โGaming-related public groupsโ) โ Online gambling and video games
Figure 1:Dabai Guaranteeโs public navigation purpose Telegram channel โๅ ฌ็พคๅฏผ่ช @dabaiโ, with listed categories(Source: Telegram)
Dabai Guaranteeโs Rules (@dabai_e)
Dabai Guaranteeโs rules channel (@dabai_e) has posted rules to prevent impersonation of the marketplace and to prevent users from creating their own โpublic groupsโ that are not officially regulated by Dabai Guaranteeโs administrators. Some of the rules also showcase Dabai Guaranteeโs OPSEC measures to prevent scamming and impersonation. The original Chinese text is in Appendix B. The following are some key rules:
Members are not allowed to create their own public group channel without Dabai Guarantee`s approval.
Members are not allowed to have private dealings with other parties or platforms, as Dabai Guarantee only guarantees transactions conducted on its platform. Dabai Guarantee also does not provide assurances for transactions with the Public Group โbossโ or any other administrator. This means that no individual should have any transactions with the boss directly and should instead use Dabai Guaranteeโs funds transfer mechanism.
Individuals who initiate a chat session with you are 100% scammers; members are to block and refrain from chatting with them.
The cryptocurrency address belonging to Dabai Guarantee is unique, and anyone sending other deposit addresses is a scammer.
After members have staked their cryptocurrency as deposits, they are required to send Dabai Guaranteeโs leadership screenshots of the deposit to @dabai for verification and confirmation. Any losses resulting from failure to contact @dabai will be the memberโs responsibility.
Case Study: Public Group 301
Group Structure
For this report, we will use the Telegram channel โPublic Group 301,โ which belongs to Dabai Guarantee, as a case study. This is not meant to be a comprehensive analysis of Dabai Guaranteeโs massive infrastructure and that of other Chinese-language guarantee marketplaces. It is difficult to accurately quantify how many โPublic Groupโ channels and threat groups are on Dabai Guarantee, as the numbers tagged to Public Groups are not assigned in chronological order, resulting in a lack of visibility โ unlike Huione Guarantee, which had a clearnet website that listed the Public Group channels to redirect threat actors. Although there are thousands of channels belonging to Dabai Guarantee alone, understanding Public Group 301โs structure can at least provide insight into how threat actors use Dabai Guarantee in their campaigns.
In guarantee marketplaces, threat actors looking to launch campaigns typically deposit USDT to start a public Telegram group approved by Dabai Guarantee. This model ensures that criminal syndicates do not have to deal with other threat actors directly, but have Dabai Guarantee as a mediator. In the case of Dabai Guaranteeโs Public Group 301, affiliate threat groups do not have to engage directly with the groupโs leader, @J0hnNo1, and instead receive payments from Dabai Guarantee after the completion of tasks required by @J0hnNo1. Guarantee marketplaces such as Huione, Tudou, Xinbi, and Dabai seek to eliminate the โlack of trustโ among Chinese-speaking threat actors. These marketplaces are designed to become trusted platforms that foster coordination and cooperation between different Chinese-speaking criminal groups to achieve their objectives.
Insikt Group navigated through Public Group 301โs Telegram infrastructure in order to identify the redirection flow. As shown in Figure 1, each category contains a hyperlink that redirects to other channels. From Figure 1, selecting category 5, sub-category 2 (โๆตทๅคๆซ่ดง่ฝฆ้โ, or โOverseas Goods Sweeping Teamโ) redirected to a pinned message as seen in Figure 2. This message lists four different public channels (โๅ ฌ็พคโ) containing campaigns targeting the US, Canada, South Korea, and Japan.
Figure 2:Selecting โๆตทๅคๆซ่ดง่ฝฆ้โ (Overseas Goods Sweeping Team) redirects users to four different Telegram groups, where threat actors are seen discussing and showing off their financial crime-related achievements in countries such as the US, Canada, South Korea, and Japan (Source: Telegram)
As seen in Figure 2, โๅ ฌ็พคโ refers to unique Public Group channels for specific purposes or operations. Each public channel here contains a numerical group identifier and a โUโ deposit amount, where โUโ refers to USDT. For example, โๅ ฌ็พค935ๅทฒๆผ2000Uโ refers to Public Group Number 935, with 2,000 USDT already being deposited in Dabai Guarantee to start the campaign. The naming convention for these Public Groups is โdbtmxxxโ; in this case, Public Group Number 935 will have the Telegram channel @dbtm935. When selecting the second option, โๅ ฌ็พค301ๅทฒๆผ1000U้ฉๅฝ๏ผๆฅๆฌๆซ่ดง็ปโ, which means Public Group Number 301, with 1,000 USDT already deposited to โsweep goodsโ in South Korea and Japan, the corresponding Telegram channel is @dbtm301.
Upon further investigation and analysis of the channel, Insikt Group assesses that โsweeping goodsโ refers to the use of illicit means, such as ghost-tapping, to purchase physical goods at physical retail stores (in this case, in South Korea and Japan). This activity also includes ATM cash withdrawals at Japanese or South Korean ATMs.
Key Personnel Involved in Public Group 301
The following terms are important for understanding the operations of criminals involved in Public Group 301, and the entire Dabai Guarantee infrastructure more broadly:
Boss (โ็พค่ๆฟโ): The main coordinator overseeing a groupโs operations. These individuals are not directly related to Dabai Guarantee and operate more like customers, making use of Dabai Guaranteeโs infrastructure to lay out tasks and promising payouts in USDT upon completion. The boss will typically start a campaign by placing significant deposits into Dabai Guaranteeโs USDT cryptocurrency addresses (โไธๆผๅฐๅโ) in order to get Dabai Guaranteeโs administrators to approve the creation of a Public Group channel. In Dabai Guaranteeโs Public Group 301 (@dbtm301), @J0hnNo1 is the boss of the channel. We observed that this threat actor intends to conduct ghost-tapping and fraud campaigns in Japan and South Korea, with the key objective of obtaining physical goods, cash, and funds through unauthorized transactions. Once the boss confirms receipt of the items and is satisfied with the outcome, they can ask Dabai Guarantee to release the payment to the criminals who participated in the requested task.
Channel Administrators (โ็ฎก็ๅโ): Dabai Guaranteeโs personnel who act as intermediaries between the boss and other Chinese syndicates, ensuring that the boss gets the items and physical cash, while the Chinese syndicates are paid in USDT. These are the people who will process the payments. Channel administrators will also inspect video evidence provided by sweeping and โgoods-receivingโ teams and wait for confirmation from the boss that everything is satisfactory before releasing payments to the various Chinese-speaking criminal groups.
Chinese Syndicates (โ็ฏ็ฝช็ป็ปโ): Teams in charge of providing the people (โmulesโ) to form sweeping and goods-receiving teams. These syndicates will coordinate with the boss and receive payment in USDT after completing the required jobs.
Sweeping Teams (โๆซ่ดง้โ): Personnel tasked by the boss or other administrators with obtaining physical goods or conducting ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud, and to eventually transfer the goods to โgoods receivingโ teams.
Goods Receiving Teams(โๆถ่ดง้โ): Personnel tasked by either the boss or their respective Chinese syndicates with receiving goods from sweeping teams; the items will eventually have to reach the โgoods inspection teams.โ
Goods Inspection Teams(โๆฃ่ดง้โ): Personnel tasked with physically inspecting the goods and cash being delivered by the sweeping or goods-receiving teams, typically appointed by bosses. When the โgoods receivingโ team is appointed by the boss, it is also possible that the โgoods receivingโ and โgoods inspectionโ teams are composed of the same personnel, each fulfilling multiple roles. These teams will inform the boss whether the physical goods are satisfactory, and the boss will proceed to ask Dabai Guarantee to release the payment to the sweeping and goods-receiving teams.
Insikt Group assesses that individuals in the sweeping, goods receiving, and goods inspection teams act as mules, and these teams likely consist of Chinese-speaking tourists who can amass large quantities of physical goods and cash and exit the targeted countries as soon as possible. It is also likely that Chinese-speaking groups have members who are long-term residents of the countries targeted by the operations, such as South Korea and Japan.
Figure 3:Simplified illustration of Dabai Guarantee Public Group 301โs structure (Source: Recorded Future Data)
Figure 3 is a simplified illustration of Dabai Guaranteeโs Public Group 301โs organizational structure. The barrier to entry for participating in โsweeping operationsโ is low, as participants just need to have the legal right to enter Japan or South Korea, pose as tourists, and follow the instructions given by the boss and other administrators. We estimate that there are likely more than a dozen sweeping teams linked to Dabai Guarantee operating in Japan and South Korea alone. Sweeping teams are likely assigned to obtain certain goods and cash in very specific areas and do not coordinate with one another because they are being deployed by different Chinese syndicates. This model suggests that operations are siloed, where teams act as independent, isolated units that restrict the sharing of information, resources, and goals.
Figure 4 shows the Telegram structure of Public Group 301, where @J0hnNo1 is the channel's boss. The channel is also composed of multiple Dabai Guarantee customer service staff, who serve as administrators. The original creator of the channel is @dbwb22; the Telegram account is no longer active, and @dbwb22 is no longer listed as one of Dabai Guaranteeโs official customer service agents.
Figure 4:List of key personnel in Dabai Guaranteeโs Public Group 301 (@dbtm301); @J0hnNo1 is listed as this groupโs public channel boss (Source: Telegram)
The distribution of these teams significantly complicates efforts by researchers and law enforcement agencies to track and deter such criminal activities. For example, if members of โSweeping Team Aโ are arrested for retail or financial fraud, law enforcement agencies will still need to locate the members of the โGoods Receiving Teamsโ and โGoods Inspection Teamsโ before they can even get close to decoding the identity of the boss, who is most likely coordinating operations from a location outside Japan or South Koreaโs jurisdiction, such as Cambodia or Myanmar. Additionally, these sweeping teams most likely consist of low-level mules who are considered โexpendablesโ by their Chinese syndicate recruiters. The screenshots in Figures 6, 7, 8, 9, and 10 illustrate the siloed operations conducted by different sweeping teams.
Figure 5 shows Dabai Guarantee customer service personnel @dbtm9 helping to set up public Telegram channel 301 on March 21, 2025, and serving as the channelโs key administrator. This individual serves as a mediator to facilitate transactions and dealings between the boss and other threat actors. The total amount of USDT deposited on that date was 485 USDT; as of this writing, it has risen to 1,000 USDT. The purpose of this channel is to encourage other threat actors to cooperate by taking part in sweeping and goods-receiving operations in Japan and South Korea. In the conversation below, the boss stated that the deposit amount will increase in proportion to the transaction amount. Insikt Group assesses that this would mean the sum of deposit scales with the size of operations in Japan and South Korea.
Figure 5:Screenshot of Public Group 301โs (@dbtm301) administrator (@dbtm9) establishing a group for โsweeping goodsโ and โreceiving goodsโ operations in South Korea and Japan
Figure 6 shows that the boss is looking to recruit sweeping teams to conduct operations in Seoul, South Korea. The main objective is to purchase cosmetics, and once the goods have been delivered, the rewards will be โhigh.โ The final sentence uses the term โ้ๅบฆๅฟซโ, which means that the boss welcomes any sweeping team that can conduct and complete these operations quickly.
Figure 6:Screenshot of Public Group 301 โbossโ @J0hnNo1 recruiting sweeping teams to purchase cosmetics in Seoul, South Korea (Source: Telegram)
Figure 7 features a sweeping team involved in purchasing tobacco-related products from the Terea brand at a CU store, a South Korean convenience store chain in Seoul, South Korea. It is clear that the boss has goods from specific brands they wish to obtain, and such goods may be resold for cash in other foreign markets at a later date, likely at a lower price to obtain hard currency as soon as possible. Insikt Group assesses that the items are very likely purchased using the ghost-tapping attack vector or through stolen payment card information. This reflects a shift from targeting luxury retailers to smaller-sized businesses, likely to avoid arousing suspicion from law enforcement authorities
Figure 7:Public Group 301โs boss @J0hnNo1 showing a CU receipt of tobacco sticks belonging to the Terea brand totaling 288,000 won, worth approximately $196 on March 25, 2025 (Source: Telegram)
Figure 8 shows an Apple Store receipt listing unspecified Apple products totaling 499,600 yen (approximately $3,145.66, as of this writing). Public Group 301โs boss @J0hnNo1 also stated, โWho said there are no large transactions in Japan? Just a single receipt amounted to 500,000 Yen.โ This is likely a post encouraging syndicates to send more sweeping teams to acquire as many Apple products as possible, while hinting that the rewards could be lucrative.
Figure 8:Public Group 301โs boss @J0hnNo1 showing an Apple store receipt of items totaling 499,600 yen, approximately $3,145.66 on December 28, 2025 (Source: Telegram)
Figure 9 provides some evidence that Vietnamese individuals are also involved in sweeping operations. In the top-left corner of the iPhone in the image, the Vietnamese phrase "Khรดng cรณ SIM" means "No SIM card." This indicates that the person holding the phone is very likely a Vietnamese-speaking individual conducting unauthorized banking transactions using burner iPhones. Every single burner phone appears to be tagged with a label, which is very similar to the tactics, techniques, and procedures (TTPs) we documented in our Insikt Group report on ghost-tapping. It is also likely that this individual understands Japanese in addition to Chinese, as they were observed interacting with a Japanese banking application that displayed processed transactions. The transactions shown in the screenshot are dated between July 30, 2025, and August 28, 2025. The ability to use Japanese banking applications is an indicator that this individual is legally residing in Japan. In general, most Japanese banks require foreigners to close their bank accounts before leaving permanently; these regulations are implemented by major Japanese banks such as Shinsei Bank.
Figure 9:Image posted by Public Group 301โs boss @J0hnNo1 involving multiple unauthorized banking transactions from July 30, 2025, to August 2025. Insikt Group assesses that this is indicative of a ghost-tapping campaign targeting Japanese retail businesses involving multiple Apple burner iPhones on August 28, 2025 (Source: Telegram)
Figure 10 shows what appears to be an ATM cash withdrawal or transfer attempt at a Japanese ATM at an unspecified bank. This screenshot is also likely shown as an example of what sweeping teams in charge of withdrawing and transferring cash are expected and required to do.
Figure 10:Public Group 301โs boss @J0hnNo1 posted an image of what Insikt Group assesses to be an ATM cash withdrawal/transfer using a Japanese ATM machine on April 23, 2025 (Source: Telegram)
Figure 11 shows a cryptocurrency transaction of 10,629 USDT via the Tron (TRX) network to a sweeping team for the successful completion of the โmission.โ The boss @J0hnNo1 thanked the sweeping team coordinator without identifying them. The exact phrase used while posting the image was โๆ่ฐข่ๆฟไฟกไปปโ, which translates from Chinese to โThank you boss for trusting me.โ Boss, in this context, refers to the Chinese syndicates that provide the sweeping teams for successful operations. In the entire Dabai Guarantee Public Group 301 channel, there were many screenshots of such cryptocurrency transactions being sent to teams that participated in sweeping operations. The boss redacts recipients' cryptocurrency wallet addresses to prevent law enforcement agencies from tracking them. The TRON wallet address used by Public Group 301 is TByDzGWCirpCABaUorkhz5eWhjyDdYWgSo, as shown in Figure 11; this wallet address has facilitated a total of 2,943 transactions as of this writing.
Figure 11:Multiple screenshots involving USDT transactions are posted on the channel, likely for transparency and to reassure the sweeping teams (Source: Telegram)
Dabai Guaranteeโs Staff and Customer Service Functions (@dabai_f)
Dabai Guarantee maintains a list of its official staff and customer service agents on its Telegram channel @dabai_f to facilitate the creation of Public Group channels and transactions. This system also helps prevent impersonation and scamming. Members are to contact customer service agents directly for any queries or concerns. The staff and customer service teams usually provide the functions listed in Tables 1 and 2; the customer service agents are listed in Figure 12 by their functions and Telegram handles.
Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
ๅคง็ฝๅ ฌ็พค
Main Dabai Public Group
Dabai Guaranteeโs directory, to help threat actors navigate through different aspects of cybercrime
@dabai_a
ไพๆฑไฟกๆฏ
Supply and demand information
A channel where Dabai Guaranteeโs administrators post advertisements on behalf of their customers (other threat actors)
@dabaiyajing
ๆ ธๅฟๅคง็พค
Core group
A channel where other threat actors can post their own advertisements and URLs for their websites, as well as key contact information, such as Telegram monikers
@dabai_c
ๅฎขๆ้ข้
Dabai Guaranteeโs official customer service channel
A channel for individuals to reach out to customer service officers who cater to different categories of cybercrime
@dabai_f
ไบบๅทฅๅฎขๆ @dabai ๅจ่ฏขใๆ็พคใๅนฟๅ
Human customer service agents for consultation, group chat, and advertising
A bot channel that redirects individuals to human customer service agents for consultation, group chat, and advertising
@dabai
ไบบๅทฅๅฎขๆ @dabai ไผๅใ่งฃๅฐใๆ่ฏ
Human customer service agents for membership queries, unblocking accounts, and complaints
A bot channel that redirects individuals to human customer service agents for membership queries, unblocking accounts, and complaints
@dabai
ไบบๅทฅๅฎขๆ @dabai ้ช็พคใไธขๅคฑ็พคๆขๅค
Human customer service agents for group verification and lost group recovery
This is to prevent impersonation, such as threat actors starting their own Public Group that is not officially approved by Dabai Guarantee.
There may be instances where Telegram deletes public channels for violating the terms of service, and the customer service team offers a service to restore them (This happened to Huione and Xinbi Guarantee; many of their channels were deleted by Telegram).
@dabai
ไบบๅทฅๅฎขๆ @dabai ็บ ็บทไปฒ่ฃใ่ตๆบๅฏนๆฅ
Human customer service agents for dispute arbitration and resource matching
Customer service agents will attempt to resolve disputes between criminal groups when an unsatisfactory outcome is reached for one or more parties. They can also moderate disputes on transactions between buyers and sellers.
Resource matching refers to customer service agents attempting to match criminal groups to certain existing groups that are already participating in specific campaigns. In addition, customer service agents can connect buyers with sellers of goods and services.
@dabai
24ๅฐๆถๅฎขๆๆบๅจไบบ
24-hour customer service bot
@dabai
ๅ ฌ็พคๆฅๅคๆบๅจไบบ
Public Group reporting bot
A bot that assists members in reporting violations of the terms of service
@dbhwbb_BOT
ๅ ฌ็พค่ฎฐ่ดฆๆบๅจไบบ
Public Group accounting bot
A bot that can help to look up transactions, real-time USDT pricing in relation to Chinese Renminbi (RMB), and cryptocurrency wallet monitoring
@dbjz_bot
ๅฎขๆไบบๅๅๅ (@dbtm0 - @dbtm10 ๏ผ
ๆๆๅทๆ ้ +888 ่ๆๅท ๆฒกๆไธๅพ้ชๅญ
Customer service staff lists (@dbtm0 โ @dbtm10)
All customer service numbers come with a +888 virtual number. Any number without this is a scam.
@dbtm0 โ @dbtm10
Table 1:List of Dabai Guaranteeโs official staff and functions (Source: Telegram, Recorded Future)
Chinese Term
English Term
Explanation of Function
Telegram Moniker/Channel
ไธๅกๅท๏ผๅคง็ฝ๏ผ
Business account (Dabai)
A business account belonging to a person called Dabai, with no specific function stated
@dbtm1
ไธๅกๅท๏ผ่่๏ผ
Business account (โMengmengโ โ Adminโs moniker)
A business account belonging to a person called Mengmeng, with no specific function stated
@dbtm9
ไธ็พคไบคๆๅ
Specialist traders
A group of agents well-versed in certain types of trade to facilitate coordination and cooperation in the public channels
@dbtm0
@dbtm3
@dbtm4
ๅ ฌ็พคไบคๆๅ
Public Group traders
A group of agents who facilitate cryptocurrency transactions, receive deposits, and release payments to other criminal groups
@dbtm7
@dbtm8
@dbtm10
ๅ ฌ็พคๅทกๆฅๅท
Public Group patrol account
A group of agents who direct individuals to specific Public Group channels based on what they are looking for
@dbtm2
ๆ ไฟไปฒ่ฃๅท
Guarantee arbitration number
A case reference number assigned by agents for any disputes between parties
@dbtm5
่ตๆบๅฏนๆฅๅท
Resource docking number
A unique number is assigned to a case or transaction to track conversational and transaction records
@dbtm6
Table 2:List of Dabai Guaranteeโs customer service agents (Source: Telegram, Recorded Future)
Figure 12:Dabai Guarantee customer service Telegram channel โๅคง็ฝๆ ไฟๅฎขๆไบบๅๅๅโ (@dabai_f) provides a list of customer service agents (Source: Telegram)
Automated Bot System Directs Chinese Syndicates to Relevant Public Groups for Existing Campaigns
Insikt Group analyzed the public administrator bot @dbdbqg_bot to observe how a Dabai Guarantee user would be routed by the platform to participate in cybercriminal activities. To use this functionality, individuals must enter search terms in Mandarin. We used the terms ่ฟ็จ (remote) and ๆฐๆฎ (data), which returned three and ten public channels, respectively. When querying for the term โ่ฟ็จโ (remote), which typically refers to ghost-tapping campaigns involving NFC relay methods, three Public Group channels appeared as relevant results. When querying for the term โๆฐๆฎโ (data), which typically refers to databases, ten Public Group channels specializing in datasets appeared in the results. In addition, using a country as a search term, such as ็พๅฝ (US), will also return results that show fraud or cyber campaigns targeting the US. This bot function demonstrates how easy it is for criminal groups to search for relevant groups, determine which campaigns they wish to participate in, and identify the types of datasets they are interested in procuring. Table 3 shows the number of Public Group channels involved in fraud or cyber campaigns for the search terms; specific details are not listed due to certain global entities named in the Public Group channels belonging to Dabai Guarantee.
Figure 13:Dabai Guaranteeโs public administrator bot @dbdbqg_bot has a search function that will return results relevant to the individualโs search (Source: Recorded Future Data)
Chinese Criminal Lingo and Corresponding English Meaning
@dbtm153 (64 members, 800 USDT deposit as of writing)
@dbtm439 (49 members, 777 USDT deposit as of writing)
@dbtm307 (268 members, 500 USDT deposit as of writing)
ๆฐๆฎ (Data)
10
Threat actors buying and selling databases
@dbtm123 (519 members, 888 USDT deposit as of writing)
@dbtm99 (49 members, 500 USDT deposit as of writing)
@dbtm688 (151 members, 500 USDT deposit as of writing)
@dbtm369 (65 members, 500 USDT deposit as of writing)
@dbtm567 (80 members, 2,888 USDT deposit as of writing)
@dbtm449 (177 members, 500 USDT deposit as of writing)
@dbtm298 (145 members, 500 USDT deposit as of writing)
@dbtm327 (89 members, 500 USDT deposit as of writing)
@dbtm211 (836 members, 500 USDT deposit as of writing)
@dbtm816 (851 members, 500 USDT deposit as of writing)
็พๅฝ (US)
2
Fraud or cyber campaigns targeting US entities
@dbtm322 (338 members, 500 USDT deposit as of writing)
@dbtm932 (956 members, 500 USDT deposit as of writing)
้้ฑผ (Phishing)
1
Phishing campaigns
@dbtm142 (234 members, 500 USDT deposit as of writing)
่ดฆๅท (Account)
2
Burner accounts being used for fraud campaigns
@dbtm322 (338 members, 500 USDT deposit as of writing)
@dbtm425 (60 members, 500 USDT deposit as of writing)
้ถ่ก (Bank)
2
Fraud campaigns targeting or involving banks worldwide
@dbtm420 (117 members, 500 USDT deposit as of writing)
@dbtm138 (50 members, 1,000 USDT deposit as of writing)
Table 3:Search results of Dabai Guaranteeโs Public Group channels using their bot function (Source: Telegram, Recorded Future)
Outlook
Even with guarantee marketplaces such as Huione Guarantee being shut down, many Chinese criminals are likely turning to these Telegram-based guarantee marketplaces to sell illicit goods and to offer their services. Guarantee marketplaces such as Dabai Guarantee have demonstrated their ability to coordinate operations in countries such as Japan, South Korea, Canada, and the US by using Chinese-speaking individuals who are traveling or residing in those geographies to conduct retail and financial fraud. Over time, Dabai Guarantee may be able to establish itself as a trusted escrow platform for Chinese syndicates to rely on, despite the growing competition from existing and new guarantee marketplaces. There is also a possibility that operators of other guarantee marketplaces could execute an exit scam, leading to a loss of trust in guarantee marketplaces as a whole among Chinese criminals.
Threat actors such as @J0hnNo1, the leader of Dabai Guarantee Public Group 301, seek to obtain physical goods and foreign currency through illegal means, giving specific instructions to different syndicates to complete their objectives. Such operations are scalable on demand and will become harder to track and disrupt over time due to the siloed nature of the sweeping and goods-receiving teams. This report showcases the activities and structure of a single group (Public Group 301), which is only one group among hundreds under Dabai Guaranteeโs decentralized and growing infrastructure. Ghost-tapping and ATM withdrawals are commonly used by Chinese-speaking criminals for money laundering, and we will likely continue to see more threat actors facilitating such financial and retail-related crime on multiple guarantee marketplaces.
Insikt Group assesses that Chinese syndicates will continue to recruit and deploy non-Chinese individuals with specific language skills to participate in campaigns, as exemplified by the Vietnamese individual mentioned in Figure 9.
Insikt Group assesses that guarantee marketplaces have solidified themselves as a major alternative to traditional Chinese-language dark web marketplaces. This decentralized model is becoming increasingly popular among the global Chinese-speaking criminal diaspora, enabling criminals without sophisticated skillsets to coordinate with syndicates and participate in operations that require physical elements.
Appendix A: Glossary of Terms
Chinese
Direct Translation
Definition with Relevant Context
ๅ ฌ็พค
Public Group
Public Telegram channel/group facilitates a specific campaign, usually ending with a number; for example, ๅ ฌ็พค 1025 means Public Group 1025
้ฃๆบ
Plane
Cryptocurrency
้ๆผ
Backing down
Withdrawal of funds from a Public Group
ไบคๆๆๅฐๅ
Transaction address
Cryptocurrency transaction wallet address
ไธๆผๅฐๅ
Betting/Staking Address
Unique cryptocurrency addresses owned by Dabai Guarantee are usually listed in Public Groups. Threat actors who wish to launch a specific campaign must stake enough cryptocurrency as a deposit to create a Public Group channel; they will become the channel's โboss.โ
็งไธๆ็พคๅๅ
Privately soliciting orders
ๆ้ป
Blackmail
When an individual blocks someone who contacts them directly (Dabai Guaranteeโs staff will never initiate private chats with any individual)
ๆ็พค
Pull the crowd
Start a new public Telegram group and get people to join it so other criminal groups can participate in a new, specific campaign
ๆซ่ดง
Sweep goods
To obtain physical goods or conduct ATM cash withdrawals, typically through illegal methods such as ghost-tapping or financial fraud
ๆถ่ดง
Receive goods
To receive goods, typically obtained by sweeping teams via illegal means
็พค่ๆฟ
Group boss
Main coordinator to coordinate with other Chinese-speaking criminal groups for cyber and/or fraud campaigns; individuals who staked USDT to get approval to start a Public Group channel on Dabai Guarantee
ๅๅ
Impersonate
Some scammers may impersonate group bosses or create Telegram groups with the intention of scamming other Chinese syndicates.
้ฑๅ ็ๅฌ
Wallet monitoring
To monitor cryptocurrency transactions in real time
ๅฎๆถUไปท
Real-time USDT value in relation to the Chinese Renminbi
Agentic AI adoption is accelerating rapidly as enterprise software and applications increasingly incorporate task-specific AI agents, enabling autonomous execution of complex tasks at machine speed.
The autonomy and scale of AI agents introduce significant enterprise risk, as errors, misconfigurations, or malicious manipulation can propagate quickly across interconnected systems, amplifying the potential impact of incidents.
Agentic AI will exacerbate existing weaknesses in software supply chains, as vulnerable or malicious open-source components can be deployed faster and at scale.
Identity and access management risks will also expand dramatically, as agents require broad, cross-environment permissions; compromised credentials, SSO platforms, or agent identities could enable large-scale service disruption or data exfiltration.
Prompt engineering enables threat actors to manipulate agents into carrying out malicious actions, underscoring the importance of layered security controls, zero-trust principles, and human-in-the-loop checkpoints to mitigate agent-driven threats.
Figure 1: AI agents have the potential to improve efficiency, reduce costs, and improve decision-making. However, the same features that make them so powerful will bring new security risks, and scale up old ones, if not managed effectively. (Image source: Recorded Future)
Analysis
Agentic Artificial Intelligence Is Set to Expand Rapidly
โAgentic artificial intelligenceโ refers to AI systems that can do things with limited human intervention. For example, traditional AI can draft code for a user who wants to build a website; agentic AI not only writes the code, but registers the domain and sets up hosting to launch the site.
Gartner predicts that as many as 40% of enterprise applications will incorporate task-specific AI agents by the end of 2026. A Deloitte report anticipates that at least 75% of companies will use agentic AI to some extent by 2028. The benefits of AI agents are that they can carry out complex tasks independently and at machine speed, working individually or as part of a multi-agent system.
However, the same features that make these systems powerful also introduce significant security risks. To operate effectively, agents need to seamlessly interact with other agents, humans, and software. This requires high degrees of trust, which can be exploited by malicious actors. Security best practices, notably zero-trust principles, are specifically designed to slow down these interactions, creating an inherent tension between AI agent implementation and security.
Agents Amplify Systemic Cybersecurity Weaknesses
Software engineering teams account for nearly 50% of AI use, demonstrating that AI is already deeply integrated into software development processes. This suggests that AI agents will likely play a significant role in future software development, working alongside human developers to generate, test, and deploy code.
The introduction of agents will amplify software supply-chain security weaknesses, allowing threat actors to take advantage of vulnerable or intentionally manipulated code to embed exploits in enterprise software. While these issues have existed long before AI or AI agents, the introduction of agents will cause these mistakes to be carried out faster and at scale. Initial studies suggest that AI-generated code is less secure than human-generated code, though AI coding performance is improving rapidly. Ensuring transparency and documentation in agent coding workflows is critical to ensuring a rigorous, secure development operations (SecDevOps) process.
Identity and access are additional enterprise security issues that AI agents are likely to amplify. For AI agents to operate effectively, they will also need access to various cloud applications and environments. This increases the complexity of identity management, as identity and permissions will need to extend to virtual agents.
Currently, many AI tools that connect to external data or to other tools operate in a trust-by-default mode, creating significant vulnerabilities. If this is extended to agentic AI, the potential harms from exploitation could increase significantly, as agents are capable of acts such as sending emails, deleting files, or authorizing payments. Defenders will need to ensure access permissions are properly managed and tracked for agentic users in the same way they manage permissions for traditional software and human users.
Figure 2: How AI agents may amplify current security weaknesses
(Image source: Recorded Future)
Prompt Engineering Remains a Pervasive Threat to Agents
While AI agents will accelerate existing enterprise security problems, they also introduce risks unique to artificial intelligence. Threat actors can deliver malicious instructions to AI agents via prompt engineering, causing the agents to act in alignment with the threat actors rather than with their legitimate users. Prompts can be delivered directly (through a chat interface), encoded in malware, or hidden in emails or other innocuous communications.
With the increased adoption of AI agents, threat actors may move further away from traditional malware and prioritize manipulating agents to scale and enhance operational efficiency. Targeting agents directly enables threat actors to leverage the speed and scale of AI agents, causing greater harm with a lower chance of detection or mitigation.
Figure 3: Potential attack scenarios weaponizing AI agents (Image source: Recorded Future)
Completely securing agents against prompt engineering is likely impossible. The need for AI agents to be useful will likely prevent developers from imposing fully effective guardrails against prompt engineering. This risk is similar to the difficulty of making humans resilient to social engineering operations. While training and awareness may help mitigate the effectiveness of some scams, threat actors continually find new ways to use peopleโs incentives against them.
Defenders can make AI agents more resilient to prompt engineering attacks by implementing layered security. Building in checkpoints where a human or another agent can assess or approve an action will help detect misaligned behavior and limit the potential harm. This is similar to fraud prevention or mitigation for human employees, such as procedures requiring additional approvals for transferring large sums of money.
Multi-agent AI Increases Unpredictability
As AI agents become more common, they will increasingly interact independently with each other to complete tasks. Multiple agents are susceptible to both intentional and accidental manipulation, which can manifest in unpredictable ways. Researchers have categorized these outcomes as:
Miscoordination: Agents cannot align behaviors to achieve an objective
Collusion: Unwanted cooperation between AI agents
Conflict: AI agents act to enhance their position at the expense of others
These outcomes can occur accidentally due to misaligned incentives and safety guardrails, or they can be programmed or intentionally manipulated. Despite safety guardrails, agents have been observed engaging in behavior they would otherwise have avoided. For example, AI agents on MoltBook, a social media network for bots, were observed disclosing potentially sensitive information about their users, including names, hobbies, hardware, and software (in addition to serious security failures associated with the site itself). Unwanted or unanticipated outcomes can occur when agents have free will to decide how they will carry out an objective.
Outlook
The first agentic data breach will very likely be the result of overly permissive environments: When threat actors succeed in using AI agents to carry out a breach, it will very likely be the result of an enterprise environment that operated using default permission settings.
Identity security will very likely shift toward โagent identity governanceโ: Enterprises will very likely expand identity and access management (IAM) frameworks to treat AI agents as priority digital identities, requiring lifecycle management, least-privilege enforcement, behavioral monitoring, and dedicated audit controls similar to (or stricter than) those in place for human users.
Prompt injection will likely evolve into a mainstream enterprise attack technique: Threat actors will likely increasingly prioritize manipulating AI agents over deploying traditional malware, using prompt injection, poisoned data inputs, and agent swarms to scale financial scams, cyber-physical disruption, and market manipulation โ driving demand for layered guardrails and human-in-the-loop validation controls.
AI will likely reshape cyber insurance risk modeling and pricing: As AI agents become embedded across enterprise environments, the cyber insurance industry will likely face greater uncertainty in modeling risk exposure. Insurers are likely to respond by tightening underwriting standards around AI governance, requiring demonstrable controls such as agent identity management, human-in-the-loop safeguards, and prompt injection resilience.
Enforce zero-trust for agent identities: Treat AI agents as privileged digital identities subject to least-privilege access controls. Use Recorded Future Identity Intelligence to monitor for data breaches that expose agentic identities as well as human identities.
Resilience Question:Do we have a strategy for onboarding virtual identities into our IAM solution?
Ensure visibility into agent behavior: Deploy continuous monitoring tailored to agent behavior, including logging agent decisions, prompts, and actions, and setting up detections for anomalous task execution patterns.
Resilience Question:Do we understand how and why agents are making decisions, and can we quickly detect misaligned actions?
Strengthen supply-chain and code governance: Extend SecDevOps controls to AI-generated and agent-modified code. Assess AI-generated code for vulnerabilities and monitor for hallucinated or typosquatted dependencies. Use Recorded Futureโs Third-Party Risk to monitor for downstream vulnerabilities in third-party software.
Resilience Question:Have we adapted SecDevOps to account for agentic coding?
Harden against prompt injection and input manipulation: Treat all external inputs as untrusted. Increase layered defenses to include multiple validation points and guardrails to minimize the impact of actions due to malicious prompts or inadvertent misalignment.
Resilience Question:What detections are in place to monitor for suspicious prompts?
The Iran situation remains volatile and uncertain, with material impacts for organizations.
Leaders should plan for multiple future scenarios, prioritizing resilience and effective decision-making
Current State (April 10)
Severe tensions persist despite a two-week ceasefire: The agreement remains fragile and conditional on reopening the Strait of Hormuz; each side has already accused Iran War: Future Scenarios and Business Implications the other of violations.
Maritime flows partially resume but remain uncertain: Disruptions and elevated security risks persist. President Trump has signaled readiness to resume strikes on Iranian infrastructure if ceasefire conditions are not met.
Economic conditions remain unstable: Energy markets remain volatile, with continued pressure on supply chains. Shipping, insurance, and aviation activity are only partially restored. Inside Iran, infrastructure damage is driving power shortages and industrial disruption.
Cyber activity has intensified: Operations targeting energy and critical infrastructure are increasing, reinforcing systemic risk across key sectors.
Figure 1: An explosion in Tehran, February 28, 2026 (Source:PBS)
Figure 2:Cone of Plausibility Overview: Iran Conflict(Source: Recorded Future)
Framework Overview
To assess how the Iran conflict could evolve over the next 6โ12 months, Insikt Group analyzed regional and global dynamics using the PESTLE-M framework, covering Political, Economic, Social, Technological, Legal, Environmental, and Military domains, with a focus on Iran, the United States, Israel, and Gulf States.
Figure 3: PESTLE-M Framework (Source: Recorded Future)
This analysis informed a scenario generation exercise using a Cone of Plausibility (CoP) method. The objective was not to predict a single outcome, but to explore a range of alternative futures based on observed signals and emerging trends.
Wildcard
Plausible
Baseline
Plausible
Figure 4: Cone of Plausibility Framework (Source: Recorded Future)
Methodology
For each PESTLE-M category, we identified key drivers that could increase or decrease the likelihood of escalation, de-escalation, or sustained instability, and assessed how these dynamics may evolve under different assumptions. These were combined to develop six scenarios: one baseline, two plausible (best and worst case), and three wildcard scenarios, enabling organizations to evaluate how the conflict may unfold and the potential impacts on their operating environment.
Within the CoP framework:
Drivers are signals and trends that could shape future developments
Assumptions reflect how those drivers may evolve over time
Scenarios describe how these dynamics could combine to produce distinct future states
We define scenarios as follows:
Baseline: A forward projection of current trends and conditions
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Baseline Scenario: Fragile Ceasefire with Sustained Economic Disruption
Infrastructure targeting -> Energy disruption continues
Figure 5: Brent oil prices and projections (Source: Oxford Economics)
Figure 6:Iran is also threatening maritime traffic through the Bab al-Mandab, another key route (Source:Times of India)
Baseline: A forward projection of current trends and conditions
Ceasefire holds, but conflict shifts into sustained economic warfare.
A fragile ceasefire reduces the pace of direct military exchanges strikes, but the drivers of conflict remain unresolved. Iran lacks the capacity for decisive escalation but retains asymmetric leverage, while the US prioritizes energy market stability and conflict containment. The Strait of Hormuz reopens only intermittently, with recurring disruptions, inspections, and security incidents, keeping shipping, insurance, and energy markets under sustained pressure. Gulf financial, logistics, and technology sectors operate intermittently, airlines maintain some route suspensions, and cyber activity remains elevated against regional infrastructure and Western-linked organizations. The conflict evolves into economic coercion as a primary tool, driving elevated oil and gas prices, persistent market volatility, and tighter financing conditions. Supply chains gradually reconfigure away from high-risk routes, increasing costs and reducing efficiency. Russia benefits from sustained high energy prices and reduced Western focus, strengthening its position in Ukraine. China capitalizes on fragmentation by expanding alternative trade and financial networks, reinforcing a more bifurcated global system.
Likelihood
Most likely if ceasefire holds without resolution: Conflict remains below full-scale war, but economic disruption persists as the dominant mode of competition.
Business Implications
Priority Actions (0-90 days)
Operational: Intermittent shipping, route, and supplier disruption increases cost and complexity
Stress-test exposure to Hormuz-related shipping and energy disruption
Financial: Elevated energy prices and volatility sustain margin pressure and tighter financing
Harden resilience for energy, logistics, and cyber-dependent operations
Competitive: Firms with diversified routing and lower energy exposure gain advantage
Review sanctions, insurance, and counterparty risk across key jurisdictions
Legal: Evolving sanctions and emergency measures raise compliance burden and enforcement risk
Reputational: Scrutiny over pricing, shortages, and regional exposure increases brand risk
Plausible Scenario (Best Case): Managed Stalemate
Key Drivers and Assumptions
US threats and military strikes fail to coerce Iran into concession -> Limited appetite for sustained conflict
Significant economic disruption -> Economic costs drive political decisions
US military footprint in region -> Potential for re-escalation
Figure 7: US President Trump delivers a warning to Iran at a White House Easter event (Source: PBS News)
Figure 8: Iran has used maritime traffic through the Strait of Hormuz as leverage in the conflict (Source: CNBC)
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
The US portrays its leadership decapitation campaign as successfully facilitating โregime change,โ creating space for diplomatic engagement with โnewโ leadership. Iran maintains increased level of oversight over the Strait of Hormuz, while internally the IRGC plays a greater role in strategic decision-making.
Domestic economic and political pressure leads to the US to scale back military operations without clear resolution of key regional security issues, including Iranโs right to nuclear enrichment, ballistic missile program, and support to regional proxies. Maritime traffic slowly returns to pre-war levels, with a new protocol for vessel traffic under an internationally accepted mandate. Iran retains an increased level of oversight over the Strait of Hormuz passages and profits from the traffic. This relieves some economic strain, though lingering supply chain effects remain. Cyber attacks persist as a means of asymmetric coercion. The US lifts some sanctions against the โnewโ regime, but other sanctions remain in place, complicating the regulatory environment. Interest in renewable energy increases as companies seek to mitigate against future disruption, though oil demand returns to pre-conflict norms. Israel continues limited, highly targeted strikes, while the US retains its military presence in the region, keeping the possibility for re-escalation open.
Likelihood
Less likely as conflict continues: This scenario assumes the USโs limited appetite for full-scale war, but the opportunities for de-escalation diminish as the conflict persists.
Business Implications
Priority Actions (0-90 days)
Operational: Recurring disruption risk for regional transport corridors, ports, and cross-border trade
Keep sanctions, export-control, and third-party due diligence on heightened alert
Financial: Long-term effects of recovery
Build redundancy into critical suppliers
Competitive: Competitors with diversified sourcing, redundancy, and mature sanctions controls are best positioned to withstand ongoing shocks
Maintain an elevated cyber posture
Legal: Continued tensions mean sanctions and export controls may tighten again with little notice
Tighten executive decision rights and trigger points for regional exposure
Reputational: Price increases tied to lingering supply-chain effects may trigger accusations of profiteering
Accelerate resilience investments with strategic upside, especially energy efficiency, renewable sourcing, and inventory visibility
Plausible Scenario (Worst Case): Regional Conflict with Gulf Involvement
Figure 9: The Saudi crown prince reportedly urged President Trump to continue war (Source: NYT)
Figure 10: The UAE has been proactive in the conflict, taking nonmilitary measures against Iran (Source: South China Post)
Plausible: A realistic alternative outcome based on evolving drivers and assumptions
Ceasefire collapses, triggering multi-state regional war.
A temporary ceasefire breaks down following renewed strikes and failure to secure maritime access. Iran escalates missile and proxy attacks, including targeting Gulf energy infrastructure. With critical thresholds crossed, Saudi Arabia, the UAE, and Bahrain enter the conflict directly to protect economic and political stability. The Strait of Hormuz and Bab al-Mandab become sustained conflict zones, with repeated attacks, mining, and vessel seizures. Shipping and insurance markets withdraw at scale, severely constraining global energy flows. Energy prices surge, driving inflation and recession risk globally. Fuel shortages emerge in import-dependent economies, triggering industrial slowdowns, reduced mobility, and rolling outages. Cyber operations escalate into coordinated campaigns targeting energy, logistics, and financial systems. Legal fragmentation accelerates, with overlapping sanctions regimes, asset controls, and enforcement actions constraining cross-border operations. Russia exploits elevated energy revenues and reduced Western focus to press its advantage in Ukraine. China remains indirect but leverages Western overstretch to increase pressure on Taiwan.
Likelihood
More likely if ceasefire collapses and Gulf assets are targeted: Escalation becomes self-reinforcing once regional actors are drawn into direct conflict.
Business Implications
Priority Actions (0-90 days)
Operational: Supplier and production relocation, increased redundancy, and higher cost and complexity
Harden critical infrastructure dependences (energy, logistics, third parties)
Financial: Energy costs and inflation drive margin pressure, while financing becomes tighter and more expensive
Test business continuity under outage scenarios
Competitive: Resilient, energy-secure firms gain advantage; exposed firms lose share
Segment and isolate high-value systems; prioritize offline backups and rapid recovery
Legal: Fragmented, fast-changing sanctions increase compliance burden and legal risk
Review third-party and regional concentration risk, particularly for Middle
Reputational: Scrutiny over pricing, shortages, and exposure drives brand and trust risk
Establish crisis governance and decision cadence
Wildcard Scenario 1: Lasting Peace Agreement
Key Drivers and Assumptions
Severe degradation of Iranian infrastructure -> Iran compelled to concede
Global economic disruption โ International support for peace process
Sustained disruption to Hormuz and energy markets โ Mutual incentive to stabilize
Figure 11:Pakistan has offered to host talks to broker peace between US, Iran (Source:Time)
Figure 12:Traffic through the Strait of Hormuz dropped significantly since conflict began (Source:Lloyd's List)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Negotiated settlement reached between the US and Iran, allowing for longterm drawdown of conflict. Significant degradation of Iranโs energy, military, and industrial infrastructure, combined with mounting economic strain, power shortages, and reduced capacity to sustain conflict, compels Tehran to reassess its position and signal willingness to accept concessions. In parallel, the United States faces rising economic costs from prolonged energy disruption, inflation, and market instability, increasing pressure to stabilize conditions. A negotiated settlement emerges through indirect talks, mediated by Oman, with Iran accepting concessions on maritime security and nuclear constraints in exchange for phased sanctions relief and assurances against further strikes. Iran seeks a revised Strait of Hormuz security framework and limited economic concessions, though broader demands such as reparations are only partially addressed. The Strait of Hormuz fully reopens under agreed security mechanisms, restoring stable shipping and energy flows. Sanctions ease gradually, enabling reintegration of Iranian energy exports and limited foreign investment. Military activity declines sharply, cyber operations reduce, and global energy markets stabilise, easing inflationary pressures and improving financial conditions.
Likelihood
Low probability: Requires significant concessions from one side under sustained pressure.
Business Implications
Priority Actions (0-90 days)
Operational: Supply chains stabilize, enabling efficiency gains and reduced redundancy
Monitor stabilization signals and time market re-entry strategically
Financial: Lower energy prices ease margin pressure and improve access to capital
Secure long-term energy and supply contracts at favorable prices
Competitive: Early movers capture growth opportunities in recovering markets
Re-optimize supply chains and reduce excess redundancy
Legal: Sanctions easing reduces compliance burden and enables cross-border activity
Reassess sanctions exposure and compliance frameworks
Reputational: Stabilization and reinvestment strengthen stakeholder trust
Align growth and investment strategy to recovering regional markets
Wildcard Scenario 2: Iranian Regime Collapses
Key Drivers and Assumptions
Decades of political repression -> No viable alternative to Iranian regime
Sectarian and political unrest -> Protracted internal conflict
Targeting of leadership -> Regime instability and eventual collapse
Figure 13: Mass protests against the regime in December 2025 were brutally repressed (Source: Le Monde)
Figure 14: Displaced Syrians have lived in refugee camps for ten years, demonstrating the long-term impacts of internal conflict (Source: UNHCR)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
The Islamic Republic collapses, plunging the country into a civil war and complex humanitarian crisis.
The US and Israelโs persistent โdecapitation strategyโ weakens the regime to the point where it is no longer able to assert internal control. With no viable alternative, the country falls into a multiparty civil war made up of pro-regime, pro-democracy, and assorted regional and ideological militias. Food and fuel shortages are severe in certain regions. Refugee camps are built in Iraq while Europeโs asylum system faces overwhelming demands. The US claims Kharg Island in the chaos and asserts control over the Strait of Hormuz, mitigating international economic damage. However, the political instability gives pro-regime and other ideological groups a base for asymmetric operations, leading to persistent regional disruption. Cyber capabilities degrade amid internal fighting, though some hacktivist operations persist against a wider variety of ideological enemies. Damage to water and energy facilities sustained during the conflict exacerbates humanitarian crisis and slows recovery. Russia supplies military support to pro-regime factions, but not enough to significantly tilt the balance of power.
Likelihood
Long-term resilience of regime and viability of alternatives is unknown, making it difficult to assess likelihood with confidence.
Business Implications
Priority Actions (0-90 days)
Operational: Reduced reliability of just-in-time inventory models, especially for firms dependent on Gulf maritime corridors
Segment critical operations
Financial: Long-term increase in operational and energy costs
Harden sanctions and third-party controls
Competitive: Larger firms use stronger government relationships or balance sheets to secure logistics
Require an immediate review of regional dependencies, with backup routing and alternate sourcing plans for critical business lines
Ensure employee protection measures are ready across the region
Reputational: Activist or online campaigns tying the firm to foreign intervention or opportunism
Create a 90-day resilience plan including decision triggers for escalation or market withdrawal
Wildcard Scenario 3: Nuclear Crisis
Key Drivers and Assumptions
Protracted high-intensity conflict -> Increased likelihood of miscalculation
Location of facility -> Risks of radiological contamination spread by air and water
Diplomatic failures -> Inability to coordinate on response
Figure 15:Bushehr has not yet been a direct target, though missiles have landed near it (Source:Development Aid)
Figure 16:Weather patterns following the Chernobyl nuclear disaster spread radiological material affecting up to 6 million people (Source:UNSCEAR)
Wildcard: A low-probability, high-impact scenario that challenges existing assumptions
Missile strikes hitting a nuclear facility lead to a radiological incident, causing immediate global shock and rapid escalation.
A missile strike causes extensive damage to Iranโs Bushehr civilian nuclear power facility, causing radiological release with cross-border contamination. This occurs due to escalation, miscalculation, or degraded command and control. Immediate impacts include evacuation zones and disruption to regional energy supply. Emergency response efforts are delayed by ongoing conflict, limiting containment and extending environmental and economic damage. As a result, southern Iran and Gulf States experience long-term harm to drinking water supply and maritime food sources. The conflict also prevents long-term monitoring in Iran, which extends the long-term health and environmental damage from inadvertent exposure. Contamination further restricts maritime trade routes in the Gulf, while energy markets react sharply to both supply disruption and elevated systemic risk. Cyber and information operations amplify panic and misinformation.
Likelihood
Low probability, high impact: Risk of intentional or unintended strike increases under sustained conflict.
Business Implications
Priority Actions (0-90 days)
Operational: Disruption to regional operations and supply chains; site closures
Activate crisis management and continuity protocols
Financial: Extreme market volatility and energy price spikes
Protect personnel and account for regional workforce exposure
Competitive: Firms with geographic diversification gain advantage
Secure critical systems and prepare for sustained disruption
Legal: Emergency regulations, sanctions, and liability exposure increase
Identify alternative routes and supply chain contingencies
Reputational: Heightened scrutiny around safety, workforce protection, and response
Manage disinformation through strong crisis communications process
Venezuelan Acting President Delcy Rodrรญguezสผs policy decisions will affect economic and political stability in Venezuela in the coming months. Her approach will likely be shaped by a deep familiarity with the state security apparatus, her revolutionary identity, a demonstrated willingness to break from orthodoxy and seek coordination with Washington, an interest in restoring support for the ruling United Socialist Party of Venezuela PSUV, and a long memory for perceived slights. These principles, paired with changing local power dynamics after the January 3, 2026, United States US special operation to capture former Venezuelan President Nicolรกs Maduro and his wife, Cilia Flores, suggest Rodrรญguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning. At the same time, she will likely find ways to cooperate with the US in ways designed to preserve the rule of PSUV and her credibility with other members of the ruling coalition. Rodrรญguezสผs core objectives are very likely to preserve PSUV rule and resist an opposition-led transfer of power, while maximizing the economic benefits of reengagement with Washington, including sanctions relief, investment, and a possible economic recovery. This will likely contribute to Rodrรญguez governing in a manner that avoids high-risk moves that could fracture her coalition or trigger instability that undermines her utility to the White House. In this approach, the biggest internal threat she faces in the short term is very likely PSUV rivals, including Interior Minister Diosdado Cabello, and other military and economic elites who perceive US engagement as a direct threat to their interests. While it is impossible to predict every move the Venezuelan government may take, public and private organizations can better anticipate risks to stability and investments โ such as resistance to US-supported reforms or evidence of internal divisions in the regime โ by systematically monitoring the rhetoric and actions of Delcy Rodrรญguez, Diosdado Cabello, and other senior officials using the Recorded Futureยฎ Intelligence Operations Platform
Key Findings
The January 3, 2026, US operation provoked panic among Venezuelan elites and fueled deep uncertainty regarding the plan to succeed Maduro, which was only resolved when US signaling prompted Venezuelan institutions to confirm that Rodrรญguez would assume presidential duties.
Rodrรญguezสผs hold on power is threatened internally by rival PSUV figures, chief among them Interior Minister Diosdado Cabello and his network of allies across Venezuelaสผs security apparatus and among pro-government armed groups.
Externally, the main threats to Rodrรญguezสผs power stem from US leverage over Caracas, including US geopolitical aims to bring Venezuela further under Washingtonสผs influence as well as US officialsสผ stated pursuit of a transition and support for the opposition faction led by Marรญa Corina Machado.
To avoid a destabilizing rupture that could trigger US backlash, Delcy Rodrรญguez will very likely prioritize internal governability and economic stabilization, cooperating with Washington enough to see sustained sanctions relief while seeking to manage rather than expel hardline rivals from her coalition.
To preserve her own credibility and influence in Venezuela, Rodrรญguez is likely to pair compliance with Washingtonสผs demands with โface-savingหฎ gestures that assert Venezuelan sovereignty, and to resist genuinely competitive elections unless economic gains materially improve the PSUVสผs electoral odds.
Assessing Current Dynamics in Venezuela
Over the past 25 years, US-Venezuela relations have worsened as Venezuelaโs government actively sought to oppose US interests in the Western Hemisphere, deepened relations with US rivals around the globe, and became increasingly authoritarian. This began under the deceased former president Hugo Chรกvez, whose movement, known as โChavismo,โ has governed the country since 1999. After Nicolรกs Maduro took power in Venezuela following Chรกvezโs death in 2013, he accelerated the consolidation of power and the erosion of democratic institutions begun by his predecessor. The US responded by imposing financial and oil sanctions meant to limit Venezuelaโs ability to profit from its vast oil reserves and sanctioning over 200 members of the Venezuelan elite. The US pressure campaign on Venezuela accelerated in late 2025 under President Donald Trump, who deployed a historic number of naval assets to the Caribbean.
This military campaign culminated at around 02:00 Venezuelan Standard Time (VET) on January 3, 2026, when US special forces carried out airstrikes and a surgical intervention into Venezuela as part of an operation to capture and extract Maduro and his wife, Cilia Flores, to face drug trafficking and terrorism charges in New York. These events were the most significant US military operation in Latin America since the 1989 invasion of Panama, and ratified a new US doctrine that emphasizes primacy and willingness to use all available tools (economic, diplomatic, and military) to advance US interests in the Western Hemisphere, as laid out in the 2025 National Security Strategy. In Venezuela, the events of January 3 precipitated the most impactful shakeup of the countryโs political order in decades.
While Acting President Delcy Rodrรญguez has signaled an openness to working with US priorities, this cooperation is affected by active tensions among the ruling elite and longstanding mistrust between Washington and Caracas. Understanding the events of January 3, 2026, and the immediate aftermath is crucial to evaluating the state of play on the ground and in the bilateral relationship.
Uncertainty in the Immediate Aftermath of the US Operation
In the immediate aftermath of the January 3 operation, there was widespread uncertainty in Venezuela regarding the future of PSUV rule. While the constitutional line of succession makes clear that the vice president should assume power in the presidentโs absence, initial messages from Venezuelan officials emphasized solidarity with Maduro and Flores rather than offering clarity on the future of PSUV governance. There was no official public reaction to the operation from the Venezuelan government until 04:14 VET, when former Defense Minister Vladimir Padrino Lรณpez published a video on social media condemning the attack. He stated that Venezuelaโs military โ the Bolivarian Armed Forces (FANB) โ was declaring a national emergency and deploying at strategic points around the country and called for unity against โimperialist threats.โ Statements from Venezuelan officials since then confirmed the raid but did not clarify the makeup of the Venezuelan government.
Figure 1:Venezuelan state TV broadcast showing Rodrรญguez presiding over a meeting of the
The first clarity on Venezuelaโs future leadership came from Washington. At roughly 11:50 EST (12:50 VET), US president Donald Trump gave a public address in which he explicitly stated that Washington would work with Rodrรญguez as it assumed a more direct role in overseeing the countryโs energy and security policies. Trump also said that Marรญa Corina Machado, the most popular opposition figure in the country (who had been outside the country since December 2025 and is currently in Washington) did not โhave the support within or the respect within the countryโ to rule. While Trump claimed that Rodrรญguez had been "sworn in," Rodrรญguezโs hold on power was not publicly ratified until 15:20 VET. At that time, state television aired footage of the Council of National Defense, a body made up of the main institutional leaders of the country, featuring Rodrรญguez chairing the meeting and Cabello, Lรณpez, and National Assembly President Jorge Rodrรญguez (Delcy Rodrรญguezโs brother) present. It was not until roughly 22:00 VET that state media began circulating a decision from the Constitutional Chamber of the Venezuelan Supreme Tribunal of Justice (TSJ) that made clear that Rodrรญguez would assume the duties of the president. In its ruling, the TSJ invoked a Chรกvez-era precedent to overrule constitutional language that would otherwise require her to schedule an early election, effectively indicating that Rodrรญguez is very likely seeking a mandate until Maduroโs term ends in January 2031. Neither Rodrรญguez nor any other official has yet made this claim explicit, and US officials have suggested that new elections should be held before then. On January 5, she was officially sworn into office in a televised ceremony held in the National Assembly in the presence of key figures in the regime and diplomats from China, Iran, Russia, and Cuba.
US-Venezuela Relations Since January 3
Since January 3, the US has generally signaled support for a working relationship with Delcy Rodrรญguez, while making clear that Washington expects full cooperation with its energy and security priorities. In the immediate aftermath of the operation, President Trump told reporters that he might consider a second strike if Rodrรญguez did not cooperate, but then, on January 9, announced on Truth Social that he had โcancelled the previously expected second Wave of Attacksโ in response to the Venezuelan government releasing a number of political prisoners. Since this announcement, Trump has sought to 1 convey that he and Rodrรญguez work closely together. On March 5, 2026, Trump posted on social media that Rodrรญguez is โdoing a great job, and working with US Representatives very well.โ
US Secretary of State Marco Rubio has also expressed a willingness to work with Rodrรญguezโs interim government, but provided more explicit emphasis on a transition as the ultimate end goal of US policy. Speaking to reporters on January 7, Rubio described the US approach as consisting of three main phases: stabilization, recovery, and transition. Stabilization, he stated, is needed to prevent Venezuela from โdescending into chaos,โ which would be avoided by US control over oil-sale proceeds. Rubio clarified that the โrecoveryโ phase would be aimed at reopening the oil sector to US and other Western firms, and it would ultimately be followed by a โprocess of transitionโ that would include reconciliation among Venezuelans. This three-phase framing has been echoed by other US officials, although to date, no fixed timeframe for a transition has been made public. US officials have also said that severing Venezuelaโs ties to Russia, China, Cuba, and other US geopolitical adversaries is a top priority in the relationship.
US-Venezuela coordination on energy policy appears to be advancing rapidly. On January 29, Venezuelaโs PSUV-controlled National Assembly passed a reform to the countryโs Organic Hydrocarbons Law, aimed at increasing autonomy for private companies involved in the countryโs oil and gas industry. While the revised law continues to assert state ownership over hydrocarbon reserves, it broadens the mechanisms through which private companies can participate in upstream activity, including allowing private operators โ via contracts with state-owned energy company Petrรณleos de Venezuela S.A. (PDVSA) or joint ventures โ to assume operational control while retaining a share of production. The reform also introduces a much more flexible framework for royalties and taxes, which can be set on a case-by-case basis by the Ministry of Energy, with royalties of up to 30% and taxes of up to 15%. Previous windfall taxes have been eliminated in this reform.
US support for revitalized energy cooperation with Venezuela has been enthusiastic, and President Trump has actively encouraged US and other Western oil companies to invest as much as $100 billion in Venezuela. Two days after the passage of the Organic Hydrocarbons Law reforms, the US sent Chargรฉ dโAffaires Laura Dogu, who leads the Venezuela Affairs Unit out of the US Embassy in Colombia, to Caracas, where she is tasked with overseeing the restoration of diplomatic ties with Venezuela. While Dogu has conveyed US support for closer relations, she has reiterated US support for an eventual transition. On February 2, she met with Rodrรญguez, and afterward posted on X that in the meeting she reiterated โthe three phases that Secretary Rubio has outlined for Venezuela: stabilization, economic recovery and reconciliation, and transition.โ
In the wake of the Organic Hydrocarbons Law reform, the US Treasury Departmentโs Office of Foreign Assets Control (OFAC) issued a series of general licenses allowing US and other Western companies to produce, refine, transport, and sell oil without seeking individual exemptions, effectively lifting sanctions that had previously restricted these activities (see Appendix A). These OFAC licenses mandate that any authorized transactions with Venezuela's government or state energy company PDVSA must follow US laws (with disputes being resolved in the US), and that payments to the Venezuelan government or any other Venezuelan sanctioned entity be made into a US-overseen fund. US support for energy investment in Venezuela was emphasized from February 11 to 12, when US Energy Secretary Chris Wright led a delegation to Caracas to meet with Rodrรญguez, becoming the highest-ranking US official to visit Venezuela in years.
Figure 2:US Energy Secretary Chris Wright examining crude oil at a PDVSA project site with Rodrรญguez (Source:Social Media)
Internal and External Threats Confronting Acting President Rodrรญguez
Since Acting President Rodrรญguez took over from Maduro in the immediate aftermath of the US operation on January 3, she has voiced support for cooperation with Washington โ but her incentives to cooperate fully are very likely limited. Rodrรญguez is aware of Washingtonโs โthree point planโ for Venezuela and is likely supportive of US plans to stabilize the country, lift sanctions, and promote investment. However, she is almost certainly seeking to preserve her rule and a government led by the PSUV, and will very likely resist any attempt to preside over a transition of power to an opposition-led government. Her ability to do so will very likely depend on her ability to consolidate power and manage potential spoilers within her own coalition, as well as her ability to deepen cooperation with US interests and demonstrate utility to the White House. In doing so, she faces a number of internal and external threats to her rule, which include challenges by rivals inside the ruling PSUV over the next six to twelve months, and pressure by Washington to hold new elections over the next twelve to twenty-four months.
Internal Threats to Rodrรญguezโs Rule
The main internal threat to Rodrรญguezโs power in the short term is other members of the ruling elite. She has steadily worked to consolidate power and secure the support of the military and intelligence services, but her support among the countryโs political and economic sectors is far from settled. There are almost certainly key figures in the security forces, the business community, and in the ruling party who view Rodrรญguez, and her relationship with the US, as a challenge to the previous status quo and its associated privileges, economic arrangements, and patronage schemes. They may be concerned about their future influence, immunity
As Rodrรญguez continues to establish her rule, some of these individuals may seek to oppose her, either by seeking to derail or sabotage her rapprochement with Washington or by openly rebelling against her. In this context, an attempted palace coup cannot be ruled out. Her primary rivals include the following figures and networks, each of whom has a distinct power base and incentive to view Rodrรญguez as an adversary or rival:
Diosdado Cabello, Minister of Interior, Justice and Peace. Cabello is a senior power broker within the ruling party and has been the PSUVโs Secretary General since 2011. He has deep connections to the security services and hardline enforcement networks, including to pro-government armed paramilitary organizations known as โcolectivosโ (see Figure 3). State media has sought to downplay reported tensions between Cabello and Rodrรญguez, but Cabelloโs incentives to undermine her are straightforward: Her consolidation of power threatens his influence over the party, the security apparatus, and his networks. He is also the only current cabinet member who was named in the unsealed drug trafficking indictment US prosecutors issued to capture Maduro, and he likely suspects that Rodrรญguez may eventually hand him over to the US.
General Vladimir Padrino Lรณpez, former Minister of Defense. Padrinoโs Lopezโs likely core incentive is to preserve the influence he accumulated after over a decade as the institutional head of the FANB, and to preserve the patronage networks he developed as the countryโs longest-serving defense minister. He also likely seeks to protect himself and senior officers loyal to him from eventual prosecution for corrupt activities or involvement in repression, and therefore very likely views Rodrรญguezโs government as a challenge to longstanding FANB impunity. While there is no public evidence of any cracks between Padrino Lรณpez and Rodrรญguez, it is very likely that he will resist meaningful reforms inside the armed forces
Major General Alexis Rodrรญguez Cabello, Director of the Servicio Bolivariano de Inteligencia Nacional (SEBIN). Cabello is a cousin of Diosdado Cabello and is believed to be close to him. As head of the primary intelligence service, Rodrรญguez Cabello has strong incentives to resist reforms that would expose him or his network to prosecution, and to preempt any purge that might impact him or his network.
Major General Ivรกn Rafael Hernรกndez Dala, former director of the General Directorate of Military Counterintelligence (DGCIM). Hernรกndez Dala, a close confidant of Maduro, was head of DGCIM until replaced by Rodrรญguez in January 2026. He is also believed to be a longstanding opponent of both Rodrรญguez and Cabello, and of their respective factions in the PSUV. Even if sidelined from formal command, Hernรกndez Dala likely retains networks inside the intelligence and security apparatus. He likely has incentives to undermine Rodrรญguez if he anticipates facing prosecution for past abuses, loss of status, or exclusion from any protection or economic deals between Washington and Caracas.
Business and Political Elites Tied to Maduro. Maduro and Flores dominated Venezuelan politics for nearly thirteen years. During that time, they cultivated a vast network of well-connected economic, military, and political elites that helped them sustain power. Many of them are not overtly tied to the Rodrรญguez siblings, and instead may be willing to ally themselves with rival factions to advance their own interests. Possible figures in this category include:
Tarek William Saab, Acting Ombudsman. Until his resignation in February 2026, Saab served as attorney general since 2017 and held significant influence over how the repressive apparatus was deployed, overseeing detentions and prisoner releases. Saabโs resignation was very likely forced, and he has clear incentives to resist any reform process that reduces his discretion or creates a credible path to independent investigations into past repression or corruption.
Nicolas Maduro Guerra, also known as โNicolasito.โ A member of the National Assembly and son of Maduro and Flores, Maduro Guerra is not one of the top PSUV powerbrokers in his own right but has played a crucial role in securing continuity by appearing publicly with Rodrรญguez and claiming she has his parentsโ full support. Given lingering questions over internal Chavista involvement in the January 3 operation, he has leverage to complicate Rodrรญguezโs narrative and may seek to use it if he feels that his interests are threatened by the Rodrรญguez administration.
Alex Saab. Saab played a crucial role in facilitating sanctions evasion networks until his arrest by US law enforcement in 2020. Saab was later returned to Venezuela in a 2023 prisoner swap, and Maduro rewarded him by making him Minister of Industry and National Production. Rodrรญguez replaced him in January 2026, likely understanding that Saab was not palatable for US business interests, but Saab likely retains enough social capital within Venezuelaโs private sector to pose a challenge to Rodrรญguez. This is the likely reason why Saab was reportedly detained by Venezuelan intelligence in February 2026, although his lawyer has maintained that he is not under arrest.
Figure 3:Illustration of key internal rivals of Venezuelan Acting President Delcy Rodrรญguez (Source: Recorded Future)
External Threats to Rodrรญguezโs Rule
US Pressure to Box Out Geopolitical Adversaries
In the short term, the most significant external threat that Rodrรญguez faces is a reversal of United States policy โ either via renewed military or intelligence operations intended to force her removal, or through a more indirect pressure campaign meant to trigger a domestic fracture. A second US special forces operation to depose her outright is unlikely, but it remains a scenario Rodrรญguez and her circle will have to treat seriously, given the direct and disproportionate leverage that Washington currently holds over Caracas. More likely than further military action is the prospect of renewed pressure: the US can calibrate sanctions relief, revoke OFAC licences, and facilitate or block diplomatic recognition in ways that shape incentives and perceptions of the regimeโs survivability among Venezuelan elites. Recent reporting suggests Washington is simultaneously pursuing deepened energy engagement while remaining skeptical about whether Rodrรญguez will fully align with US strategic demands, which increases the possibility of an abrupt shift away from Rodrรญguez if she does not deliver on US priorities.
A major fault line in the US-Venezuela relationship is Venezuelaโs ongoing relationships with US geopolitical adversaries, namely China, Russia, Iran, and Cuba, even as the US has increasingly sought to box them out of Venezuela. US officials publicly demanded that Venezuela cut ties with adversary nations and have actively moved to push them out. The US has successfully pressured Venezuela to end fuel shipments to Cuba, and OFAC general licenses intended to facilitate Venezuelan oil and gas activity explicitly do not authorize transactions involving Russian, Chinese, or Iranian entities. In spite of this, Rodrรญguez has sought to publicly demonstrate an interest in retaining these partnerships.
Opposition Efforts to Limit US-Venezuela Engagement
Another short-term external threat to Rodrรญguez is opposition figure Marรญa Corina Machado. While she remains the most popular opposition figure in Venezuela, and her faction has a demonstrated capacity to organize protests on the ground, these have so far not presented a significant threat to stability or to PSUV governance. Her presence in Washington since December 2025, however, has provided her with a major platform to directly shape the US foreign policy debate over Venezuela. With Machado and close advisors operating from Washington, she has advanced a narrative publicly supportive of the US agenda while privately calling on allies in Congress and in the international community to press for a clearer timetable for new elections and the ouster of the PSUV. She has also used her platform to promise she will return soon, and to highlight perceived inconsistencies between Rodrรญguezโs actions and her rhetoric, noting, for instance, the gap between the governmentโs claimed political prisoner release numbers and the figures cited by independent rights organizations.
Figure 4:Photo of Venezuelan opposition leader Maria Corina Machado at a rally ahead of the 2024 presidential election (Source:Reuters)
Machado has received strong support from bipartisan lawmakers in the US House and Senate, who have questioned US engagement with Rodrรญguez. While Machadoโs efforts to raise the political cost of engagement with the Rodrรญguez government have earned her support from some allies in Washington, the White House has reportedly expressed frustration with her criticism, with officials claiming it undermines US policy. These efforts very likely represent a lesser threat to Rodrรญguezโs hold on power, given White House insistence on working with Rodrรญguez, but introduce persistent uncertainty into the sustainability of US support for her.
Calls for a Competitive Election
Beyond these immediate pressures, the most important mid-term threat to Rodrรญguez and to future PSUV rule is the election timeline reportedly being promoted by the Trump administration. While the US has refrained from presenting a specific timetable, officials ranging from Chargรฉ dโAffaires Dogu to Secretaries Rubio and Wright have increasingly signaled publicly that the US expects to see new elections in the next eighteen to twenty-four months. The specifics of these elections, like whether they would be only presidential or include broader general elections (to replace the PSUV-dominated National Assembly), have not been disclosed, but the US insistence on elections in some form very likely forces Rodrรญguez to reconcile her approach to coalition management with a desire to seek electoral legitimacy on a compressed timeline.
At the moment, Rodrรญguez, her inner circle, and PSUV elites almost certainly view a competitive presidential election as an existential threat. Polls have repeatedly demonstrated that the PSUV is unpopular. While Rodrรญguez is the most popular figure in the PSUV, she would very likely lose a presidential race with Machado by a two-to-one margin, and Machado would very likely defeat any PSUV candidate absent a significant shift in public opinion. Maduroโs removal has not automatically revived grassroots loyalty to the ruling party, with local PSUV leaders describing fractures, demobilization, and severe drops in participation inside local party structures since January 2026.
Given the PSUVโs lack of legitimacy, US support for elections will likely become a flash point in the relationship with Rodriguez. These tensions will also very likely be exacerbated by opposition mobilization inside the country and Machadoโs efforts to marshal support in Washington. While US authorities have not yet demanded that Machado be allowed to return to Venezuela (and has reportedly asked her to delay any plans to this effect), her return is almost certain to occur well in advance of an election as she has openly said she will run. The temporary re-arrest of opposition figure Juan Pablo Guanipa in February after he began organizing anti-government rallies suggests the ruling party will likely seek to use the repressive apparatus to restrict Machadoโs campaigning efforts, elevating the likelihood of pre-election instability. Even if a competitive election is held under the PSUV, the experience of the July 2024 election suggests that the ruling party is unlikely to recognize the results if the opposition wins, raising the likelihood of post-election instability, protests, and violence.
Delcy Rodrรญguezโs Origins and Principles of Her Approach to Decisionmaking
Before her emergence in recent years as the face of relative economic pragmatism in Chavismo, Delcy Rodrรญguezโs background was not well-known internationally. But her rise to power reveals a number of factors that likely inform her approach to governance and likely impact the prospect for political and economic stability moving forward. These include:
Familiarity with Venezuelaโs Intelligence and Repressive Apparatus: In addition to her reputation as an economic reformer, Rodrรญguez likely has a deep familiarity with intelligence work that, according to state media, goes back to the Chรกvez years. In 2002-2003, she reportedly worked with the SEBINโs predecessor agency, the Direcciรณn General Sectorial de los Servicios de Inteligencia y Prevenciรณn (DISIP), on undisclosed counterintelligence work involving โgeopolitical reportsโ with former DISIP head Eliezer Otaiza. From the time she rose to the office of Executive Vice President in 2018 until 2021, the SEBIN technically fell under her office. While there is no publicly available evidence that she explicitly directed SEBIN-led repression of dissidents, her role likely afforded her a deep familiarity with the main Venezuelan intelligence agencyโs response during the governmentโs crackdown on the post-2018 election protests and the 2019 protest wave led by opposition figure Juan Guaidรณ. It is likely that she was, at a minimum, aware of acts of torture, extrajudicial executions, arbitrary detentions, and other alleged human rights violations and crimes against humanity since 2014 that have been credibly documented by the Independent International Fact-Finding Mission on Venezuela created by the United Nations (UN) Human Rights Council.
Identity Shaped by Revolutionary Politics: Rodrรญguez was born in Caracas in 1969 and grew up in a politically active left-wing family. Her father, Jorge Antonio Rodrรญguez, founded an armed urban guerrilla group and was killed in police custody in 1976, allegedly under interrogation. His death made him a martyr among the Venezuelan left, which cemented the revolutionary identities of Rodrรญguez and her older brother Jorge from an early age. Rodrรญguez has framed her decision to study law as an effort to โdo justice for her fatherโs case,โ and both she and her brother routinely cite his death as a justification for their support for Hugo Chรกvez and the movement he founded. In public, Rodrรญguez has repeatedly expressed strong support for the ruling partyโs socialist ideology. In a September 2019 address to the United Nations General Assembly, she criticized โcapitalist supremacismโ and ended with a call to โsave the world from capitalist violence.โ
Willingness to Break from Ideological Purity: In practice, Rodrรญguezโs rise demonstrates that she is open to abandoning ideological purity in order to accomplish her objectives. Unlike Maduro and other ruling party figures who developed close personal ties to Chรกvez, she had a notoriously poor relationship with the former leader and spent significant time outside Venezuela in her formative years. Rodrรญguez studied law at the Central University of Venezuela, but later pursued postgraduate studies abroad in labor law in London and Paris, and reportedly spent time in the United States. She speaks English and French. Rodrรญguez returned to Venezuela after an opposition-led failed coup attempt against Chรกvez in 2002, and first worked as an advisor in the Foreign Ministry, and then as Deputy Minister for European Affairs before ending up as Chรกvezโs Minister for Presidential Affairs. She did not last long in this position, however, and was abruptly dismissed after she reportedly argued with and insulted him during a presidential visit to Moscow. Rodrรญguez then adopted a lower profile in Venezuelan political life until Maduro took power, who made her his foreign minister in 2014. As foreign minister (2014-2017), president of the pro-government National Constituent Assembly (2017-2018), and then as executive vice president (2018-2026), she developed a reputation as a shrewd political operator and staunch Maduro ally.
Interest in Addressing PSUVโs Declining Popularity: Although Rodrรญguez was and arguably remains a Maduro ally, she has demonstrated a clear awareness of how the PSUVโs economic mismanagement has led to its declining popularity and has shown an interest in reversing it. Ahead of the 2018 presidential election, she briefly led a satellite party of the PSUV called the Movimiento Somos Venezuela (โWe Are Venezuela Movementโ) and served as its leader in a likely attempt to โrebrandโ Chavismo and connect with a younger generation of Venezuelans. She was officially reincorporated into the PSUVโs leadership in late 2018 after her party failed to account for more than six percent of Maduroโs reelection vote. When Maduro made Rodrรญguez his Minister of Economy in 2020, she began to advance an agenda of relative economic liberalization, and brought on a team of Ecuadorean advisors to impose tighter fiscal discipline and stabilize the exchange rate, eventually promoting the de facto dollarization of the economy. The success of the policies contributed to a modest but important economic rebound and led Maduro to appoint her in 2024 as Energy Minister as well, a post she technically still occupies. In overseeing this economic agenda, she began to cultivate a reputation for herself as less of an ideologue and more of a pragmatist, and began to pursue closer relationships with major energy companies and other investors. This reputation almost certainly contributed to the US decision to engage with her government after removing Maduro.
Calculating Operator with Sense of Persecution: Rodrรญguez has a history of keeping track of past instances where she has been slighted, even referring to her support of Chavismo and of its revolution as her and her brotherโs โpersonal revengeโ for the death of their father. Rodrรญguez herself has alluded to this trait on state media. In a 2024 appearance on the Con Maduro Podcast, she recalled running into former Argentine President Mauricio Macri, a vocal critic of the Venezuelan government, at the 2022 World Cup in Qatar. Macri had recently been made the Executive Chairman of the FIFA Foundation, and, according to Rodrรญguez, she shook his hand and told him: "Did you see where you are now, and where we are? We're with the Venezuelan people. And you? You're here picking up balls.โ Rodrรญguez is also a savvy operator, and her rise to prominence reflects not only her ability to deliver on economic policy objectives but also her ability to outmaneuver rivals. The best-known instance of this is her leadership of an anti-corruption campaign in 2024, which resulted in the imprisonment of former vice president, oil minister, and longtime rival Tareck El Aissami.
Openness to Dialogue with Washington: Even before the current rapprochement between Washington and Caracas, Rodrรญguez was known for consistently favoring a deeper diplomatic relationship with Washington โ albeit one built on mutual respect. During the 2022 phase of exploratory talks in which the two countries negotiated sanctions relief in exchange for holding presidential elections in 2024, Rodrรญguez publicly maintained that the relationship โcannot be conditioned,โ saying that Venezuelaโs doors were open to any country that arrived โwith respectโ and treated it as an equal under international law. During this period, she specifically centered the importance of discussing US oil and gas interests in bilateral diplomacy, saying that Venezuela was willing to pursue โenergy dialogueโ with US firms, indicating a view of energy cooperation as a channel for de-escalating tensions.
A Framework for Anticipating Delcy Rodrรญguezโs Policy Decisions
When Delcy Rodrรญguez faces policy decisions that impact economic and political stability in Venezuela in the coming months, her approach is likely informed by the pillars described above: her revolutionary identity, tactical pragmatism, openness to US engagement, an interest in restoring popular support for the PSUV, a long memory for slights, and familiarity with the security apparatus, as well as the internal and external short- and mid-term threats to her rule. Given these factors, Insikt Group assesses that she is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while likely cooperating with the US in ways that preserve her credibility inside the ruling coalition. This matters for prospective investors because it suggests the Venezuelan government is likely to seek to maintain a pragmatic economic policy environment focused on short-term macroeconomic stability. At the same time, companies seeking to invest will almost certainly continue to face elevated sanctions compliance risks and potential policy reversals depending on the evolving Washington-Caracas relationship, making it critical to closely monitor Rodrรญguezโs evolving policy decisions and internal relationships.
Coalition Management over Open Confrontation with Rivals
Rodrรญguez will likely prioritize maintaining and reconfiguring her coalition over seeking conflict with internal rivals, because the external pressure she faces makes internal rupture more risky than compromise. Her main rival, Diosdado Cabello, has significant sway over the repressive apparatus and over pro-government armed โcolectivosโ loyal to him, and his removal could therefore provoke unrest and destabilizing violence. This is precisely the kind of chaos Washington has sought to avoid, and very likely why it opted to keep Rodrรญguez in place as interim president in the first place. She therefore likely assesses that purging, detaining, or otherwise sidelining Cabello or other top PSUV rivals could risk calling into question her ability to maintain order, and would undermine her position with Washington as a lynchpin of relative calm and continuity.
This is likely the reason that Rodrรญguez has sought to balance the ruling coalition since taking power rather than immediately shaping it to align with her preferences. Although she elevated her allies to higher positions in her government early in her tenure โ such as appointing Calixto Ortega as Vice President of Economy โ she has largely kept the ruling apparatus in place. Not only has she left a number of other figures close to Cabello in their positions, but she has also promoted figures in Cabelloโs network. Just three days after Maduroโs capture, she named Gustavo Gonzรกlez Lรณpez, believed to be a Cabello ally, to lead both the Presidential Honor Guard and the Directorate General of Military Counterintelligence (DGCIM). On March 18, she also named Gonzรกlez Lรณpez to be her Defense Minister, replacing Padrino Lรณpez. She also appointed Cabelloโs daughter, Daniella Cabello, to be Minister of Tourism โ a significant post that will afford her a direct role in reopening Venezuela to international commercial activity. These moves were likely taken out of a desire to effectively secure Cabelloโs support for her economic normalization agenda.
Face-Saving Cooperation with Washington
Rodrรญguez will likely continue to cooperate with Washingtonโs energy priorities, but she will very likely pair this compliance with visible signaling aimed at saving face with PSUV loyalists. This is likely why, even as she has received high-level US officials in Caracas and even spoken with Trump over the phone, she has publicly demonstrated support for retaining partnerships with US adversaries. On January 8, for instance, Cuban Foreign Minister Bruno Rodrรญguez traveled to Caracas and accompanied the interim president to speak at a commemoration event at Venezuelaโs Military Academy for the Cuban and Venezuelan casualties from the January 3 US operation to capture Maduro. This was Rodrรญguezโs first event in which she officially presided over a military ceremony as commander in chief of the armed forces. On the same day, state-run media reported that Rodrรญguez held a meeting with Chinese Ambassador to Venezuela Lan Hu, in which she thanked China for its support for Venezuelan sovereignty and described the encounter as โcordial.โ The ambassadors of China, Russia, and Iran were given front row seats to Rodrรญguezโs January 5 swearing-in ceremony, and state TV broadcast images of the Venezuelan leader greeting them affectionately.
Figure 5:Screenshot of Venezuelan state TV broadcast showing Chinese ambassador Lan Hu, Russian ambassador Sergey Mรฉlik-Bagdasรกrov, and Iranian ambassador Ali Chegueni were prominently seated at Venezuelan Acting President Delcy Rodrรญguezโs January 5, 2025, swearing-in ceremony (Source:Telesur)
Such gestures will very likely continue as they offer Rodrรญguez a way to preserve credibility among PSUV elites and everyday party faithful. She can claim that her rapidly evolving relationship with Washington is a sovereign decision that improves stability and living conditions, rather than a relationship that is shaped by a drastically uneven playing field. As part of presenting an image of mixed compliance with Washingtonโs demands for Venezuelan audiences, she will almost certainly continue insisting that Maduro remains the legitimate president and demand his return, even as she works to consolidate her own power.
Leveraging Hardliners to Justify Non-Compliance
The internal rivalries identified above represent significant threats to Rodrรญguezโs legitimacy inside the PSUV and her claim to power, and attempting to balance her coalition while consolidating her control will almost certainly be a major challenge for Rodrรญguez. However, it is likely that Rodrรญguez will, over time, point to alleged hardliners to justify selective non-compliance with US aims, credibly or otherwise. Ultimately, it may be useful for Rodrรญguez to be able to point to ongoing tensions in her coalition or the prospect of instability as a way of warding off US pressure for an eventual transition or for competitive elections to be held. This justification is likely to lose credibility over time if she continues to consolidate administrative control and accumulate legitimacy, especially if she presides over significant economic gains amid US sanctions relief. Ultimately, the very steps that allow her to consolidate her rule may eventually be used by Washington to justify accelerating the end of it.
Resistance to Elections if Seen as an Existential Threat
Rodrรญguezโs past political experience and the PSUVโs record across more than 25 years of governing suggest the Venezuelan government will very likely seek to maximize political gain from any economic growth resulting from US sanctions relief and economic normalization. And while US officials have routinely conveyed that they expect elections to be held in the next two years, the Venezuelan government is almost certain to resist or sabotage elections unless it perceives that economic improvement has boosted the PSUVโs chances of winning a competitive election. Even then, the PSUV will very likely seek to use its control of government to activate patronage networks, divert public resources to politicized social programs, and attempt to present legal obstacles to opposition campaigning โ just as it did in the lead-up to the 2024 presidential election.
Ultimately, this logic is consistent with how Chavista elites have historically conceptualized elections: In multiple instances of US-backed talks meant to offer sanctions relief in exchange for competitive elections, Venezuelan government negotiators routinely argued that elections can be considered โfairโ only if voters can judge the government without the distorting economic effects of sanctions. If economic growth does not translate into a boost in popular support for the ruling party, Rodrรญguez will likely come under increasing pressure from rivals to resist a US-backed transition. It is therefore likely that democratization in Venezuela will be phased and gradual, not immediate, and will likely depend in large part on whether elements of the ruling elite see a viable future for themselves in the country as a possible outcome after alternating power.
Outlook
Over the coming months, Delcy Rodrรญguez is very likely to prioritize near-term governability and economic stabilization over maximalist ideological positioning, while still finding ways to cooperate with the United States that preserve her rule and credibility inside the ruling PSUV coalition. In the short- to mid-term, the main challenge she faces is the threat posed by internal rivals who may feel threatened by her reforms. This makes her cabinet changes, and evidence of backlash among political and economic elites, crucial variables to watch. In confronting internal threats to her rule, she will likely pursue a strategy of coalition management over one of open confrontation. Even as Rodrรญguez continues to consolidate power and tries to keep hardline rivals contained, she will likely avoid high-risk moves that could fracture elite support and risk threatening her relationship with Washington.
In the short and mid terms, the main flashpoints will be US pressure to end Caracasโs relationships with Moscow, Beijing, and other US adversaries, as well as US pressure to hold competitive elections in the next two years and eventually to advance a political transition. Rodrรญguez and PSUV elites likely view a genuinely competitive presidential vote as an existential threat. As a result, the government is almost certain to resist or sabotage competitive elections unless economic improvement significantly boosts the PSUVโs electoral odds. Even then, it would likely use patronage, politicized social programs, and legal obstacles to constrain opposition campaigning and preserve an institutional advantage. This raises the prospect of instability both in the lead-up and in the aftermath of any elections, given the likelihood of opposition protests and an associated crackdown. Given these dynamics, any transition is more likely to be phased and gradual than immediate, with stability hinging on whether Rodrรญguez is able to consolidate support among the ruling elite and whether the broader Chavista coalition can see a viable future for itself under any eventual alternation of power.
Appendix A: 2026 OFAC Licenses Issued for Venezuela
Authorizes US persons to export/reexport/sell/supply US-origin diluents to Venezuela even when transactions involve the Government of Venezuela, PDVSA, or PDVSA-majority entities, as long as contracts are governed by US law and disputes are resolved in the US
Authorizes โestablished US entitiesโ to engage in transactions that are ordinarily incident and necessary to the lifting, export/reexport, sale/resale, supply, storage, marketing, purchase, delivery, transportation, and refining of Venezuelan-origin oil, including related logistics, even when the activity involves the Government of Venezuela, PDVSA, or PDVSA-majority entities
Authorizes OFAC to permit the provision from the US of goods, technology, software, and services needed for oil and gas exploration, development, production, and maintenance in Venezuela, even when transactions involve the Government of Venezuela and PDVSA
Authorizes transactions otherwise that are โrelated to the negotiation of and entry intoโ contingent contracts with the Government of Venezuela, PDVSA, or PDVSA-majority-owned entities โ so long as the contractโs performance is expressly contingent on separate OFAC authorization
Authorizes transactions related to oil or gas sector operations in Venezuela conducted by specified companies and their subsidiaries, provided contracts are governed by US law (with disputes resolved in the US) and most payments to blocked persons (including taxes/royalties) are routed to specified US-directed deposit funds
Table 1:A list of OFAC general licenses issued since the passage of the Venezuela hydrocarbons law(source: US Office of Foreign Assets Control)
This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demonstrate increased sophistication in their operations, adapting their tactics, techniques, and procedures (TTPs) over time, while still relying primarily on traditional methods such as phishing and social engineering, malware distribution, and ransomware. Based on our analysis, we have determined that Brazil, Mexico, and Argentina were the countries most targeted by financially motivated cybercriminals, likely because they are LAC's largest economies. Additionally, based on this research, Insikt Group found that threat actors often targeted critical industries such as healthcare, finance, and government because they hold high-value data, face operational urgency, and, at times, rely on legacy systems that may be vulnerable.
Key Findings
Insikt Group assesses that criminal forum DarkForums and the messaging platform Telegram are the primary special-access forums and communications platforms used by threat actors operating in or targeting the LAC region.
Threat actors operating in or targeting LAC are typically financially motivated and frequently leverage social engineering, ransomware, and various forms of mobile malware to gain initial access to government, healthcare, and financial institutions.
In 2025, Insikt Group recorded 452 ransomware incidents impacting the LAC region. The top five industries affected were healthcare, manufacturing, government, information technology, and education, all of which observed a noticeable increase in attacks compared to the previous year.
Insikt Group continued to identify banking trojans being leveraged by threat actors, with established variants being the most widely used. Specifically, threat actors used banking trojans in targeted smishing campaigns targeting WhatsApp users to gain access to financial data and steal credentials.
Insikt Group identified LummaC2 as the most prolific information stealer (infostealer) affecting organizations in LAC in the first half of 2025 and Vidar in the second half, following law enforcement disruption of LummaC2.
Background
In the aftermath of the COVID-19 pandemic, the LAC region underwent rapid digital development that outpaced security maturity, leading to asymmetrical cloud adoption, reliance on legacy infrastructure, and the introduction of remote work across all verticals. Many organizations adopted software-as-a-service (SaaS) platforms without effectively implementing strong access controls or multi-factor authentication (MFA) methods, leaving them exposed to ransomware and data theft, among other cyberattacks. Economic instability (inflation and currency controls) in LAC countries has created incentives for cybercrime while weakening institutional defenses. Political volatility, social protests, and corruption have created new opportunities for financially and politically motivated threat actors. Compounded factors such as high youth unemployment, income inequality, and the influence of informal economies have driven individuals to seek alternative sources of income, which in turn fuels much of the cybercrime we see today.
According to a World Economic Forum report, 13% of respondents in the LAC region expressed low confidence in their countryโs preparedness to respond to significant cyber incidents. Despite significant progress in digital government, regulatory advancements, and investments in the region, many countries still lack the technical competence in their workforce and the resources to sustainably harden their environments. Many LAC government networks hold large amounts of sensitive data but are deficient in their security best practices, leaving their systems vulnerable to cyberattacks. Large breaches are routinely circulated, recycled, and resold on dark web marketplaces, enabling identity theft, synthetic identity fraud, SIM swaps, and account takeovers, among other types of cybercriminality to flourish at a larger scale.
Although the LAC region has made significant technological advancements, particularly in the financial services sector, innovations are creating new challenges. The financial technology industry has introduced mobile banking applications, digital wallets, and instant payment systems. LAC countries face rising levels of cyber-enabled fraud in the financial sector because real-time payment rails have weaker identity verification controls, rendering social engineering attempts more effective. Instant payment systems, such as Brazilโs PIX and similar mobile banking platforms, have often been targeted by threat actors. With faster transaction speeds at higher volumes, detection and recovery efforts have become increasingly complex, making scams significantly more profitable and scalable.
The LAC region has the world's fastest-growing rate of disclosed cyber incidents, though many remain unreported. Only seven LAC countries have plans to protect their critical infrastructure from cyberattacks, and only twenty have Computer Security Incident Response Teams (CSIRTs). Despite 31 LAC countries having some form of legislation addressing cybercrime, many face skills shortages, creating barriers to enforcement. Limited law enforcement resources and unreliable interstate cooperation further delay investigation and prosecution, enabling threat actors to operate across jurisdictions with relative ease. A cultural perception that cybercrime carries low risk and offers high reward undermines the deterrent effect that reliable law enforcement action would otherwise have. This incentive structure, coupled with reduced stigma, encourages repeat offenses and recruitment, as reflected in the cybercriminal trends observed by Insikt Group in 2025.
Cybercriminal Activities in LAC
Throughout 2025, Insikt Group investigated and identified different types of cybercriminals operating on clearnet and dark web sources. Cybercriminals routinely leveraged phishing for initial access, and among the most common methods seen was the search and collection of sensitive information directly from a compromised host's file system or databases. This technique is often a critical pre-exfiltration step used to obtain financial records, passwords, and other forms of personally identifiable information (PII), likely to conduct account takeovers or fraud. Insikt Group research found that cybercriminals have also begun evolving their TTPs to exploit near-field communications (NFC) to commit financial fraud and are using malware to target cryptocurrency wallets. Insikt Group intelligence indicates that cybercriminals are primarily interested in selling compromised databases and access methods, as well as participating in hacktivist collectives. In some instances, advanced persistent threats (APTs) have also begun to overlap their activities with cybercrime when targeting the region.
Cybercriminal Sources
Threat actors operating in or targeting the LAC region continued to rely on the infrastructure of established English- and Russian-speaking forums throughout 2025 (see Appendix A). Insikt Group identified Spanish- and Portuguese-language postings on several established dark web and special-access forums. Even though these sources are predominantly English- and Russian-speaking, these posts likely indicate a preference among threat actors targeting LAC to seek more established, traditional platforms for conducting business. Research showed that low to moderate-tier forums are most commonly used by threat actors based in or targeting LAC countries, possibly suggesting lower levels of sophistication, as higher-tier forums often require vouching, payment, demonstration of knowledge or technical abilities, and sometimes private invitation to gain access.
Insikt Group assesses that most communications between threat actors likely occur on encrypted messaging platforms such as Telegram, WhatsApp, and Signal due to speed, ease of access, and higher levels of trust among group members. Given the privacy-enhancing features of many of these platforms, collection efforts can become significantly more constrained. Telegram is predominantly used because it offers larger channel and group capacities, account creation is simple, it enables threat actors to leverage bot automation and support for their malicious activities, and content moderation is typically less stringent than on other platforms. By offering a path of least resistance, threat actors enjoy the added privacy that end-to-end encrypted messaging platforms provide without delaying their operations.
Financially motivated threat actors often advertise a variety of data types, including PII, financial data, login credentials, system access credentials, exploits and vulnerabilities, malware, ransomware, and hacking tutorials. In some instances, Insikt Group observed threat actors selling customer relationship management (CRM) access, virtual private network (VPN) access with domain user privileges and local administrator rights on a database server, and command-and-control (C2) access to LAC-based entities in 2025. Leveraging this access to information, cybercriminals may facilitate further crimes, including but not limited to extortion attempts, digital and social engineering scams, ransomware deployment, data theft, and account takeovers. Insikt Group research indicates that threat actors generally advertise breached databases and payment card data because they can be lucrative, require relatively low levels of sophistication, and are sought after by other cybercriminals.
Threat actors often target government systems because they contain highly sensitive data that can be profitable for scams, identity theft, or extortion. For instance, shortly after a tense general election, Ecuadorโs legislature, the National Assembly, reported it had suffered two cyberattacks aimed at accessing confidential data and disrupting the availability of information services. In another example, threat actors exposed sensitive data on millions of Paraguayan citizens on the dark web; among the alleged exfiltrated data are national ID numbers, dates of birth, physical addresses, and health service records.
DarkForums was the primary dark web and special-access forum where Insikt Group recorded the most posts relating to cybercrime-related events in Spanish and Portuguese in 2025. This forum is an English-language, low-tier forum operated by English-speaking administrators, launched in March 2023, and is accessible via a clearnet domain. Additionally, DarkForums was observed hosting leaked databases and data breaches involving Spanish-speaking countries, with posts describing the compromise of thousands of records and credentials. Other forums, such as XSS, Exploit, RehubcomPro, Cracked, BreachForums 2, ProCrd, and CrdPro, were also among the top forums to contain posts in Spanish and Portuguese. Appendix A presents a sample of Spanish and Portuguese forum threads from these sources.
Cybercriminal Tactics and Attack Vectors
The LAC region has a long history of financially motivated cybercrime; as a result, Insikt Group observed in this analysis that threat actors continue to heavily target the financial sector. Threat actors typically rely on traditional initial access methods, such as phishing via email, SMS, and WhatsApp messages, impersonating financial institutions, and requesting invoices or payments. Threat actors deliver lures via malicious links that redirect to fake login pages and contain malicious attachments with embedded links. Many of these techniques are effective when targeting entities in the LAC region due to an overwhelming reliance on email and messaging applications for business, as well as a general strong trust in branded communications. Artificial intelligence (AI) has introduced more sophisticated methods into the cybercriminal ecosystem in LAC, lowering the barrier to entry for threat actors and significantly increasing the scalability of attacks through automation. AI helps threat actors create more effective phishing messages that could be generated in native Spanish or Portuguese, rendering them more convincing to the local target audience. The advent of agentic AI also presents new opportunities and attack vectors for cybercriminal groups to exploit and greatly facilitates cybercrime-as-a-service. Organized criminal groups have integrated AI into their operations to assist with drug smuggling, money laundering, cyber-enabled fraud, and malware development.
Throughout 2025, Insikt Group observed threat actors targeting the LAC region by compromising remote desktop protocol (RDP), VPNs, and web admin panels, and obtaining credentials from prior infostealer infections, password reuse, brute-force attacks, and other initial access points. Based on data within the Recorded Future Intelligence Operations Platform, there are approximately 29,000 references to exposed LAC-related credentials on Russian Market. These exposed credentials are from domains belonging to the top organizations (by revenue) in the healthcare, government, and financial sectors across the five largest economies in LAC. Russian Market is one of the leading dark web marketplaces for the sale and distribution of infostealer logs. Most of these logs were from LummaC2 and then Acreed Stealer, consistent with what Insikt Group observed in its review of additional infostealer logs. It should be noted that many of the 29,000 exposed credentials are likely customers of these organizations and not necessarily employees, as Recorded Future does not have access to internal-facing employee domain addresses to search for exposed credentials; however, those can be added by an end user. Insikt Group assesses that these attack vectors were likely effective for infiltrating the systems of targets in the LAC region due to increased remote work adoption, legacy infrastructure in many public institutions, and limited monitoring and resources. Insikt Group observed threat actors advertising carding tools, bulk SMS/Email blasting, SIM swapping, hacking assistance, and other similar services on Telegram channels.
In 2025, Insikt Group observed a rise in novel types of malware that actively leverage and exploit NFC. First identified by Threat Fabric, PhantomCard is an Android trojan, notably a variant of China-origin NFC relay malware-as-a-service (MaaS), primarily targeting banking customers in Brazil. PhantomCard enables relay attacks by obtaining NFC data from a victim's banking card and transmitting it to a threat actor's device to perform transactions at point-of-sale (POS) systems or ATMs. PhantomCard is distributed via malicious webpages that impersonate legitimate applications, prompting victims to tap their cards and enter their personal identification numbers (PINs) for authentication. Once credentials are fraudulently obtained, they are relayed to attackers. Similarly, in late 2025, threat actors deployed RelayNFC, a mobile malware that targets contactless payment cards, in a phishing campaign targeting Brazilian users. This evolution in TTPs parallels the shift by threat actors from skimming magnetic stripe data to โshimmingโ Europay, Mastercard, and Visa (EMV) chip data in the payment fraud ecosystem, since unique cybercriminal solutions typically follow new security innovations.
Per the 2025 Cybercriminal Cryptocurrency Annual Activity Report, Insikt Group consistently observed activity in which cryptocurrency wallets were targeted by various forms of malware, such as drainers, clippers, and miners, to steal funds. Given the persistent lag in cybersecurity measures in LAC and the rapid growth of the cryptocurrency market in the LAC region, its users may become attractive targets for cybercriminals. The top five countries in the LAC region that dominate the cryptocurrency ecosystem are Brazil, Argentina, Mexico, Venezuela, and Colombia. However, Brazil is the clear leader, accounting for a third of overall cryptocurrency activity. Insikt Group assesses that, as the mainstream adoption of cryptocurrency continues, threat actors will likely seek targets in these countries, as knowledge and security practices among the user base in these regions will likely be lacking. Additionally, as with threat actors in other regions of the world, those targeting LAC will almost certainly leverage this medium of exchange to transact and launder illicit funds. As countries continue to adopt new regulations and introduce new forms of cryptocurrency, we expect threat actors to identify new vectors for exploitation. As of 2025, Argentina, Brazil, Colombia, Ecuador, Paraguay, Trinidad and Tobago, Uruguay, and Venezuela are participating in INTERPOLโs inaugural pilot phase for the new Silver Notice, which will be published to โhelp trace and recover criminal assets, combat transnational organized crime and enhance international police cooperation,โ likely including cryptocurrency assets if linked to criminal proceeds.
Advanced Persistent Threats (APTs) and Cybercrime
Throughout 2025, Insikt Group observed a rise in APT activity targeting the LAC region using traditional cybercriminal methods, such as phishing and ransomware. This suggests some APT groups may also have financial motivations extending beyond seeking strategic geopolitical influence. Prominent APTs, such as Dark Caracal, conducted cyber espionage and delivered the Poco RAT via financial-themed phishing. TAG-144 (Blind Eagle) primarily targeted government entities in South American countries, notably Colombia, using TTPs such as spearphishing and remote access trojans (RATs) in campaigns blending espionage and financial motives.
Insikt Group assesses that some Chinese state-sponsored activity is likely aimed at protecting economic investments in the region, such as the Belt and Road Initiative (BRI), sovereign loans, and widespread commercial interests. In addition to the above APT groups, Chinese state-sponsored groups are also targeting entities in LAC countries. TAG-141 (FamousSparrow) leveraged SparrowDoor malware against entities in Mexico, Argentina, and Chile. Storm-2603 (Gold Salem) deployed ransomware, including Warlock, LockBit, and Babuk, targeting multiple sectors across agriculture, government, energy and natural resources, and telecommunications in the LAC and Asia-Pacific (APAC) regions. This activity may signal that China is seeking to retain influence in the LAC region through cybercriminal means or is interested in financial gain.
Hacktivism
The LAC region has repeatedly experienced periods of complex political and social unrest fueled by debates regarding economic reforms, corruption, and inequality. Unlike financially motivated cybercrime, hacktivism tends to be political or ideological, and these tense conditions can create an environment where hacktivism spikes. In late 2025, Insikt Group noticed increased activity from Chronus Team, a hacktivist group known for defacement attacks and data leaks aimed at exposing security vulnerabilities, primarily targeting organizations in Mexico. The threat group leverages Telegram channels for communication and propaganda. It has loosely aligned with other hacktivist and cybercriminals groups, such as Elite 6-27 and Sociedad Privada 157, to gain attention and increase its reputation. Insikt Group observed another trend where several hacktivist groups began transitioning to ransomware-as-a-service (RaaS) for financial gain. One such hacktivist group, โFiveFamiliesโ, functions as a collective of several groups; some of their targeted entities included those located in Cuba and Brazil.
Figure 1: Chronus Team hack and web defacement of the website for the budget transparency for the municipality of Hermosillo, Sonora, Mexico (Source: Social Media)
Malware Trends
In 2025, Insikt Group observed elevated ransomware activity targeting organizations in the LAC region. Additionally, banking trojans also remained a prominent issue affecting LAC countries, with Insikt Group noting an uptick in campaigns specifically leveraging WhatsApp for delivery. Infostealers remained a popular initial access enabler in the LAC region. Botnets have grown in the region largely due to small office/home office (SOHO) devices, such as routers and other internet-of-things (IoT) appliances with weak security, outdated firmware, and a reliance on default credentials. Botnet activity can contribute to credential theft, the propagation of phishing campaigns, the distribution of spam, the takeover and abuse of residential IP addresses, and the enabling of distributed denial-of-service (DDoS) attacks. Insikt Group also observed threat actors targeting payment terminals in 2025 with ATM and POS malware.
Ransomware
In 2025, Recorded Futureโs Global Ransomware Landscape Dashboard recorded 452 ransomware incidents impacting the LAC region out of 7,346 total globally, based on all publicly known ransomware victims listed on associated ransomware blogs. Attacks on entities in the LAC region constituted just over 6% of all global ransomware attacks in 2025. The top five industries most impacted by ransomware in the LAC region in 2025 were Healthcare (36 attacks), Manufacturing (49 attacks), Government (28 attacks), Information Technology (21 attacks), and Education (20 attacks), as demonstrated in Figure 3. Insikt Group research on ransomware in the LAC region covers 27 of the 33 constituent countries. Insikt Group did not obtain ransomware data from Antigua and Barbuda, Belize, Cuba, Saint Kitts and Nevis, Saint Lucia, or Suriname in 2025.
Figure 2: Global Ransomware Landscape Dashboard view of attack metrics for the top five ransomware groups impacting LAC in 2025 (Source: Recorded Future)
Figure 3: Global Ransomware Landscape Dashboard view of attack metrics for the top five most impacted industries in LAC in 2025 (Source: Recorded Future)
Insikt Group observed an increase in ransomware activity across all major industries in LAC compared to the prior year. Insikt Group specifically examined ransomware attacks against financial, government, and healthcare entities across the LAC region and identified the following: 16 attacks targeting the finance sector, 28 attacks targeting the government sector, and 36 attacks targeting the healthcare sector. Appendix C highlights a sample of these ransomware attacks.
Regarding LAC countries, the top five countries most impacted by ransomware in the LAC region in 2025 were Brazil (128 attacks), Mexico (78 attacks), Argentina (63 attacks), Colombia (51 attacks), and Peru (27 attacks). These countries are among the largest economies in the region, which may lead to downstream spillover effects for enterprises that conduct business directly with them or with neighboring countries. Insikt Group found that the majority of ransomware groups leverage double extortion. This extortion technique involves encrypting a victimโs data, exfiltrating the data, and then threatening to publicly leak the data on the ransomware groupโs name-and-shame blog if a ransom is not paid. Recorded Future assesses countries by network intrusion and ransomware targeting risk every quarter to provide awareness and help organizations assess risk exposure. Takeaways from the top five impacted countries based on metrics and analysis from Recorded Future include:
Brazilโs network intrusion risk score increased from Medium to Very High, and Brazilโs ransomware targeting risk score remained Medium by the end of 2025. Brazil was the most targeted country in LAC and among the top ten countries worldwide impacted by ransomware in 2025, with a total of 130 victims.
Mexicoโs network intrusion risk score increased from Very Low to Low, and Mexicoโs ransomware targeting risk score increased from Low to Medium at the end of 2025. Notably, data was leaked relating to a Mexican government entity on the dark web name-and-shame extortion website, Tekir Apt Data Leak Site.
Argentinaโs network intrusion risk score increased from Very Low to Low, and Argentinaโs ransomware targeting risk score increased from Low to Medium at the end of 2025. Insikt Group observed that Argentina was targeted by a new rust-based ransomware โRALordโ.
Colombiaโs network intrusion risk score increased from Low to High, and Colombiaโs ransomware targeting risk score remained low with no observed changes at the end of 2025. Colombiaโs financial sector was impacted by the ransomware group Crypto24, which posted victims' names on its blog.
Peruโs network intrusion risk score increased from Very Low to Low, and Peruโs ransomware targeting risk score was low with no observed changes at the end of 2025. A pharmaceutical company headquartered in Peru was named as a victim on the Dire Wolf Blog.
Figure 4:Global Ransomware Landscape Dashboard view of the most affected countries in LAC in 2025 (Source: Recorded Future)
Banking Trojans
According to the Global System for Mobile Communications Association (GSMA), in 2024, approximately 64% of the LAC population used mobile internet; it is projected that this will increase to nearly three-quarters by 2030. Increasing internet penetration and high cell phone subscription rates in LAC signify a rising reliance on mobile devices, likely making them more appealing targets for threat actors. Android remains the predominant operating system (OS) of mobile devices in South America with an 84.59% market share. Android devices may support more sideloaded applications (links and Android application packages [APKs] from social media or third-party stores) than Apple iOS, which typically has tighter ecosystem controls, and Android users may be running older OS versions, thereby making Android devices attractive targets for cybercriminals. The Android ecosystem grants developers more freedom to list apps within the Google Play Store, and the vetting and verification process is less stringent, allowing malicious APK domain mirrors to go undetected. In LAC, users may rely on mobile phones as their primary or only computing device, making them desirable initial access points for threat actors to deploy Android-based malware. According to the World Bank's Global Findex 2025 report, 37% of adults in the LAC region had a mobile money account as of 2024. Mobile banking, digital wallets, and QR payments are commonplace in the area. Based on the World Bankโs findings, Insikt Group assesses that persistent mobile banking malware targeting LAC is likely driven by rapid digital banking integration that has outpaced security controls and the expansion of MaaS ecosystems. Sophisticated localized social engineering attacks and disproportionate regional enforcement capacity are further accelerating this trend within LACโs ever-evolving mobile financial landscape.
Insikt Group research reflected an increase in banking trojans targeting the WhatsApp platform in 2025. Brazilian authorities have, in recent years, focused their attention on disrupting banking trojans. A significant amount of crimeware in LAC consists of mobile banking trojans, though similar in many ways, they are not a monolith and differ in unique ways. Insikt Group analysis from 2025 reflects that, despite some law enforcement disruptions, banking trojans are still a prominent issue in the LAC region and will likely continue to be in 2026. Appendix D highlights the most active banking trojans across the LAC region in 2025.
Infostealers
Infostealers pose a persistent threat worldwide, and the LAC region is no exception. Insikt Group analyzed a small sample of the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors across the top five largest economies in LAC. Analysis showed that the most prominent infostealer threats observed in 2025 were LummaC2, Vidar, Rhadamanthys, RedLine, and Nexus. This is despite multiple law enforcement operations under Operation Endgame conducting takedowns impacting Rhadamanthys and LummaC2.
Figure 5:Infostealers infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
LummaC2 was undoubtedly the most active infostealer targeting entities in the LAC region despite being targeted by law enforcement. LummaC2 has been discussed in several news sources and Telegram chatter as targeting users in Argentina, Paraguay, and Mexico. Cybercriminals deploy LummaC2 to obtain victim credentials to carry out financial fraud and cryptocurrency theft. Insikt Group conducted research into LummaC2 affiliates and identified a likely Mexico-based threat actor operating under multiple aliases linked to Lumma build ID โre0gvcโ. In mid-2025, law enforcement took measures to disrupt LummaC2; the operation effectively led to the takedown of approximately 2,300 malicious domains integral to LummaC2โs infrastructure, Lummaโs central command, and associated criminal marketplaces. Shortly after this operation, it appears LummaC2 still had infected victims in several countries, including Brazil and Colombia, likely because sinkholing requires some time to have a noticeable effect as it redirects traffic but does not automatically clean infected machines. More complete remediation would require patching and malware removal on affected systems, which is challenging to implement at scale when infected devices are spread across the world. However, Insikt Group observed a significant decrease in credentials exposed by LummaC2 in the second half of 2025, likely due to the success of the joint Microsoft and law enforcement operation, as well as the main threat actor being banned from Exploit.
Figure 6:LummaC2 infection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
In the wake of the LummaC2 operation, Recorded Future detected an increase in Vidar infections during the latter half of 2025. This increase highlights threat actorsโ ability to migrate between infostealers to facilitate their criminality despite disruptions.
Figure 7:VidarInfection trends in 2025 for the domains belonging to the top organizations (based on revenue) in the healthcare, government, and financial sectors for countries with the top five largest economies in LAC (Source: Recorded Future data)
Botnets
Botnet activity has grown steadily in the LAC region, enabling financial fraud, spam distribution, credential harvesting, initial access for ransomware and large-scale DDoS attacks targeting financial and government institutions. Botnets remained a priority for international law enforcement in 2025. For example, the ongoing Operation Endgame aims to hinder threat actors' remote-control capabilities by dismantling ransomware and other malware infrastructure. Emerging in late 2025, Kimwolf, also known as AISURU, is a botnet that targets compromised streaming devices. News reporting and dark web chatter indicate many of the devices infected with Kimwolf are based in Brazil, India, the US, and Argentina. Additional reporting suggests a threat actor involved with the AISURU botnet is likely based in Brazil. Horabot is a malware family and type of botnet first identified in June 2023, targeting Spanish-speaking users in six LAC countries: Mexico, Guatemala, Colombia, Peru, Chile, and Argentina. Horabot uses invoice-themed phishing emails to gain initial access to victims' systems.
Payment Terminal Malware
Threat actors also continued to target payment infrastructure for financial gain. ATM malware activity has continued to rise in LAC, with some experts noting ATM malware attacks have spiked by 46% across LAC in 2025. For instance, Ploutus is a sophisticated malware family first detected in Mexico in 2013, which compromises ATMs by issuing unauthorized commands to their cash dispensing modules. In December 2025, the US Department of Justice indicted 54 individuals associated with the Venezuelan gang Tren de Aragua (TDA) for participation in a massive ATM jackpotting scheme that exploited Ploutus malware. Moreover, the POS malware MajikPOS, designed to infiltrate systems connected to POS terminals and extract magnetic stripe payment data from bank cards, remained an active threat to companies operating in Brazil.
Mitigations
Use Recorded Futureโs Global Ransomware Landscape Dashboard: Recorded Future customers can proactively mitigate this threat by operationalizing the Recorded Future Global Ransomware Landscape Dashboard and leveraging the victimology tab to filter based on ransomware group, country, and industry of interest. Recorded Future customers can customize their own ransomware risk profile and establish alerts that align with their risk priorities.
Use Recorded Futureโs Threat and Third-Party Risk Monitoring: Configure alerts in the Recorded Future Intelligence Cloud to track activity across Telegram channels, darkweb forums, and other platforms for proactive awareness. Use the Third-Party Intelligence module to assess risk exposure for current and future partnerships.
Update Legacy Systems: Threat actors, whether opportunistic or financially motivated, or both, often seek to exploit vulnerable systems. Organizations that rely on outdated technology stacks leave themselves exposed to preventable cyber threats and attacks.
Engage in Public-Private Information Sharing: To bolster regional collaboration and establish standardized best practices, coordinate with law enforcement, and create intelligence-sharing channels to enhance investigations and decrease incident response times.
Generate Awareness through Education: Advocating for digital literacy through university partnerships and scholarship in the LAC region will encourage good cyber hygiene and prepare for a stronger, more competent workforce. Enterprises can implement mandatory cybersecurity training during new hire onboarding and establish routine drills to ensure protocols are followed.
Outlook
Insikt Group has highlighted the most salient cybercriminal trends and methods observed throughout the LAC region in 2025. Threat actors conducted phishing and credential theft to gain and sell initial access to LAC organizations while often relying on dark web forums and end-to-end encrypted messaging platforms to communicate and monetize compromised data and access methods. Cybercriminals carried out elevated ransomware attacks against the healthcare, government, finance, and other critical sectors. Banking trojan and infostealer activity persisted throughout LAC despite law enforcement disruption attempts. Cybercriminals have proven to be adaptive and resilient, often capitalizing on immature or emerging businesses that lack the skills, tools, and personnel to prevent attacks. Small and medium-sized enterprises (SMEs) constitute over 95% of all businesses in LAC. SMEs are desirable targets for cybercriminals because they typically have limited resources and expertise, lack robust infrastructure, and have a high overreliance on third-party platforms. Insikt Group trend analysis supports these findings.
Absent regional harmonization of cybersecurity policies and best practices, LAC countries will likely continue to use fragmented incident response approaches, complicating cross-border cooperation and collaboration. For effective and sustainable protection of systems and information against cyber threats, LAC countries should focus on working together to establish standardized risk assessments and reporting mechanisms, protocols for information sharing to bolster timely remediation, and implement proactive โsecure by designโ principles. Possible approaches to accomplishing this may include increased investment in workforce development, participation in public-private partnerships, and the establishment of centralized cybersecurity management systems. Despite the lack of prominent Spanish- and Portuguese-language forums, it is likely that threat actors will continue to leverage traditional platforms and methods similar to those used by the English- and Russian-speaking cybercriminal underground. Based on current and historical data, we anticipate these trends will continue, and LAC will likely remain a popular target for ransomware groups and a hotspot for mobile malware in 2026.
Appendix A: Sample Listing of Posts Targeting Entities in LAC Countries on Dark Web and Special Access Forums
Alleged Access or Leak
Source
LAC Country and Sector Impacted
Access to a Brazilian banking entity
XSS Forum
Brazil/Finance
VPN access to a Colombian bank
Exploit Forum
Colombia/Finance
Access to a leaked government database
DarkForums
Mexico/Government
Database access to the official government portal
Exploit Forum
Argentina/Government
Web shell access with root privileges for a healthcare provider
XSS Forum
Chile/Healthcare
Global VPN access to a healthcare network
RehubcomPro Forum
Brazil/Healthcare
(Source: Recorded Future)
Appendix B: Sample Metrics of the Top Five Ransomware Groups Impacting LAC in 2025
Group Name
Total Attacks (All Sectors)
Healthcare
Manufacturing
Government
IT
Education
Qilin (Agenda)
54
4
6
0
2
2
LockBit Gang (BITWISE SPIDER, DEV-0396, Flighty Scorpius)
29
2
3
1
1
4
Safepay
27
2
4
0
0
0
The Gentlemen
22
3
1
0
0
1
Kazu
21
0
0
17
0
2
(Source: Recorded Future)
Appendix C: Sample Data of Ransomware Incidents Impacting Healthcare, Government, and Financial Sectors in LAC Countries in 2025
Ransomware Group
Country
Sector
Safepay
Argentina
Healthcare
The Gentlemen
Brazil
Healthcare
Kazu
Colombia
Government
Kazu
Mexico
Government
Qilin (Agenda)
Ecuador
Finance
Qilin (Agenda)
Argentina
Finance
(Source: Recorded Future)
Appendix D: Trends from the Most Active Banking Trojans in LAC in 2025
Banking Trojan
Attributes
Activity in 2026
Grandoreiro
Spreads through phishing emails with seemingly legitimate documents, such as PDFs. Once on a device, it performs anti-sandbox checks, logs keystrokes, and communicates with C2 servers to exfiltrate sensitive banking credentials
New variants emerged with advanced evasion techniques, rendering them more effective at bypassing modern security measures
Crocodilus
Employs sophisticated tactics such as remote control capabilities, keylogging, overlay attacks to capture user credentials, and the ability to harvest cryptocurrency wallet seed phrases
Expanded operational reach by targeting users in Poland, Spain, Brazil, Argentina, Indonesia, the US, and India
Mispadu (URSA)
Employs sophisticated infection methods, including spam emails containing malicious PDFs that trigger multi-stage download processes that deploy the Mispadu payload after performing anti-sandbox and anti-virtual machine checks
Insikt Group created a YARA rule to detect Mispadu after analysis indicated the trojan had targeted several LAC banks
Astaroth (Guildma)
Distribution methods include spearphishing attacks and the use of compromised cloud infrastructure for hosting malicious content. Insikt Group conducted technical static analysis and detection using sigma rules
Resurfaced with a multi-stage campaign, โSTAC3150โ, involving WhatsApp session hijacking, credential theft, and persistence on compromised systems
SORVEPOTEL
Targeted Brazil in several campaigns; Insikt Group assesses that at least some SORVEPOTEL operators are likely Portuguese-speaking, based on language artifacts in the panels analyzed and consistent targeting of Brazilian victims; analysis of a notable campaign dubbed โWater Saciโ indicates WhatsApp Web was used for distribution
Analysis of the new infrastructure tied to the SORVEPOTEL loader demonstrates that it has distributed Coyote and Maverick
Casabaneiro (โMekotioโ and โMetamorfoโ)
Primarily targets financial institutions in LAC, leverages phishing emails that typically contain malicious URLs, which lead to ZIP archives or ISO files with payloads that execute PowerShell scripts designed for obfuscation and evading detection
Water Saci campaign targeting Brazilian financial platforms via WhatsApp propagation linked to Casbaneiro malware family
BBTok
Distribution methods that trigger infections via LNK files and exhibit advanced capabilities for credential theft and data exfiltration, leveraging techniques such as dynamic-link library (DLL) embedding within downloaded files and the use of legitimate Windows utility commands for evasion
A new tactic emerged where the primary delivery method was WhatsApp
Coyote
Primarily targets Brazilian users, capable of executing keylogging, capturing screenshots, and displaying phishing overlays to steal sensitive credentials; Coyoteโs infrastructure is dynamic and hosted on various platforms, indicating robust evasion techniques by its operators
Coyote remained active in 2025 and was observed in a WhatsApp-based worm campaign that used self-propagating messages containing malicious ZIP archives that further distributed the malware
Herodotus
Distributed through smishing messages that lure victims into downloading malicious APKs; Herodotus has been observed primarily targeting users in countries like Brazil and Italy
Insikt Group analyzed a sample, where Herodotus impersonated a security application named โModulo Seguranca Stoneโ in a campaign in Brazil
Este informe brinda un resumen de las tendencias y los desarrollos en el ecosistema cibercriminal de Amรฉrica Latina y el Caribe (LAC) en 2025. Insikt Group identificรณ que los actores maliciosos que operan en la regiรณn de LAC o que la tienen como objetivo utilizan principalmente aplicaciones cliente-servidor y plataformas de mensajerรญa con cifrado de extremo a extremo como Telegram, asรญ como foros de la dark web y de acceso especial en inglรฉs o ruso, para comunicarse y llevar a cabo sus actividades. Los actores maliciosos demuestran una mayor sofisticaciรณn en sus operaciones, ya que adaptan sus tรกcticas, tรฉcnicas y procedimientos (TTP) con el tiempo, pero siguen apoyรกndose principalmente en mรฉtodos tradicionales como el phishing y la ingenierรญa social, la distribuciรณn de malware, y el ransomware. A partir de nuestros anรกlisis, determinamos que Brasil, Mรฉxico y Argentina son los paรญses mรกs atacados por cibercriminales financieros, probablemente porque son las economรญas mรกs grandes de la regiรณn de LAC. Ademรกs, a partir de esta investigaciรณn, Insikt Group determinรณ que los actores maliciosos a menudo atacan industrias crรญticas, como las de salud, finanzas y gobierno, porque poseen datos de alto valor, afrontan urgencias operativas y, a veces, utilizan sistemas antiguos que pueden ser vulnerables.
Principales hallazgos
Insikt Group estima que el foro criminal DarkForums y la plataforma de mensajerรญa Telegram son los principales medios de acceso especial utilizados por los actores maliciosos que operan en la regiรณn LAC o que la tienen como objetivo.
Los actores maliciosos que operan en la regiรณn LAC o que la tienen como objetivo suelen estar impulsados por motivos financieros y, a menudo, utilizan la ingenierรญa social, el ransomware y diferentes formas de malware mรณvil para obtener acceso inicial a las instituciones gubernamentales, de salud o financieras.
En 2025, Insikt Group registrรณ 452 incidentes de ransomware que afectaron la regiรณn de LAC. Las cinco principales industrias afectadas fueron las de salud, fabricaciรณn, gobierno, tecnologรญa de la informaciรณn y educaciรณn; todas ellas observaron un aumento notable en los ataques en comparaciรณn con el aรฑo anterior.
Insikt Group identificรณ que los actores maliciosos usan troyanos bancarios, especialmente las variantes mรกs establecidas. En particular, estos actores usaron troyanos bancarios en campaรฑas de smishing dirigidas a usuarios de WhatsApp con el objetivo de acceder a datos financieros y robar credenciales.
Insikt Group identificรณ a LummaC2 como el ladrรณn de informaciรณn (infostealer) mรกs prolรญfico que afectรณ a organizaciones de la regiรณn LAC en el primer semestre de 2025, y a Vidar en el segundo semestre, tras la intervenciรณn de las fuerzas del orden contra LummaC2
Este relatรณrio apresenta uma visรฃo geral das tendรชncias e desenvolvimentos no ecossistema do cibercrime na Amรฉrica Latina e Caribe (LAC) em 2025. O Insikt Group descobriu que os agentes de ameaรงas que operam na regiรฃo da Amรฉrica Latina e Caribe (LAC) ou que a tรชm como alvo usam predominantemente aplicaรงรตes cliente-servidor e plataformas de mensagens criptografadas de ponta a ponta, como o Telegram, bem como a dark web estabelecida em inglรชs ou russo e fรณruns de acesso restrito, para se comunicarem e realizarem atividades. Os agentes de ameaรงas demonstram crescente sofisticaรงรฃo nas operaรงรตes, adaptando tรกticas, tรฉcnicas e procedimentos (TTPs) ao longo do tempo, embora ainda dependam principalmente de mรฉtodos tradicionais, como phishing e engenharia social, distribuiรงรฃo de malware e ransomware. Com base na nossa anรกlise, determinamos que Brasil, Mรฉxico e Argentina foram os paรญses mais visados por cibercriminosos com motivaรงรฃo financeira, provavelmente por serem as maiores economias da Amรฉrica Latina e Caribe. Alรฉm disso, com base nesta pesquisa, o Insikt Group descobriu que os agentes de ameaรงas frequentemente visavam a setores crรญticos, como saรบde, finanรงas e governo, pois esses setores detรชm dados valiosos, enfrentam urgรชncias operacionais e, ร s vezes, dependem de sistemas legados que podem ser vulnerรกveis.
Principais descobertas
O Insikt Group avalia que o fรณrum criminoso DarkForums e a plataforma de mensagens Telegram sรฃo os principais fรณruns de acesso restrito e plataformas de comunicaรงรฃo usados por agentes maliciosos que operam na regiรฃo da Amรฉrica Latina e Caribe ou que tรชm essa regiรฃo como alvo.
Os agentes de ameaรงa que operam na Amรฉrica Latina e Caribe (LAC) ou que tรชm como alvo a regiรฃo sรฃo geralmente motivados por interesses financeiros e frequentemente adotam engenharia social, ransomware e vรกrias formas de malware em aparelhos mรณveis, a fim de terem acesso inicial a instituiรงรตes governamentais, financeiras e de saรบde.
Em 2025, o Insikt Group registrou 452 incidentes de ransomware que afetaram a regiรฃo da Amรฉrica Latina e Caribe. Os cinco setores mais afetados foram saรบde, manufatura, governo, tecnologia da informaรงรฃo e educaรงรฃo, que registraram um aumento considerรกvel nos ataques em comparaรงรฃo ao ano anterior.
O Insikt Group continuou a identificar trojans bancรกrios sendo usados por agentes de ameaรงas; os mais usados sรฃo as variantes jรก estabelecidas. Especificamente, os agentes maliciosos usaram trojans bancรกrios em campanhas de smishing direcionadas a usuรกrios do WhatsApp para terem acesso a dados financeiros e roubarem credenciais.
O Insikt Group identificou o LummaC2 como o ladrรฃo de informaรงรตes (infostealer) mais prolรญfico, afetando organizaรงรตes na Amรฉrica Latina e Caribe no primeiro semestre de 2025; e o Vidar no segundo semestre, apรณs a desarticulaรงรฃo das atividades do LummaC2 pelas autoridades policiais.
Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Futureยฎ HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious domains and infrastructure.
The clusters demonstrate significant operational variance in lure themes and infrastructure patterns, and highlight the technique's evolution, moving past simple verification by visually fooling victims with various fake challenges and demonstrating technical sophistication through operating system detection to tailor execution chains. Despite these structural differences, its operation is largely the same, showing that ClickFixโs core techniques work across platforms and only the social engineering lure needs to be adapted to the victim. Threat actors manipulate victims into executing malicious, obfuscated commands directly within native system tools like the Windows Run dialog box or macOS Terminal.
This living-off-the-land (LotL) approach allows malicious scripts to execute in-memory, effectively bypassing traditional browser security and endpoint controls. Parallel clusters targeting sectors as diverse as accounting, real estate, and legal services indicates that ClickFix has transitioned into a standardized, high-ROI template for both cybercriminal and potentially advanced persistent threat (APT) groups.
To protect against these threats, security defenders should move beyond simple indicator blocking and prioritize aggressive behavioral hardening. Key recommendations include disabling the Windows Run dialog box via Group Policy Objects (GPO), implementing PowerShell Constrained Language Mode (CLM), and operationalizing Digital Risk Prevention tools such as Recorded Future's Malicious Websites to identify and mitigate threats to your digital assets.
Based on increasing use since 2024, Insikt Group assesses that the ClickFix methodology will very likely remain a primary initial access vector throughout 2026 as threat actors continue to social engineer victims to enable exploitation. Looking ahead, Insikt Group anticipates ClickFix lures will become increasingly technically adaptive, incorporating more selective browser fingerprinting, while continuing to use infrastructure that can be built and dismantled quickly. In addition to technical refinements, Insikt Group predicts that the social engineering component will continue to evolve, leveraging new techniques to lure victims into executing malicious commands.
Key Findings
Insikt Group identified and tracked five distinct ClickFix activity clusters exhibiting significant operational variance in lure themes and infrastructure patterns despite a shared reliance on fraudulent human-verification lures. This indicates that the ClickFix methodology has transitioned into a standardized, high-ROI template adopted across a fragmented ecosystem of threat actors.
While visually diverse, all analyzed clusters use a consistent execution framework that bypasses traditional browser security controls by shifting the point of exploitation to user-assisted manual commands. These campaigns target a wide variety of sectors, including accounting (QuickBooks), travel (Booking.com), and system optimization (macOS).
ClickFix technical execution follows a standardized four-stage pattern: input of highly encoded or fragmented strings, native execution via legitimate system shells living-off-the-land binaries (LOLBins), remote ingress from threat actor-controlled infrastructure, and immediate in-memory execution. This methodology allows threat actors to stage and run remote code with limited and short-lived forensic artifacts on the host system.
Background
First documented in late 2023, ClickFix has transitioned from a niche social engineering tactic to a cornerstone of the global cybercriminal ecosystem. ClickFix is a social engineering methodology that lures victims into manually executing malicious commands by masquerading as a necessary technical resolution for fabricated system errors or human-verification prompts. This technique represents an evolutionary shift from the FakeUpdates (SocGholish) model, prioritizing manual user intervention to evade the increasingly robust security features of modern web browsers and automated endpoint detection systems. In this context, the methodology embodies a "think smart, not hard" approach. The simplicity of relying on a manual user action makes it a potent defensive evasion tactic: bypassing typical browser-based security makes it difficult to detect, while the high number of threat actors using it makes it difficult to track across a fragmented threat landscape.
The technical core of the methodology relies primarily on pastejacking, where background JavaScript populates a victim's clipboard with an obfuscated command while they are distracted by visual lures such as fraudulent reCAPTCHA or Cloudflare Turnstile overlays. In some instances, malicious commands are not automatically pasted into the victimโs clipboard, but rather, victims are manipulated into copying and running the command manually. By leveraging a living-off-the-land (LotL) approach, threat actors manipulate users into executing these commands directly within trusted system tools like the Windows Run dialog box, PowerShell, or the macOS Terminal. This user-assisted execution allows malicious scripts to execute silently and bypass traditional browser and endpoint security perimeters.
ClickFix has been weaponized by a diverse spectrum of threat actors, ranging from high-volume initial access brokers (IABs) to sophisticated state-sponsored groups such as BlueDelta (aka APT28) and the North Korean group PurpleBravo. The methodology enables a repeatable and scalable delivery framework capable of deploying a wide variety of secondary payloads, including infostealers like Lumma Stealer and Vidar, or remote access trojans (RATs) such as NetSupport RAT and Odyssey Stealer. These operations are frequently supported by highly adaptive, disposable infrastructure designed to maintain operational continuity even as individual domains are identified and blocked.
Technical Analysis
Insikt Group identified and tracked five emerging ClickFix clusters by leveraging the Recorded Future HTML Content Analysis dataset, which enables the systematic monitoring of embedded web artifacts. By pivoting on unique technical identifiers, including specific Document Object Model (DOM) hashes, hard-coded image source tags, and unique page titles, Insikt Group mapped ClickFixโs infrastructure and identified new malicious domains and infrastructure, facilitating the discovery of active domains and near real-time monitoring of cluster evolution.
Across the analyzed clusters, Insikt Group detailed the ClickFix commands victims were manipulated into executing on their systems. These commands relied heavily on LOLBins to achieve operational goals. By using LOLBins, threat actors leveraged native, legitimately signed executables to download malicious payloads to a victim's machine. Depending on the security implementation of personal machines or corporate endpoints, this methodology can effectively evade standard detections and foundational security principles.
ClickFix Clusters
Insikt Group identified five clusters (see Figure 1) that exhibited significant operational variance despite a shared reliance on the ClickFix social engineering technique. These clusters were defined by their infrastructure patterns and targeting approaches, ranging from logistics-themed lures to dual-platform selection logic. This indicates that the ClickFix methodology is being deployed across a fragmented ecosystem of threat actors, each tailoring the technique to suit their own delivery requirements and victim profiles.
These clusters were grouped based on observable patterns in infrastructure reuse, lure formatting, platform targeting, and operational adjustments over time. While core technical elements and delivery mechanisms overlap, each cluster maintained a distinct footprint within the broader landscape. Insikt Group categorized the activity into the following five clusters:
Intuit QuickBooks: Targeted impersonation of accounting software, often leveraging aged domains to bypass security filters
Booking.com: Used fraudulent domains to present fake verification portals
Birdeye: A large-scale cluster that lures users of the AI marketing company Birdeye by spoofing domains and manipulating victims to use a malicious command to deliver NetSupport RAT.
Dual-Platform Selection: Used operating system detection to deliver platform-tailored lures and malware
macOS Storage Cleaning: Used counterfeit prompts mimicking macOS system optimization to trick users into executing encoded terminal commands
Figure 1: Overview of ClickFix and associated clusters (Source: Recorded Future)
Cluster 1: Intuit QuickBooks
Cluster 1 was observed operating from January 2026 to the time of writing, primarily targeting organizations through social engineering lures impersonating the accounting software Intuit QuickBooks. QuickBooks is widely used for tax preparation in the United States; given the campaign's active window coincides with the US tax season (typically January through April 15), Insikt Group assesses with moderate confidence that the timing was a calculated effort to target entities engaged in financial reporting. Although this cluster recently pivoted to targeting users of the US real estate marketplace Zillow, QuickBooks-related artifacts and brand-specific imagery remain deeply embedded throughout the Document Object Model (DOM) of the malicious landing pages.
Cluster 1 Profile
Figure 2: Overview of ClickFix Cluster 1 โ Intuit QuickBooks (Source: Recorded Future)
Table 1:PowerShell commands observed across Cluster 1
Cluster 1 Infection Chain
The infection chain begins when a victim lands on a ClickFix landing page. The page presents a fraudulent human-verification interface (see Figure 3) that instructs the victim to complete specific "verification" steps.
Figure 3: Intuit QuickBooks-themed ClickFix page (Source: Recorded Future Web Scans)
By interacting with the page, the victim unknowingly copies a malicious command to their system clipboard. The technique often results in execution through native system utilities, such as Windows Run dialog and PowerShell, leveraging LOLBins to evade traditional browser and endpoint-based security controls.
Upon pasting the command, an obfuscated PowerShell script (Figure 4) executes in a hidden window. This stager uses self-referential function names to dynamically construct and invoke Invoke-RestMethod to the domain nobovcs[.]com.
Figure 4: Obfuscated PowerShell command executed in a hidden window, dynamically reconstructing and invoking code via iex (Source: Recorded Future)
This request triggers the retrieval of a short PowerShell stager (see Figure 5) that downloads a second-stage payload, bibi.php, saving it to the %TEMP% directory as script.ps1. This stager is the initial execution step that kicks off the NetSupport RAT installation.
Figure 5: Stager script to download second-stage script, bibi.php (Source: Recorded Future)
The bibi.php script is essential for the final deployment phase and for obfuscating on-disk artifacts. It contains a function called Get-RomanticName, which selects and combines strings from a thematic wordlist, including terms such as "Heart", "Soul", and "Desire", to generate a randomized folder name under %LOCALAPPDATA%, where the staging files are placed.
The script retrieves four primary files from nobovcs[.]com, detailed in Table 2.
Table 2:Filenames and SHA256 hashes of the files downloaded from nobovcs[.]com (Source: Recorded Future)
The script uses 7z.exe to extract at.7z (protected by the password โppppโ), which contains the NetSupport RAT binary, neservice.exe. Persistence is established by hijacking Startup shortcuts; if no existing shortcut is detected, the script extracts lnk.7z to the Startup folder to ensure the payload launches automatically upon system reboot.
Following successful execution, the binary neservice.exe performs an HTTP GET request to gologpoint[.]com to initiate command-and-control (C2) communications. gologpoint[.]com resolves to the IP address 62[.]164[.]177[.]230.
Cluster 2: Booking.com
Cluster 2 was observed operating from February 2026 to the time of writing, impersonating the travel agency Booking.com. Insikt Group tracked the cluster by pivoting on a unique DOM hash made possible by the threat actorโs repeated use of a unique HTML title and consistent image files. Indicators of compromise (IoCs) tagged in this cluster can be seen in the Recorded Future HTML Content Analysis. The landing pages for this cluster use a counterfeit reCAPTCHA v2 challenge, requiring victims to select all photos containing a "bucket" (Figure 6). Insikt Group observed that the same challenge photos are presented in the same order across all analyzed pages.
Cluster 2 Profile
Figure 7: Overview of ClickFix Cluster 2 โ Booking.com (Source: Recorded Future)
Table 3:PowerShell commands observed across Cluster 2
Cluster 2 Infection Chain
The process begins when a victim interacts with the fake challenge. Upon completing the challenge, the victim is redirected to a verification page where a malicious PowerShell command (see Figure 8) is copied to the system clipboard. Instructions on the verification page manipulate the victim into opening the Windows Run dialog box and entering the command. Executing this malicious command starts the infection chain for NetSupport RAT.
Figure 8:Command from the booking campaign that reaches out to the payload server (Source: Recorded Future)
The PowerShell command provided in script.ps1 (see Figure 9) executes with the -NoProfile and -ExecutionPolicy Bypass flags to evade standard logging and security restrictions. Following execution, the system pulls four staging files to a directory named DesireSpark Serenade. This directory naming convention is functionally identical to the "romantic" naming methodology observed in Cluster 1.
Figure 9: DOM file from checkpulse[.]com that details the command to be run on the victim machine, suppressing the protections normally in place to pull down the PowerShell command and execute it (Source: Recorded Future)
The primary staging mechanism relies on script.ps1 to pull secondary payloads from the staging server. In one analyzed instance, scripts originating from thestayreserve[.]com reached out to checkpulses[.]com to retrieve the files detailed in Table 4.
Table 4:Filenames and SHA256 hashes of the files downloaded from checkpulses[.]com (Source: Recorded Future)
The 7z.exe utility is used to extract at.7z, which contains the NetSupport RAT binary neservice.exe. Persistence is established by adding a link to the system Startup folder.
The domains observed across this cluster use a similar PowerShell command pattern. However, once the command is executed, the infection chain varies slightly with the staging infrastructure being called. In the cases of sign-in-op-token[.]com and the thestayreserve[.]com domains, the malicious command is identical in terms of pattern and organization, but the hard-coded dropper domain is bkng-updt[.]com and checkpulses[.]com, respectively.
While staging domains vary, the final payloads across this cluster converge on the same NetSupport RAT C2 infrastructure (Table 5).
Click Fix Domain
IP Address
Dropper
NetSupport RAT C2
sign-in-op-token[.]com
91[.]202[.]233[.]206
bkng-updt[.]com
77[.]91[.]65[.]144
hotelupdatesys[.]com
152[.]89[.]244[.]70
thestayreserve[.]com
91[.]202[.]233[.]206
checkpulses[.]com
77[.]91[.]65[.]31
chrm-srv[.]com
ms-scedg[.]com
152[.]89[.]244[.]70
Table 5:IoCs observed in the Booking.com infection chain (Source: Recorded Future)
Following installation, the malware from thestayreserve[.]com initiates communication (Figure 10) with chrm-srv[.]com and ms-scedg[.]com, both of which resolve to 152[.]89[.]244[.]70. The domain hotelupdatesys[.]com , resolves to the same IP address as the NetSupport RAT C2 for sign-in-op-token[.]com.
Figure 10:POST Request from sign-in-op-token[.]com showing NetSupport interaction (Source: Recorded Future)
Cluster 3: Birdeye
Cluster 3 was observed operating from May 2024 until the time of writing. Previously reported on by Insikt Group, this cluster uses infrastructure centered on domains incorporating the keyword "bird" to deliver its ClickFix lure pages, trackable in Recorded Futureโs HTML Content Analysis. These lures spoof Birdeye, an AI marketing company, to manipulate victims into executing malicious commands.
Cluster 3 Profile
Figure 11: Overview of ClickFix Cluster 3 โ Birdeye (Source: Recorded Future)
Table 6:PowerShell command observed across Cluster 3
Cluster 3 Infection Chain
The infection chain begins when a victim visits a compromised site and is presented with a Cloudflare-style CAPTCHA challenge. Upon interacting with the page, the victim is prompted to run a command in the Windows Run dialog box. Insikt Group identified this cluster by pivoting on unique technical identifiers within the HTML artifacts, including a consistent and unique page title and a static image used across the infrastructure.
The command the victim is manipulated into running causes the victimโs device to reach out to alababababa[.]cloud to download a payload from hxxps[://]alababababa[.]cloud/cVGvQio6[.]txt. To further reduce suspicion, once the malicious command is executed, the victim is redirected to the legitimate birdeye.com website (see Figure 12).
Figure 12:The redirect to the legitimate Birdeye website (Source: Recorded Future)
Analysis of the JavaScript within the DOM for this cluster, provided in Appendix F, revealed insights into the threat actor's methods. A notable portion of the script uses seven obfuscated lines that are concatenated into a single string to be attached to the victim's clipboard. The developer left comments within the code that detail the deobfuscated purpose of each line. For example, one comment explicitly identifies the portion of the command calling PowerShell with specific flags (Figure 13).
Figure 13:Portion of JavaScript containing threat actor comments (Source: Recorded Future)
Furthermore, a comment written in Cyrillic at the beginning of the script translates to, "This should help bypass Cloudflare static analysis". This internal documentation suggests the threat actor is purposefully detailing their actions to refine bypass techniques against security scanners.
Historically, alababababa[.]cloud has been associated with the delivery of multiple malware strains, including Lumma Stealer and RedLine Stealer. The large volume of domains identified in this cluster, exceeding 40 unique entries, highlights the scale of the "run and repeat" model used to sustain this activity.
Cluster 4: Dual-Platform Selection
Cluster 4 was observed operating from March 2025 to the time of writing. This cluster is unique for its use of operating system detection to deliver tailored ClickFix lures for both Windows and macOS users. Unlike standard ClickFix behavior that typically pushes commands to the clipboard automatically, this variant provides detailed manual instructions, requiring the victim to open native system tools and manually copy and paste the provided staging payload. One of the ClickFix pages used to analyze this behavior was macosapp-apple[.]com, hosted at IP address 45[.]144[.]233[.]192.
Cluster 4 Profile
Figure 14: Overview of ClickFix Cluster 4 โ Dual-Platform Selection (Source: Recorded Future)
Table 7:Encoded commands observed across Cluster 4
Cluster 4 Infection Chain
The infection chain begins when a victim lands on a ClickFix page that instructs them to verify they are human (Figure 15).
Figure 15: ClickFix page identified in Cluster 4 (Source: Recorded Future Web Scans)
Figure 23: Landing page for mac-os-helper[.]com (Source: Recorded Future)
Once the Terminal is open, the victim is prompted to execute a multi-stage command that purportedly "finds and removes temporary system files".
In reality, these commands (see Table 9) use different encoding layers to hide their true intent; the first example decodes a hexadecimal string to reveal a Base64-encoded client URL (curl) instruction, while the second directly decodes a Base64 string to run an executable command. Both methods ultimately bypass simple pattern matching by obfuscating the malicious payload until execution.
Table 9: Encoded and obfuscated ClickFix commands for macOS (Source: Recorded Future)
As shown in Table 10, the revealed curl instruction uses a compound set of arguments, in this cluster, -kfsSL, to facilitate silent delivery. These flags ensure that Transport Layer Security (TLS) certificate checks are bypassed, server-side errors are suppressed, and the process remains hidden from the user's view while following redirections to reach the final payload domain.
Table 10:Decoded and deobfuscated ClickFix commands for macOS (Source: Recorded Future)
Based on historic evidence (1, 2) and forensic patterns, Insikt Group assesses with high confidence that the information stealer MacSync was the primary payload used to infect victims in this cluster. The malicious commands on these pages caused the infected systems to reach out to a specific set of staging and C2 infrastructure, detailed in Table 11. Notably, while the domains varied, they were frequently observed behind Cloudflare to complicate network-level blocking.
Indicator
IP Address
ASN
First Seen
Last Seen
octopox[.]com
Cloudflare
Cloudflare
2026-02-06
2026-03-05
joeyapple[.]com
Cloudflare
Cloudflare
2026-02-04
2026-03-05
Table 11: C2 servers identified for the macOS cleaner campaign (Source: Recorded Future)
Copy Command Analysis
Insikt Group analyzed commands across the five clusters identified in this research. While the visual lures and impersonated brands vary between groups like Cluster 1 (Intuit QuickBooks) and Cluster 5 (macOS Storage Cleaning), the underlying execution logic remains consistent. This "run and repeat" methodology relies on a narrow set of trusted LOLBins and lightweight obfuscation to stage remote code with minimal forensic artifacts.
The technical implementation of ClickFix follows a standardized four-stage pattern across all target operating systems, as summarized in Table 12.
Stage
Action
Technical Intent
Obfuscated Input
Input of highly encoded or fragmented strings
Bypass static analysis and signature-based detection
Native Execution
Leveraging trusted system shells (zsh, bash, or powershell.exe)
Execute the initial stager using legitimate system binaries
Remote Ingress
Initiation of external requests to threat actor-controlled IPs or domains
Download secondary scripts or payloads from the staging infrastructure
In-Memory Execution
Piping downloaded content directly into an interpreter
Ensure no malicious files are initially saved to disk to evade endpoint security
Table 12: Standardized four-stage ClickFix execution pattern (Source: Recorded Future)
Insikt Group identified two primary command styles used in macOS-centric campaigns, such as Cluster 4 and Cluster 5, which are detailed in Table 13.
Technique
Observed Pattern
Defender Insight
Multi-Stage Encoding
Hex -> Base64 -> ZSH
The use of xxd -r -p in a user-initiated command is a significant indicator of malicious intent, as it is rarely used in legitimate troubleshooting.
Persistence and Backgrounding
Use of nohup and the & operator
This ensures the malicious process continues to run in the background even after the user closes the terminal, providing persistence during staging.
Table 13: Observed tactics, techniques, and procedures (TTPs) for macOS and Linux (zshandbash) commands (Source: Recorded Future)
Windows-based commands, particularly those observed in Cluster 1 and Cluster 2, exhibit a higher degree of sophistication through "Command Swizzling" and case randomization, as shown in Table 14.
Technique
Observed Pattern
Defender Insight
Parameter Obfuscation
Randomized casing and shortened aliases (for example, -wINDoW MiNI, -wi mi, or -w h)
Threat actors use these to evade security tools looking for literal strings like "Hidden" or "Minimized".
The "Golden" Pattern
Combining Invoke-RestMethod (irm) with Invoke-Expression (iex)
This allows for the seamless retrieval and execution of remote code entirely in memory. This combination is a high-fidelity hunt for ClickFix activity.
String Manipulation Deception
Using .Substring() or .Replace() to "build" commands
Clusters like Cluster 1 avoid explicitly typing iex to bypass static signature detections.
Table 14: Observed TTPs for Windows (PowerShell) commands (Source: Recorded Future)
Mitigations
To mitigate the threats posed by ClickFix social engineering and related living-off-the-land (LotL) techniques, Insikt Group recommends a defense-in-depth approach that combines proactive intelligence monitoring with aggressive hardening of native system utilities.
Operationalize HTML Content Analysis: Recorded Future customers should use the HTML Content Analysis source to monitor for impersonations of their brand, which are leveraged to deliver ClickFix. Leverage the Recorded Future Intelligence Operations Platform to monitor for unique web artifacts, such as specific Document Object Model (DOM) hashes and page titles, to identify new ClickFix domains in real time.
Use Recorded Future Threat Intelligence: Recorded Future customers can proactively mitigate this threat by operationalizing Recorded Future Intelligence Operations Platform data, specifically by leveraging continuously updated Risk Lists and by blocklisting IP addresses and domains associated with ClickFix to block communication with malicious infrastructure.
Monitor Malicious Infrastructure Risk Lists: Continuously update security information and event management (SIEM) and endpoint detection and response (EDR) tools with Recorded Future Risk Lists to block traffic to identified staging and command-and-control (C2) domains.
Use Malware Intelligence: Leverage the Recorded Future Intelligence Operations Platform to hunt for indicators of compromise (IoCs) associated with payloads identified in this report, such as NetSupport RAT, Odyssey Stealer, and Lumma Stealer.
Leverage Network Intelligence: Use Recorded Future Network Intelligence to detect exfiltration events early (such as those linked to NetSupport RAT), which can help prevent intrusions before they escalate. This approach relies on comprehensive, proactive infrastructure discovery provided by Insikt Group and the analysis of vast amounts of network traffic.
Use Identity Module: Recorded Future customers should leverage the Identity Module to monitor for credentials and passwords being sold on the dark web that have been stolen by information stealers.
Disable Windows Run Dialog via Group Policy Objects (GPOs): For corporate environments, disable the Win+R keyboard shortcut and the Run command in the Start menu via Group Policy Objects (GPOs). This significantly hinders the ClickFix execution chain, as victims are typically instructed to paste malicious commands directly into this dialog box.
Restrict Terminal and PowerShell Execution: Implement PowerShell Constrained Language Mode (CLM) and use AppLocker or Windows Defender Application Control (WDAC) to prevent the execution of unassigned scripts and the misuse of living-off-the-land binaries (LOLBins). On macOS, restrict Terminal and other shell interpreters (for example, zsh and bash) using application control policies enforced via mobile device management (MDM), and leverage System Integrity Protection (SIP) and endpoint security controls to limit unauthorized script execution and abuse of native command-line utilities.
User Awareness and Training: Conduct targeted social engineering simulations that specifically educate users on the dangers of "manual verification" prompts that require copying and pasting commands into system utilities.
Outlook
The identification of five parallel operational clusters targeting diverse sectors, including accounting, travel, real estate, and legal services, indicates that the ClickFix methodology has transitioned from a niche technique to a standardized template within the cybercriminal ecosystem. This standardized "run and repeat" model is facilitating broader adoption by both lower-tier "traffers" and sophisticated advanced persistent threat (APT) groups. Threat actors are able to maintain operational continuity even when individual domains are blocked due to the availability of disposable infrastructure and shared technical templates.
Insikt Group assesses with high confidence that the ClickFix methodology will very likely remain a heavily used initial access vector throughout 2026. The continued success of ClickFix is driven by its ability to bypass advanced browser-based security controls by shifting the point of exploitation to user-assisted manual actions. As long as native system utilities such as PowerShell and Terminal remain accessible to end-users, ClickFix will continue to offer threat actors a high-return, low-complexity alternative to traditional exploit kits.
Looking ahead, ClickFix lures will likely become increasingly technically adaptive. Future iterations are expected to incorporate more granular browser fingerprinting to conditionally serve payloads based on a victim's hardware, geographic location, or organizational profile. Furthermore, since threat actors are already purposefully documenting bypass techniques for static analysis engines within their code, Insikt Group anticipates a long-term trend toward more resilient and obfuscated staging environments. This convergence of sophisticated social engineering and LotL techniques necessitates a shift in defensive strategy, moving away from simple indicator blocking toward aggressive behavioral hardening of the system utilities that ClickFix relies upon.
In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligenceยฎ, improved threat detection methodologies,more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs). While many patterns identified in 2024 persisted, including Cobalt Strikeโs dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025.
For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.
Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.
As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The โas-a-serviceโ ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystemโs underlying economic and operational logic is expected to remain
intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law enforcement actions targeting malicious infrastructure, including coordinated takedowns and other disruption efforts.
Key Findings
Infostealers remained the primary infection vector in 2025, with malware-as-a-service (MaaS)offerings dominating. Vidar outperformed competitors, Lumma proved resilient despite law enforcement and doxxing pressure, and the wider ecosystem remained highly volatile.
Cobalt Strike retained clear dominance in OST detections (~50%) despite declining share, while Metasploit and Mythic held their positions. RedGuard, Ligolo, and Supershell expanded notably, and jQuery again led as the most prevalent malleable C2 profile by detections and geographic reach.
The malware ecosystem remained anchored in MaaS and open-source tooling across desktop and mobile, with AsyncRAT and Quasar RAT leading the RAT landscape, DcRAT and REMCOS RAT gaining share, and families such as XWorm, SectopRAT, and GOSAR entering the top tier, while Android dominated mobile activity (nine of the top ten families) amid rising use of mercenary spyware.
Droppers, loaders, and TDS remained dynamic but resilient in 2025, with high loader turnover following Operation Endgame 2024, driven by Latrodectus expansion and the rise of MintsLoader and GrayBravoโs CastleLoader, alongside sustained and widespread TDS activity linked to TAG-124, GrayCharlie, and other threat actors.
Lastly, in 2025, Insikt Group pivoted to identifying TAEs via the Threat Density List, highlighting high-risk networks such as Virtualine Technologies, often transiting via aurologic GmbH, that sustained operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions and law enforcement pressure.
Background
Insikt Group proactively identifies and monitors infrastructure linked to hundreds of malware families,threat actors, and related artifacts, including phishing kits, scanners, and relay networks. Through daily,automated validation using proprietary methods, Insikt Group delivers accurate risk representation,enabling Recorded Future customers to strengthen their detection and defense capabilities.
Building on Insikt Groupโs annual malicious infrastructure reports from 2022, 2023, and 2024, this yearโs report delivers a concise, data-driven overview of malicious infrastructure observed throughout 2025. While the percentages presented throughout the report are intended to provide insight into trends and the state of malicious infrastructure in 2025, it is important to note that Insikt Group continuously adds new detections for both existing and emerging families, which makes year-over-year comparisons imperfect.
This year, the focus continues to be on the synergy between passive infrastructure detection, higher-tier infrastructure insights powered by Recorded Future Network Intelligence, and victim identification. It also expands to examine trends across the ecosystem of TAEs that underpin cyber threats, including how sanctions against selected entities have reshaped that landscape. Overall, this report is intended for anyone interested in malicious infrastructure, providing a high-level overview of its current state along with summaries of key findings to support informed decision-making and offer a broad perspective on this rapidly evolving landscape.
Recognizing the challenge of categorizing malware types in a mutually exclusive manner due to their overlapping functionalities, this report establishes a set of malware categories to facilitate analysis, as detailed in Appendix A, with brief definitions for each. Notably, certain malware categories, such as crypters, have been intentionally excluded because they typically lack network artifacts.
Beyond examining malicious infrastructure through the lens of malware categories, Insikt Group also monitors it by type, assigning each a distinct risk score within the Recorded Future Intelligence Operations Platformยฎ. This differentiation reflects varying levels of severity. For instance, network traffic to or from a C2 server in a corporate network may indicate a higher risk compared to the presence of a management panel, as the former typically implies active malicious activity. The infrastructure types defined by Insikt Group are detailed in Appendix B.