Reading view

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

Blogs

Blog

Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities

In Flashpoint’s recent webinar, we examine the defining shifts shaping the 2026 threat landscape, from AI-driven attack automation to the growing role of identity in initial access. We analyze how infostealers, vulnerabilities, and ransomware activity are evolving, and where security teams should focus now.

SHARE THIS:
Default Author Image
May 8, 2026

In 2026, the threat landscape operates as a single, connected system. Identity, malware, and infrastructure are now part of the same attack chain, executed at a speed that compresses the time between access and impact.

What once required multiple stages and specialized tooling is now streamlined and automated.

Flashpoint recently hosted an on-demand webinar, “Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities,” where our intelligence team broke down the trends driving this shift. Drawing from primary source intelligence across forums, marketplaces, and closed communities, the session examined how modern attack chains are forming and evolving, as well as where defenders still have opportunities to intervene.

Here are the key takeaways you need to know to prioritize threats and protect your organization.

AI Is Being Operationalized Across the Attack Lifecycle

Artificial intelligence is now embedded across multiple stages of attacker workflows.

Flashpoint tracked more than 1.5 billion mentions of AI in illicit communities in 2025, with activity accelerating sharply toward the end of the year. These discussions center on how AI can be applied to real operations, including phishing, malware development, and fraud.

As Ian Gray, Vice President of Intelligence at Flashpoint, noted during the session, “Adversaries are extremely adept, and they’re constantly looking at how they can use the newest state-of-the-art tools—whether that’s commercial models or their own implementations—and how they can jailbreak them or adapt them to their workflows.”

One of the most notable developments is the use of agentic AI systems to automate tasks that were previously manual. These systems are being used to:

  • Test stolen credentials across VPNs, SaaS platforms, and cloud environments
  • Rotate infrastructure during active operations
  • Generate and refine attack inputs based on previous outcomes

Alongside this, threat actors are actively exploring ways to bypass safeguards in commercial AI tools, including:

  • Jailbreaking model restrictions
  • Embedding hidden instructions through prompt injection
  • Manipulating AI-powered features within enterprise applications

This activity reflects a sustained effort to integrate AI directly into attack execution rather than treating it as a standalone capability.

Identity Is Driving Initial Access

The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

As Gray explained, “Threat actors are finding a variety of ways to get into enterprise networks, and typically it’s through the human element. While humans can be trained or educated, it’s not something that can be patched in the traditional sense.”

This dynamic is already visible at scale.

Flashpoint observed 11.1 million infected devices and 3.3 billion stolen credentials in 2025. These credentials are extracted through infostealers and circulated across marketplaces, enabling direct access into enterprise environments.

In many cases, attackers are using:

  • Session cookies and tokens to bypass authentication flows
  • Browser fingerprints and system metadata to replicate legitimate user behavior
  • Valid credentials to access SaaS platforms, VPNs, and internal systems

Once access is established, activity often blends into normal user behavior, making detection more difficult. Compromised identities are also reused across multiple services, expanding the scope of potential exposure.

This pattern continues to appear in intrusion activity tied to SaaS platforms and third-party integrations, where access to one system can provide visibility into multiple environments.

Infostealers Are Enabling Scalable Access

Infostealers remain a primary driver of credential exposure.

Logs containing credentials, cookies, and system data are continuously harvested and made available through criminal marketplaces and subscription-based services. These logs are used directly or integrated into automated workflows that test and validate access at scale.

Gray pointed to how this plays out in practice: “Infostealers have really commoditized access. They harvest credentials, identify which ones are useful, and then test them at scale across VPNs, SaaS platforms, and cloud environments.”

The ecosystem continues to shift as law enforcement activity disrupts established players and new variants gain traction. Families such as Vidar, Lumma, and others maintain a strong presence due to accessibility and ongoing development.

In parallel, credential harvesting is feeding downstream activity, including:

  • Account takeover
  • Fraud operations
  • Data exfiltration and extortion

This linkage between initial access and follow-on activity is consistent across multiple reporting streams.

Vulnerability Exploitation Is Moving Faster

Vulnerability volume continues to increase alongside exploitation speed.

Flashpoint recorded more than 44,000 disclosed vulnerabilities in 2025, with over 14,000 tied to publicly available exploits. In several cases, exploitation activity followed disclosure within a day.

As Gray put it, “With vulnerabilities, it can feel like you’re trying to boil the ocean. There’s such a high volume of disclosures, but in reality, there’s a smaller set—those that are remotely exploitable, have proof-of-concept code, and are being actively used—that you need to focus on.”

Attacker focus is concentrated in areas that provide broad access or downstream impact, including:

  • Software supply chains and CI/CD environments
  • Open-source dependencies
  • Widely used enterprise platforms

Given the volume of disclosures, prioritization remains critical. Vulnerabilities that are remotely exploitable and paired with public exploit code present immediate risk, particularly when active discussion or exploitation is observed.

Ransomware Activity Continues to Shift

Ransomware activity increased by 53%, with continued changes in how operations are carried out.

Gray framed the shift this way: “Why even bother to develop ransomware? That takes time, resources, and overhead—when you can gain access through a compromised account or third-party platform and immediately move to extortion.”

In addition to traditional ransomware deployment, there is sustained activity centered on:

  • Data exfiltration followed by extortion
  • Use of compromised credentials for direct access
  • Targeting of third-party providers and SaaS platforms

Intrusions tied to help desks, identity workflows, and federated applications continue to appear in reporting, often involving social engineering or unauthorized access provisioning.

There is also ongoing activity related to insider recruitment, with threat actors seeking individuals who can provide direct access or privileged information.

Industries with higher operational dependencies, including manufacturing, technology, and healthcare, continue to be targeted due to the potential impact of disruption.

Translating Intelligence Into Action

The trends shaping 2026 are grounded in how attackers are currently operating across multiple domains.

As Gray emphasized, “You have to take into account vulnerabilities, exposures, infostealers, and identity compromise all at the same time. These aren’t separate problems anymore—they’re all part of the same attack chain.”

Security teams should focus on:

  • Identifying exposures with a high likelihood of exploitation
  • Monitoring for compromised credentials tied to organizational domains
  • Reviewing identity access and third-party integrations
  • Prioritizing vulnerabilities with active exploit availability
  • Tracking attacker activity across forums, marketplaces, and communication channels

These actions align with observed attacker behavior and provide a clearer path to prioritization.

Watch the Full Webinar and Explore the Data

The trends shaping 2026 are grounded in how attackers are already operating.

Flashpoint’s full webinar provides a deeper look at the data, along with practical guidance on how to translate intelligence into action.

Watch the on-demand session to see the full breakdown of these trends, or download the 2026 Global Threat Intelligence Report to explore the underlying data and analysis in more detail.

Request a demo today.

The post Inside the 2026 Cyber Threat Landscape: Data-Driven Security Priorities appeared first on Flashpoint.

  •  

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

Blogs

Blog

Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows

In this post, we outline how cyber threat intelligence is evolving to support agentic AI-driven security operations, why MCP is emerging as a foundational standard, and how Flashpoint is operationalizing data for this new model.

SHARE THIS:
Default Author Image
May 7, 2026

Security teams are under more pressure than ever to move faster, see more, and act with confidence.

At the same time, the way cybersecurity investigations happen is evolving. The “human-in-the-loop” model is expanding: analysts increasingly direct AI agents that gather context, correlate signals across sources, and handle repetitive triage.

While AI is rapidly becoming a staple of modern security operations, a significant gap remains: most intelligence sources were originally designed for human consumption, not AI agents. Historically, threat intelligence platforms were built for analysts to log in and piece together disparate insights. While that model remains the gold standard for deep research, it can become a bottleneck in a high-velocity, agent-led workflow where AI assistants and automation pipelines are the primary investigators.

At Flashpoint, our Ignite threat intelligence platform was built to support deep investigative workflows, enabling analysts to search and connect intelligence across primary-source datasets and build a complete picture of emerging threats. That foundation remains critical.

But as workflows evolve, customers are increasingly looking to extend that same intelligence beyond the platform—into AI assistants, automation pipelines, and other environments where work is actively happening.

That raises an important question: How do you make high-value intelligence as usable for an AI agent as it is for a human analyst?

Today, we are outlining our approach to building the Flashpoint Model Context Protocol (MCP) Server, a strategic initiative that makes Flashpoint’s best-in-class intelligence accessible not only via our award-winning platform but also natively “AI-callable” within the agentic workflows of today and tomorrow.

What Is an MCP Server and Why Does It Matter in Cyber Threat Intelligence?

Model Context Protocol (MCP) is the standard for connecting AI systems to external data sources and tools. 

In practical terms, an MCP server provides a structured way for AI systems, like agents, assistants, copilots, and automation frameworks, to access and interact with data in real time.

For cyber threat intelligence, this represents a fundamental shift in how teams operate:

  • Faster investigations: AI agents can query and correlate data across disparate datasets in seconds.
  • Comprehensive coverage: By searching across all primary sources in parallel, teams eliminate the risk of missing critical intelligence. 
  • More seamless workflows: Analysts can stay within their agentic workflow without constant context switching.
  • Reduced integration overhead: Less need for custom engineering to connect intelligence into new environments.

Flashpoint MCP Server: A Foundation for AI-Native Threat Intelligence

Flashpoint has always differentiated itself on the quality and depth of our data, sourced directly from where threats emerge. Our goal is to ensure this intelligence is available wherever your analysts are working.

Currently, teams experimenting with AI assistants face significant friction: copying and pasting, relying on third-party bridges, or maintaining custom integrations.

We are building the Flashpoint MCP Server as a foundational access layer, the architectural connector that will power both external integrations and future AI experiences within the Flashpoint platform.

With this new layer, teams can:

  • Query intelligence in one workflow: Access intelligence reports, ransomware, vulnerabilities, communities, and Deep Dark Web, and technical indicators in a single research task rather than hopping tool-to-tool.
  • Ground AI agents in truth: Provide a direct, authenticated bridge to real-time, verified Flashpoint intelligence, ensuring AI responses are based on evidence rather than static training data or hallucinations.
  • Scale expert analysis: Use guided prompts and workflow templates to teach the AI exactly how to use our tools to conduct expert-level investigations across our datasets.

The threat intelligence industry is adopting MCP as the standard for how AI systems connect to data.

We’re building the Flashpoint MCP Server to ensure our intelligence is a foundational component of that ecosystem and usable wherever AI-driven workflows occur.

What to Expect from Flashpoint MCP Server

The initial release of the Flashpoint MCP Server in Spring 2026 is intentionally read-only and query-focused. This creates the production-grade foundation required to bring intelligence into the workflows customers are already building. It aligns with customer guidance about using agentic AI to solve the most pressing challenges they face today.

What Comes Next

Later this year, we will move from information retrieval to Action-Oriented Intelligence. This expansion will allow users not only to access data but also to act on it directly within their AI-driven workflows. As this ecosystem evolves, we plan to deliver:

  • Natural Language Orchestration: We are empowering analysts to interact with our data more intuitively. Through the MCP server, complex actions such as updating an investigation or identifying new threat sources are handled via natural-language orchestration. This ensures that the speed of an investigation is limited only by an analyst’s questions, not their mastery of a specific query syntax.
  • Flashpoint-Native Agents and Skills: We are developing specialized Flashpoint Agents and “skills” built on top of this server. These will be purpose-built to address specific workflows, such as ransomware monitoring or vulnerability triage, allowing teams to deploy out-of-the-box expertise without building their own agentic logic
  • Fusion of External and Internal Data: A critical advantage of the MCP framework is the ability to combine Flashpoint’s external threat intelligence with a customer’s internal environment data (SIEM, Cloud, IAM, Endpoint, etc.). This allows an agent to correlate global threat signals with your specific footprint to provide instant, individualized risk context. 
  • Embedded AI within Flashpoint Ignite: This same MCP infrastructure will serve as the shared engine for new, embedded AI experiences within Flashpoint Ignite. This ensures that the same natural-language power and automated data correlation fueling external agents are also natively available within our platform UI, creating a seamless investigative experience regardless of where an analyst chooses to work.

Built and Validated in Real Workflows

We believe in the power of this new architecture because we are already using it. The MCP Server is currently embedded in our own Flashpoint Intelligence Team’s workflow, helping our analysts research and respond to complex client RFIs. 

By applying this capability to our own high-stakes research first, we ensure that what we bring to market is grounded in real investigative needs, not just technical potential. 

Operationalizing the Best Data

The future of security operations won’t be defined solely by who has access to the most data or even the most AI agents; it will be defined by who can operationalize the best data directly within the workflows where decisions are made.

The Flashpoint MCP Server is our strategic commitment to that future—making the world’s best intelligence natively accessible, usable, and aligned with the way modern security teams work.

The Flashpoint MCP Server is currently in active development, with customer availability planned for late Spring 2026. 

Subscribe to the Flashpoint blog for more updates on Flashpoint MCP Server and the latest insights from the front lines of threat intelligence.  

Frequently Asked Questions

What is the Flashpoint MCP Server? 

The Flashpoint MCP Server enables Flashpoint’s threat intelligence to be directly callable by AI agents. It implements the Model Context Protocol (MCP), an open standard for connecting AI systems to external data, so any MCP-compatible agent, including Claude, Gemini, and Cursor, can query our datasets without bespoke API integration work.

Who is the MCP Server designed for?

The MCP Server is designed for technical, forward-leaning security teams and AI-native organizations. This includes SOC analysts, CTI practitioners, and security engineers who are already building or experimenting with AI agent workflows using tools like Gemini, Claude Code, or custom LLM-based assistants.

Which Flashpoint datasets are accessible via MCP?

The initial rollout (Spring 2026) provides access to Flashpoint’s core intelligence collections, including:

  • Intelligence Reports
  • Communities (Online forums, messaging platforms, closed digital communities)
  • Technical Indicators (IOCs)
  • Vulnerability Intelligence (CVEs)
  • Ransomware
  • Compromised Credentials and Infected Hosts
  • Strategic Entity Data

How does this differ from Flashpoint’s standard APIs?

While our standard APIs are designed for direct programmatic consumption, the MCP Server is optimized specifically for AI agents. It exposes intelligence as composable tools and guided prompts that AI agents can understand and use to perform complex, multi-step research tasks. 

How does this differ from the Flashpoint Ignite platform?

The Flashpoint MCP Server is not a replacement for Flashpoint’s award-winning Ignite platform; rather, it is a complementary access layer designed for a different type of user and workflow. While Ignite is a destination for deep research, the MCP server provides the infrastructure that enables that same intelligence to live in AI-native environments.

To learn more about Flashpoint’s MCP Server, schedule a demo today.

See Flashpoint in Action

The post Flashpoint MCP Server: Operationalizing Cyber Threat Data for Agentic AI Security Workflows appeared first on Flashpoint.

  •  

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

Blogs

Blog

2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders

SHARE THIS:
Default Author Image
May 6, 2026

We are proud to share that Flashpoint has been named a Challenger in the inaugural 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies. 

“We see this recognition as a testament to Flashpoint’s ability to execute at the highest levels for the world’s most discerning threat intelligence customers, with our unique combination of primary source collection and human analysis at the core,” — Josh Lefkowitz, CEO at Flashpoint.

The Gartner Magic Quadrant provides organizations with a wide-angle view of vendors in the cyber threat intelligence market. By applying a graphical treatment and a uniform set of evaluation criteria, the Magic Quadrant helps organizations assess how well technology providers are executing their stated visions and performing against Gartner’s market view. Vendors are evaluated based on their Ability to Execute and Completeness of Vision:

  • Ability to Execute reflects the Gartner assessment of the vendor’s product and/or service, overall viability, sales execution and pricing, market responsiveness and record, marketing execution, customer experience, as well as operations.
  • Completeness of Vision comprises the Gartner view of the vendor’s overall market understanding, marketing strategy, sales strategy, offering (product) strategy, business model, vertical/industry strategy, innovation, and geographic strategy.

“We believe, and our customers consistently validate, that the future of threat intelligence lies at the critical intersection of intelligence depth and application,” says Lefkowitz. “That’s why Flashpoint pairs unmatched access to primary-source environments with the ability to operationalize that intelligence across security workflows, enabling organizations to make faster, more informed decisions.”

A complimentary copy of the Gartner® Magic Quadrant™ for Cyber Threat Intelligence Technologies is available to download here.

Market Dynamics and Growth of the Threat Intelligence Market

The threat intelligence market has expanded in both scope and strategic importance as organizations contend with a broader and more complex threat environment. What was once a supporting function within security operations is now expected to inform decisions across vulnerability management, fraud prevention, and enterprise risk. This shift has raised the bar for how intelligence is collected, analyzed, and applied.

Gartner describes this evolution as a move toward unified cyber risk intelligence (UCRI) — an approach that brings together diverse internal and external data sources with advanced analytical capabilities to improve decision-making. As noted in The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, “the future of threat intelligence is unified cyber risk intelligence (UCRI)… defined by the convergence of multisignal collection and advanced analytical capabilities.” In our opinion, this model reflects the reality that no single source provides sufficient visibility, and that intelligence must be corroborated across environments to be actionable. 

At the same time, the scale of available data continues to increase, introducing new challenges around prioritization and context. Gartner notes that organizations “receive vast amounts of threat data, and filtering out false positives, redundant information and irrelevant alerts to extract actionable intelligence remains a significant challenge. This “noise” can overwhelm security teams and lead to important threats being missed.” This is where AI plays a growing role. Techniques such as machine learning and natural language processing are increasingly used to correlate signals, identify patterns, and surface relevant risks faster. As intelligence becomes more integrated across the enterprise, the ability to combine multisource collection with AI-driven analysis is shaping how organizations evaluate platforms and build modern threat intelligence programs.

How Security Teams Are Evaluating Threat Intelligence

From Flashpoint’s experience working with the most discerning security and intelligence teams, the value of a threat intelligence platform is measured in how it performs in practice — how quickly it surfaces relevant activity, how much context it provides, and how easily it supports decision-making across workflows.

We see three areas consistently shape how intelligence is evaluated, supported by a combination of human expertise and AI-driven analysis:

  • Access to high-signal environments: Intelligence is most useful when it reflects activity at its source. Access to closed forums, encrypted messaging platforms, and illicit marketplaces provides the context needed to understand how threats develop and move.
  • Context that supports prioritization: Vulnerability and threat data require context to be actionable. Understanding how activity is discussed and operationalized in real environments allows teams to focus on what requires attention.
  • Integration into operational workflows: Intelligence must fit into the systems and processes teams already rely on. Integration across SIEM, SOAR, and internal workflows allows intelligence to be applied consistently at scale.

These areas are closely tied to how Flashpoint has built its platform and how it supports organizations operating in complex threat environments.

Where Intelligence Comes From Matters

A large part of how intelligence performs in practice comes back to the source of the data itself.

We believe, and our customers continue to validate, that Flashpoint’s approach is centered on primary-source collection. That means accessing environments where threat activity is actively discussed, coordinated, and developed, including closed forums, encrypted messaging platforms, and illicit marketplaces. These environments require sustained access and ongoing validation, but they provide a level of visibility that is difficult to achieve through surface-level collection alone.

From our experience, working from these sources changes how intelligence is used. Activity can be observed earlier and understood with more context, with discussions, relationships, and intent preserved.

In practice, this allows teams to:

  • Identify emerging activity before it becomes widely visible
  • Maintain context across conversations, actors, and environments
  • Reduce time spent investigating low-value or unverified signals

Intelligence Has to Fit Into How Teams Actually Operate

Collection alone doesn’t determine whether intelligence is useful. We believe it also has to be delivered in a way that aligns with how teams work.

In our experience, most security teams already have established workflows tied to SIEMs, SOAR platforms, and internal processes. Intelligence that integrates into those workflows can be applied consistently across investigation and response.

In practice, we see this support:

  • Delivery of intelligence directly into existing systems
  • Consistent application across automated and analyst-driven workflows
  • Reduced friction between intelligence, investigation, and response

Over time, this consistency allows teams to build repeatable processes around intelligence rather than treating it as a separate function.

Context Drives Prioritization

The same dynamics apply to vulnerability intelligence.

From our experience, understanding which vulnerabilities exist is only one part of the problem. Determining which ones require attention in a given environment depends on context — how those vulnerabilities are being discussed, shared, or used in active threat activity.

We have seen first-hand that when vulnerability data is connected to real-world activity, teams can:

  • Prioritize remediation based on active threat relevance
  • Align vulnerability management with observed adversary behavior
  • Reduce reliance on static scoring as the sole decision driver

Applying This in Practice

For organizations evaluating providers, challenge intelligence sources, challenge collection agility, challenge exploit prioritization and above all ask yourself is this a partner with a long-term track record of navigating the world’s most complex threat environments?

To see how Flashpoint, the world’s largest private provider of threat intelligence can help you make better decisions, faster and with confidence, schedule a demo.

Gartner Disclaimer

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose. 

This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Flashpoint.

Gartner, Magic Quadrant for Cyber Threat Intelligence Technologies, Jonathan Nunez, Carlos De Sola Caraballo, Jaime Anderson, May 4, 2026.

Gartner, The Evolution of Threat Intelligence Is Unified Cyber Risk Intelligence, By Jonathan Nunez, 15 September 2025.

Gartner and Magic Quadrant are trademarks of Gartner, Inc., and/or its affiliates.

Begin your free trial today.

The post 2026 Gartner® Magic Quadrant™ for Cyber Threat Intelligence: Key Takeaways for Security Leaders appeared first on Flashpoint.

  •  

How to Build and Operationalize Priority Intelligence Requirements

Blogs

Blog

How to Build and Operationalize Priority Intelligence Requirements

In this post, we break down how to define, structure, and operationalize Priority Intelligence Requirements (PIRs) to improve focus, reduce noise, and drive more effective intelligence outcomes, with a companion starter kit to help apply these concepts in practice.

SHARE THIS:
Default Author Image
April 30, 2026

Security teams are inundated with data. Alerts, feeds, reports, and signals continue to grow in volume, but without clear direction, much of that information fails to translate into meaningful action.

Flashpoint recently hosted a webinar, “How to Build and Operationalize Priority Intelligence Requirements,” where our intelligence team walked through how organizations can bring structure to their intelligence programs. The session focused on how to define Priority Intelligence Requirements (PIRs), align them to business needs, and operationalize them across workflows. If you missed it, you can catch the on-demand recording here.

In this blog, we’ll recap the key takeaways from the webinar that you need to know to build, structure, and operationalize Priority Intelligence Requirements within your organization.

Priority Intelligence Requirements Create Focus

Priority Intelligence Requirements (PIRs) define what matters most to an organization’s intelligence function.

They serve as a framework for identifying the threats, risks, and questions that intelligence teams are responsible for answering. Without that structure, teams often default to reactive workflows—chasing alerts and producing reporting without clear alignment to business priorities.

PIRs establish that alignment by grounding intelligence work in specific, decision-driven questions.

These questions are typically tied to areas such as:

  • Threat actor activity targeting the organization or its sector
  • Exposure of sensitive data, credentials, or infrastructure
  • Risks tied to third-party vendors or supply chain dependencies
  • Emerging trends that may impact operations or security posture

When defined correctly, PIRs act as a filter that helps teams determine what to collect, analyze, and escalate.

Effective PIRs Start With the Business

One of the most common challenges highlighted in the webinar is that PIRs are often defined in isolation.

When intelligence requirements are not tied to business priorities, they tend to drift toward generic threat monitoring. This leads to reporting that is technically accurate, but operationally disconnected.

Effective PIR development starts with first understanding:

  • What decisions need to be made
  • Who is responsible for making them
  • What information is required to support those decisions

This requires direct engagement with stakeholders across security, risk, and business teams. In practice, that often includes leadership, legal, fraud, and operational teams.

The goal is to translate business concerns into intelligence questions that can be consistently answered over time.

Structuring PIRs for Actionability

Clear structure is essential to making PIRs usable.

Well-defined PIRs are specific enough to guide collection and analysis, but flexible enough to evolve as threats change. They are typically framed as direct questions that intelligence teams can answer with available data.

Examples of structured PIRs include:

  • Are threat actors actively targeting our organization or industry?
  • Has our data appeared in criminal marketplaces or forums?
  • Are our third-party vendors experiencing security incidents that could impact us?

This approach ensures that intelligence outputs remain focused on answering defined questions rather than producing general reporting.

It also enables consistency across teams, making it easier to track trends and measure changes over time.

Operationalizing PIRs Across Workflows

Defining PIRs is only the starting point. Their value comes from how they are integrated into day-to-day operations.

In the webinar, Flashpoint emphasized the importance of embedding PIRs across the intelligence lifecycle, including:

  • Collection: Prioritizing sources and datasets that align with defined requirements
  • Analysis: Structuring outputs around PIR-driven questions
  • Dissemination: Delivering intelligence to the stakeholders tied to each requirement
  • Feedback: Continuously refining PIRs based on evolving needs

This integration ensures that intelligence efforts remain consistent and aligned, even as threat conditions change.

It also reduces duplication of effort and helps teams avoid producing intelligence that does not support decision-making.

Measuring the Impact of Intelligence

PIRs provide a foundation for evaluating whether intelligence efforts are effective.

Without defined requirements, it is difficult to determine whether outputs are relevant or useful. PIRs create a benchmark against which teams can assess:

  • Whether key questions are being answered
  • Whether intelligence is reaching the right stakeholders
  • Whether outputs are informing real decisions

This shifts intelligence from a reporting function to a decision-support capability.

Over time, this approach helps organizations refine both their requirements and their workflows, improving efficiency and impact.

Dive Deeper | Watch the Full Webinar

Building and operationalizing Priority Intelligence Requirements is a foundational step toward a more focused and effective intelligence program.

Flashpoint’s on-demand webinar walks through this process in detail, including practical examples and guidance for implementation.

For teams looking to move from theory to implementation, the Priority Intelligence Requirements (PIR) Starter Kit provides a practical extension of this approach. The resource includes a structured framework for defining requirements, a catalog of adaptable PIR examples across key intelligence drivers, and a template to support documentation and governance.

Watch the full session and download the starter kit to begin building requirements that directly support decision-making and risk reduction.

Begin your free trial today.

The post How to Build and Operationalize Priority Intelligence Requirements appeared first on Flashpoint.

  •  

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

Blogs

Blog

National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges

In this post, we examine what NVD’s shift to selective enrichment means for vulnerability workflows and how security teams can maintain visibility and prioritization at scale.

SHARE THIS:
Default Author Image
April 17, 2026

The National Vulnerability Database (NVD) is changing how it processes and enriches vulnerability data in response to sustained growth in CVE submissions.

Under a new model announced by the National Institute of Standards and Technology, NVD will no longer enrich every CVE. Instead, enrichment efforts will focus on a defined subset, including vulnerabilities in the CISA KEV catalog, software used by the federal government, and software designated as critical.

All other CVEs will remain in the database without additional context unless specifically requested.

Rising disclosure volumes are placing pressure on public vulnerability infrastructure, and it has direct implications for how security teams consume and act on vulnerability data.

What Changed in NVD’s Operating Model

For years, NVD aimed to provide consistent enrichment across all CVEs, including severity scoring, affected product data, and supporting context for prioritization.

That approach has not been sustainable since late 2023.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, 14,593 of which had publicly available exploits (and 1,944 more with proof-of-concepts). 

CVE submissions increased by 263% between 2020 and 2025, with 2026 already tracking higher year-over-year. Even with increased throughput, NVD has not been able to keep pace.

Under the updated model:

  • CVEs meeting prioritization criteria will be enriched on an accelerated timeline
  • CVEs outside those criteria will be labeled and left without enrichment
  • Re-analysis of modified CVEs will occur selectively
  • Separate NVD severity scoring will no longer be applied by default

This introduces a significant structural change in how vulnerability data is published and maintained.

The Impact on Vulnerability Workflows

Many security programs rely on NVD enrichment to operationalize CVE data. That enrichment provides the context needed to evaluate risk and determine remediation priorities.

With enrichment applied selectively, teams will encounter a growing number of CVEs that include:

  • Limited or no severity scoring
  • Incomplete product and version data
  • Minimal context on exploitability or impact
  • No CPE strings that allow for programmatic consumption of data

At the same time, disclosure volume continues to rise, and exploitation timelines remain compressed. This creates a gap between what is disclosed and what can be acted on efficiently.

Security teams will need to account for:

  • Larger backlogs of CVEs without actionable context
  • Increased manual effort to evaluate relevance and risk
  • Greater variability in data quality across sources

These changes affect vulnerability management, threat intelligence, and security operations workflows simultaneously.

Prioritization Criteria Will Not Capture the Full Risk Landscape

NVD’s updated model focuses enrichment on a defined set of criteria, including known exploited vulnerabilities and software relevant to federal systems.

These categories represent important segments of risk, but they do not encompass the full set of vulnerabilities that organizations encounter in practice.

Modern environments include:

  • Open-source dependencies
  • SaaS platforms and APIs
  • Cloud infrastructure and services
  • Third-party and partner integrations

Many vulnerabilities affecting these environments fall outside formal prioritization frameworks or lack immediate classification within public datasets. As a result, security teams will continue to face exposure from vulnerabilities that are:

  • Actively exploited but not yet included in prioritized lists
  • Missing complete metadata or enrichment
  • Relevant to their environment but not captured by federal-centric criteria

Vulnerability Intelligence Requires Broader Coverage and Deeper Context

As public enrichment becomes more selective, organizations will rely more heavily on alternative sources to maintain visibility and context.

Effective vulnerability intelligence requires:

  • Coverage across CVE and non-CVE vulnerabilities
  • Continuous tracking of exploitation activity and adversary usage
  • Context on exploit maturity, and remediation
  • Consistent enrichment that can be integrated into operational workflows

This level of detail supports faster and more accurate decision-making in environments where both volume and speed are increasing.

Flashpoint’s vulnerability intelligence model is built to address these requirements, with a dataset that includes over 7,000 known exploited vulnerabilities and ongoing analyst-driven enrichment across global sources.

What Security Teams Should Do Next

This shift in NVD operations does not change the need to track CVEs. It changes how that data can be used. Security teams should evaluate how their current workflows depend on:

  • NVD enrichment for prioritization
  • CVSS scoring as a primary decision input
  • Completeness of public vulnerability data

From there, teams can take steps to strengthen resilience:

  • Incorporate sources of vulnerability intelligence that cover CVE and more
  • Align prioritization to exploitation activity and environmental relevance
  • Validate coverage across software, cloud, and third-party dependencies
  • Ensure that enrichment gaps do not delay remediation decisions

A Structural Shift in Vulnerability Data

For many teams, NVD has been a default source of vulnerability context. This change makes clear that its role is narrowing at a time when disclosure volume and prioritization demands are increasing.

At the same time, the role of vulnerability intelligence is expanding.

Security teams need access to data that supports prioritization, not just identification. They need consistent enrichment, faster turnaround, broader coverage, and context tied to real-world activity. As disclosure volumes continue to grow, those requirements become more central to how organizations manage risk.

Flashpoint’s Vulnerability Intelligence provides this level of coverage and context, with analyst-driven enrichment, global visibility across CVE and non-CVE vulnerabilities, and a dataset that includes over 7,000 known exploited vulnerabilities.

Request a demo to see how Flashpoint helps security teams prioritize and act on vulnerability risk with greater precision and confidence.

Begin your free trial today.

The post National Vulnerability Database (NVD) Shifts to Selective Enrichment as CVE Volume Surges appeared first on Flashpoint.

  •  

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

Blogs

Blog

Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates

In this post we explore Flashpoint’s latest milestone of surpassing cataloging 7,000 known exploited vulnerabilities and what this means for security teams.

SHARE THIS:
Default Author Image
April 15, 2026

Flashpoint Vulnerability Intelligence has surpassed cataloging 7,000 known exploited vulnerabilities, surpassing another major milestone as vulnerability disclosures accelerate across the global attack surface.

In 2025, Flashpoint tracked 44,509 disclosed vulnerabilities, a pace that continues to accelerate into 2026. Of those, 14,593 had publicly available exploits (1,944 more with proof-of-concepts), giving threat actors immediate pathways to weaponization.

This pace is shaping how exploitation unfolds, with high-impact vulnerabilities being operationalized within hours or days, particularly when they affect widely deployed technologies or core infrastructure.

Security teams are operating within this compressed environment every day. They are reviewing more findings across open-source software, commercial applications, cloud environments, and third-party dependencies, while working within tighter timelines to assess impact and take action.

Flashpoint’s latest milestone of surpassing 7,000 known exploited vulnerabilities (KEVs) cataloged reflects that reality. It highlights how vulnerability management programs are evolving toward prioritization as a core capability, with a focus on vulnerabilities tied to active exploitation and real-world risk.

What The 7,000+ KEV Milestone Means for You

Security teams are operating in a high-volume environment. Vulnerabilities are disclosed continuously across open-source software, commercial applications, cloud environments, and third-party dependencies. At the same time, advancements in automation and code analysis are increasing the rate at which new findings are surfaced.

Each of these findings enters an already crowded workflow. Teams are expected to determine relevance, urgency, and impact quickly, often with limited context. This is where risk-based decision making becomes essential.

Flashpoint tracks hundreds of thousands of vulnerabilities across thousands of sources. Within that dataset, a much smaller percentage shows confirmed exploitation activity. That concentration of risk informs how effective programs allocate time and resources.

Crossing the 7,000+ KEV milestone goes beyond scale to provide greater precision, deeper context, and stronger confidence in how teams prioritize and act on the most critical vulnerabilities.

  • Validated threats: Each KEV entry reflects observed exploitation in the wild by threat actors, including APT groups, cybercriminal operations, ransomware presence, and automated botnets.
  • Exploit-aware prioritization: In reality, only a small percentage of tracked vulnerabilities drive real-world incidents. FP KEV provides visibility into that subset so teams can focus remediation efforts where they have immediate impact.
  • Human-curated intelligence: Every entry is reviewed, validated, and enriched by analysts, with context on exploit maturity, adversary usage, and remediation pathways when available.

This level of clarity allows teams to move faster without sacrificing accuracy. It supports vulnerability management programs that are built around real-world attacker behavior and aligned to current risk.

How Public Vulnerability Data Fits Into the Picture

Public vulnerability catalogs remain useful reference points for tracking disclosures and confirmed exploitation. The CISA Known Exploited Vulnerabilities catalog, for example, gives security teams a curated view into a limited set of vulnerabilities that have been exploited in the wild that impact U.S. government stakeholders.

For many organizations, though, that level of visibility is not enough.

Public catalogs capture only part of the picture. They tend to reflect a narrower slice of exploitation activity, with less detail on how vulnerabilities are being used, which actors are leveraging them, and what defenders should do next. They also rely heavily on CVE-based tracking, leaving gaps around non-CVE exposures and other vulnerabilities that still carry operational risk.

Flashpoint’s FP KEV and Vulnerability Intelligence provide a broader and more actionable view. The advantage is visible in both scale and depth. Of the 7,000 known exploited vulnerabilities in FP KEV, over 800 are missing from CVE. That expanded coverage is paired with the context security teams need to prioritize effectively, including exploit maturity, adversary mapping, affected product detail, and remediation guidance.

DimensionPublic KEV CatalogsFlashpoint FP KEV
ScopeVaries by provider, with coverage dependent on available sources and methodologyGlobal, cross-industry coverage
CoverageCVE-based trackingCVE and non-CVE vulnerabilities
ContextLimited enrichmentExploit maturity, adversary mapping, remediation
Update ModelPeriodic updatesContinuously updated with analyst input

This is what separates a reference list from an operational dataset. Teams need vulnerability intelligence that supports triage, remediation, reporting, and broader risk reduction efforts. Wider visibility and deeper context make that possible.

The Critical Role of Human-Curated Intelligence

Vulnerability data originates from a wide range of sources with varying levels of completeness and accuracy.

Flashpoint’s intelligence model includes analyst validation to ensure consistency and depth across the dataset.

This process includes:

  • Reviewing disclosures across public and private sources
  • Validating exploit availability and usage
  • Enriching entries with technical and operational context

Analyst input supports:

  • Accurate classification of vulnerabilities
  • Clear understanding of exploitation pathways
  • Timely updates as activity evolves

Supporting Decision-Making Across Teams

Vulnerability intelligence feeds multiple functions across an organization. Teams use this data to align technical actions with current threat activity.

Common use cases include:

  • Vulnerability management: Align patching priorities with active exploitation trends.
  • Threat intelligence: Map vulnerabilities to threat actor campaigns and observed behaviors.
  • Security operations: Tune detection based on known exploit techniques.
  • Executive reporting: Communicate risk posture using data tied to real-world activity.

Each of these functions relies on consistent, enriched intelligence to maintain alignment.

Proactively Address Vulnerability Risk

Vulnerability discovery continues to expand across software ecosystems, infrastructure, and identity layers.

Security teams require a clear understanding of which issues are relevant to their environment at any given time.

Flashpoint provides primary source intelligence that supports this need through:

  • Continuous monitoring of vulnerability disclosures and exploitation
  • Analyst-driven validation and enrichment
  • Integration-ready data for operational workflows

This approach enables teams to maintain focus, allocate resources effectively, and respond to risk based on current threat activity. Request a demo and learn more today.

Begin your free trial today.

The post Flashpoint Surpasses Cataloging 7,000 Known Exploited Vulnerabilities as Disclosure Volume Accelerates appeared first on Flashpoint.

  •  

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

Blogs

Blog

Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework

In this post, we examine why intelligence requirements often fail to drive decisions and how to operationalize Priority Intelligence Requirements to align collection, analysis, and action.

SHARE THIS:
Default Author Image
April 13, 2026

In modern security operations, the “more is better” approach to threat intelligence has failed. Teams are drowning in alerts, not because the tools aren’t working, but because they lack a defined “North Star” to tell them which signals actually matter. 

To move from reactive monitoring to proactive defense, you need Priority Intelligence Requirements (PIRs). 

What is a Priority Intelligence Requirement (PIR)?
Definition: A Priority Intelligence Requirement is a decision-support question that identifies a critical knowledge gap. It defines what an organization needs to know, why it matters, and which specific business decision the information will support.

What Are the Biggest Challenges in Implementing PIRs?

Most teams buy intelligence tools, connect their sources, and immediately hit a wall: What should we actually be looking for?

Without a requirements-driven intelligence model, programs typically suffer from three critical points of friction that teams face every day: 

  1. Alert Parity: A low-level credential leak on a forum is treated with the same urgency as a targeted ransomware threat.
  2. The “So What?” Gap: Analysts produce reports that leadership finds “interesting” but not “actionable”.
  3. Analyst Burnout: Teams spend the majority of their time chasing “exploratory” data rather than defending the business. 

Requirements-driven intelligence changes the starting point. It moves the focus from “What data can we get?” to “What decisions do we need to make?”

The 3-Tier Intelligence Requirements Model: GIR, PIR, and SIR

To operationalize intelligence, you must understand its hierarchy. A PIR is the bridge between executive strategy and technical execution. We recommend structuring requirements across these three tiers:

  1. General Intelligence Requirements (GIRs): The “Why”)

These are the big-picture risks that keep your CISO or Board up at night. They focus on trends and long-term posture.

Example: “How is the ransomware landscape evolving for the healthcare sector in 2026?”

Outcome: Informs budgeting and annual security priorities.

  1. Priority Intelligence Requirements (PIRs): The “What”

This is the operational heart of your program. PIRs turn strategic concerns into specific, high-impact scenarios.

Example: “Which ransomware groups are actively targeting our specific supply chain partners?”

Outcome: Defines daily monitoring and escalation triggers.

  1. Specific Intelligence Requirements (SIRs): The “How”

SIRs are the tactical “boots on the ground” that power your PIRs with granular data.

Example: “Monitor for [Specific Malware Family] indicators or [Specific Actor] infrastructure associated with Group X.”Outcome: Drives threat hunting and automated detection logic.

Why Should You Focus on Building at the PIR Level?

While you need the full hierarchy, your primary effort should live at the PIR layer.

General IRs are often too high-level to automate, and SIRs (technical indicators) change too quickly to manage manually. PIRs are the “Stable Middle.” They are broad enough to capture business risk but specific enough to map to a workflow. By building your program around a library of PIRs, you create a system that is:

  • Machine-Readable: Easy to translate into platform automation.
  • Stakeholder-Aligned: Written in language that leadership understands.

Action-Oriented: Designed to trigger a specific response every time they are “answered.”

How To Audit Your PIRs (The Stress Test)

Before you commit resources to monitoring, run each requirement through this three-point filter:

  1. Is it tied to a decision? If we learn the answer today, what specifically changes in our defense?
  2. Does it have an owner? Which specific stakeholder is accountable for acting on this information?
  3. Is it time-bound? Is this requirement evergreen, or active during a defined risk window?

For a more comprehensive view of your full threat intelligence picture, take the Threat Intelligence Capability Assessment.

Frequently Asked Questions About Priority Intelligence Requirements

What is the difference between PIRs and general monitoring goals?
PIRs are decision-driven requirements tied to specific risks. Monitoring goals (like “watch the dark web”) describe activities without defining a clear outcome.

How often should PIRs be updated?
PIRs should be revisited when decisions are made, risks shift, incidents occur, or strategic priorities change.

Can small security teams implement PIR frameworks?
Yes. In fact, smaller teams often benefit most because requirements help prioritize limited resources.

How do you measure PIR effectiveness?
Indicators include reduced alert noise, clearer reporting alignment, faster investigations, and improved stakeholder satisfaction.

Join the Webinar: How to Build and Operationalize Priority Intelligence Requirements

Register to learn how to define actionable PIRs that stakeholders actually care about and align intelligence to real business decisions.

Register now for the webinar.

Note: Attendees will receive our exclusive “Priority Intelligence Requirements Starter Kit,” which features a practical workbook and a PIR library.

Begin your free trial today.

The post Why Intelligence Requirements Fall Flat and How to Fix Them with a Practical Priority Intelligence Requirements Framework appeared first on Flashpoint.

  •  

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

Blogs

Blog

The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks

In this post, we examine how phishing-as-a-service (PhaaS) has evolved into a structured cybercrime ecosystem, how threat actors collaborate across infrastructure, delivery, and monetization layers, and why this model continues to drive large-scale financial fraud targeting global organizations.

SHARE THIS:
Default Author Image
April 10, 2026

Phishing is no longer a standalone tactic. It has matured into a service-based ecosystem where specialized actors provide each component of an attack lifecycle, from infrastructure and delivery to credential harvesting and cash-out.

Flashpoint analysts, working with partner financial institutions, have observed a growing number of PhaaS operations operating with a level of coordination and specialization more commonly associated with legitimate software platforms. These ecosystems bring together phishing kit developers, infrastructure providers, spam delivery services, and financially motivated actors into a single, scalable pipeline for fraud.

This shift has significantly lowered the barrier to entry for cybercriminals while increasing the scale, efficiency, and success rate of phishing campaigns.

From Phishing Kits to a Service-Based Fraud Economy

PhaaS emerged from early phishing kits into a full cybercrime-as-a-service model built on commercialization, modular tooling, and operational scalability.

Early phishing activity relied on standalone kits — basic login pages and scripts that allowed attackers to collect credentials. Over time, operators began centralizing these capabilities into subscription-based platforms offering hosting, domain management, campaign tooling, and ongoing support.

Modern PhaaS platforms now operate similarly to legitimate SaaS providers:

  • Subscription-based pricing models
  • Prebuilt templates for major brands and services
  • Integrated delivery mechanisms (email, SMS, QR phishing)
  • Real-time dashboards for campaign tracking and credential harvesting

This model has made sophisticated phishing accessible to low-skill actors. Kits can cost as little as US$10, while full platforms enable large-scale campaigns for relatively modest monthly fees.

MFA Bypass and AI Are Reshaping Phishing Capabilities

As organizations adopted multifactor authentication (MFA), PhaaS operators adapted.

Modern platforms increasingly rely on adversary-in-the-middle (AiTM) techniques, using reverse proxy infrastructure to intercept login sessions in real time. This allows attackers to capture not only credentials, but also MFA tokens and session cookies, effectively bypassing traditional authentication controls.

At the same time, AI is accelerating the scale and effectiveness of phishing campaigns.

Threat actors are using AI to:

  • Generate convincing, localized phishing lures
  • Clone brand interfaces with high fidelity
  • Optimize campaigns through automated testing and iteration

This combination of MFA bypass and AI-driven automation has transformed phishing from a volume-based tactic into a precision-driven access vector.

The PhaaS Pipeline: How the Ecosystem Operates

What distinguishes modern phishing operations is not just tooling, but coordination.

A typical PhaaS campaign follows a structured lifecycle:

This pipeline is supported by a network of specialized providers, each responsible for a different stage of the attack lifecycle.

Infrastructure, Delivery, and Exfiltration Are Increasingly Specialized

Flashpoint analysis highlights how different actors focus on distinct parts of the ecosystem.

Infrastructure and Kit Development

Phishing kit developers provide increasingly sophisticated tooling, including:

  • Reverse proxy (AiTM) capabilities for MFA bypass
  • Anti-bot protections to evade researchers
  • “Live panels” enabling real-time interaction with victims

Platforms such as GhostFrame, Rapid Pages, and MUH Pro Admin illustrate how these tools are being productized and distributed at scale.

SMS Delivery and Spoofing

Smishing has become a critical delivery vector.

Threat actors operate dedicated SMS gateway services capable of sending large volumes of messages via APIs or bulk uploads. Others actively seek advanced spoofing capabilities to bypass authentication controls such as SPF, DKIM, and DMARC, enabling phishing messages to appear legitimate at the protocol level.

Credential Exfiltration and Telegram Integration

Credential collection is increasingly automated and centralized.

Many campaigns exfiltrate stolen credentials directly to Telegram bots or channels, enabling real-time access to victim data. This infrastructure also allows for rapid scaling and coordination across actors participating in the same campaign or ecosystem.

From Credential Theft to Financial Monetization

The ultimate goal of PhaaS operations is monetization.

Stolen credentials are used to enable account takeover (ATO), which allows attackers to:

  • Access financial accounts
  • Lock out legitimate users
  • Initiate fraudulent transactions
  • Launch follow-on scams

Flashpoint analysis of actors such as “JUN JUN,” associated with the Squirtle group, illustrates how these operations extend into structured financial fraud and laundering.

Observed activity shows a progression from acquiring phishing logs (“fish material”) to targeting high-value accounts and ultimately laundering funds through complex mechanisms, including tax fraud and credit card repayment schemes designed to recycle illicit funds.

This highlights how phishing is only the entry point into a broader fraud pipeline.

A Distributed Ecosystem of Threat Actors

The PhaaS landscape is not controlled by a single group, but by a network of loosely connected actors and clusters.

Examples include:

  • Fluffy Spider: Focused on large-scale infrastructure deployment and domain generation
  • IVAN: A more exclusive, high-tier operation leveraging SEO poisoning and advanced evasion techniques
  • Smishing Triad: A highly coordinated group conducting global SMS phishing campaigns
  • System Bot: A modular phishing toolkit with credential harvesting and OTP bypass capabilities

These actors operate across different regions and languages but demonstrate comparable levels of technical capability and operational maturity.

Many of these groups function with enterprise-like structures, including support teams, affiliate models, and performance-based operations, further reinforcing the industrialization of phishing-driven fraud.

Law Enforcement Pressure Is Increasing, but the Model Persists

Recent takedowns, including operations targeting platforms such as Tycoon 2FA, demonstrate growing coordination between public and private sector defenders.

These efforts have:

  • Disrupted infrastructure
  • Increased operational costs for threat actors
  • Accelerated collaboration between intelligence providers and law enforcement

However, the underlying PhaaS model remains resilient.

Even as major platforms are dismantled, operators frequently rebrand, migrate infrastructure, or fragment into smaller services. The demand for scalable, low-cost phishing capabilities continues to sustain the ecosystem.

What This Means for Security Teams

Phishing-as-a-service has evolved from a tactic to an ecosystem that industrializes fraud.

Flashpoint assesses that the increasing coordination between phishing kit developers, infrastructure providers, and financial fraud actors will continue to drive large-scale credential harvesting and account takeover activity targeting global organizations.

For defenders, this means that effective mitigation requires more than user awareness and traditional controls. Organizations must account for:

  • MFA bypass techniques such as AiTM
  • Rapid infrastructure rotation and evasion
  • The integration of phishing into broader fraud and access broker pipelines

Protecting Your Organization from the PhaaS Ecosystem

Understanding how phishing ecosystems operate — from infrastructure and delivery to monetization — is critical for disrupting attacks before they result in fraud.

Flashpoint provides intelligence that helps organizations track phishing campaigns, identify emerging threat actors, and detect compromised credentials in real time. By correlating activity across the full attack lifecycle, security teams can better anticipate threats and respond before they escalate.

To learn how Flashpoint can support your team with actionable intelligence on phishing and fraud ecosystems, schedule a demo.

Begin your free trial today.

The post The Phishing-as-a-Service Pipeline: How a Scalable Fraud Ecosystem Is Driving Global Attacks appeared first on Flashpoint.

  •  

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

Blogs

Blog

Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels

In this post, we examine how threat actors are executing tax refund fraud schemes, from sourcing identity data to bypassing verification and cashing out fraudulent returns, and what these patterns reveal about evolving fraud ecosystems.

SHARE THIS:
Default Author Image
April 9, 2026

Tax refund fraud remains a persistent and evolving threat within cybercrime and fraud communities. Threat actors actively advertise and refine schemes designed to file fraudulent returns and intercept refund payments from legitimate taxpayers.

Across illicit forums, Telegram channels, and marketplaces, discussions point to a structured ecosystem built around identity data, social engineering, verification bypass, and increasingly sophisticated cash-out methods.

For intelligence teams, these conversations provide insight into how fraud operations are scaling and where defenses are being tested and adapted.

The Structure of Modern Tax Refund Fraud Schemes

At a high level, most tax refund fraud schemes follow a consistent model: obtain identity data, file a fraudulent return, bypass verification, and extract funds.

Flashpoint analysis shows that threat actors focus on several key stages:

  • Sourcing victims or identity “fullz” (complete PII packages)
  • Obtaining or bypassing identity and return verification
  • Leveraging social engineering to support fraud workflows
  • Using tutorials and shared methods to maximize refund amounts
  • Converting refunds into cash or cryptocurrency

These stages are not isolated. They are supported by overlapping communities that specialize in identity theft, financial fraud, and account access.

Identity Data as the Foundation of Fraud

The success of tax refund fraud depends heavily on access to high-quality identity data.

Threat actors typically rely on “fullz,” which include a victim’s name, date of birth, address, and Social Security number. In some cases, fraudsters also recruit “clients” or “tax heads” — individuals who knowingly or unknowingly provide accurate tax documents and assist in bypassing verification steps.

This distinction is important. While fullz can be purchased or harvested at scale, clients often provide more reliable and current information, increasing the likelihood that a fraudulent return will be accepted.

A threat actor shares a screenshot of a text exchange with a client in which they obtain access to their TurboTax account and tax forms accessible through the account. (Source: Telegram, Flashpoint Collections).

Threat actors also seek additional data points to legitimize filings, including:

  • Identity Protection (IP) PINs
  • Adjusted Gross Income (AGI) from previous tax years
  • Access to tax preparation accounts or IRS records

These elements are frequently obtained through compromised accounts, social engineering, or access to verified identity platforms.

Verification Bypass as a Critical Enabler

Filing a fraudulent return is only part of the process. Successfully passing identity and return verification is often the deciding factor.

Threat actors place significant emphasis on accessing or creating verified accounts tied to identity systems used by government agencies. These accounts allow fraudsters to:

  • Retrieve tax transcripts and historical data
  • Respond to IRS verification requests
  • Validate identity during filing and follow-up processes

In many cases, fraudsters rely on social engineering to obtain this access. Common approaches include:

  • Creating fake job postings or tax preparation services to collect documents
  • Running romance or employment scams to gather personal information
  • Coercing victims into creating or sharing verified accounts

Threat actors also prepare for additional verification steps, such as responding to IRS letters or completing phone and in-person identity checks. These workflows often involve scripts, impersonation tactics, and coordination with cooperating “clients.”

Fraud Tactics Are Increasingly Systematic

Beyond basic filing, threat actors share detailed tutorials and playbooks designed to maximize refunds and improve success rates.

These often include:

  • Using real or falsified income data to inflate returns
  • Targeting specific tax credits, such as the Child Tax Credit (CTC), Earned Income Tax Credit (EITC), or Employer Retention Credit (ERC)
  • Claiming dependents or benefits that increase refund amounts
  • Adapting methods based on state-specific programs or eligibility requirements

A notable development is the use of fraudulent income submission schemes, where threat actors pre-populate tax records with inflated income and withholding data before filing a return.

This process typically involves:

  1. Submitting false wage data to the IRS or Social Security Administration using employer identifiers
  2. Waiting for the data to appear on official tax transcripts
  3. Filing a return that matches the fabricated figures

By aligning submitted data with filed returns, fraudsters increase the likelihood that filings will appear legitimate during verification.

Social Engineering Extends Beyond Victims

Social engineering plays a central role throughout the fraud lifecycle—and not just at the initial data collection stage.

Threat actors also target:

  • IRS representatives, attempting to verify fraudulent returns over the phone
  • Clients, persuading them to attend verification appointments or share official correspondence
  • Government offices, including outreach to congressional staff to resolve refund holds

In some cases, fraudsters use AI-generated communications to scale these efforts, including drafting messages designed to appear legitimate and urgent.

These tactics highlight how fraud operations extend into real-world processes and human interactions, not just digital systems.

Cash-Out Methods Continue to Evolve

Once a fraudulent refund is secured, the focus shifts to converting funds into usable, untraceable assets.

Common cash-out methods include:

  • Direct deposits into accounts controlled by the fraudster
  • Accounts opened by “clients” on behalf of the operation
  • Digital banking platforms and payment apps
  • Prepaid cards and alternative financial instruments

Increasingly, threat actors are moving funds into cryptocurrency to reduce traceability. This often involves:

  • Using verified exchange accounts to pass KYC requirements
  • Converting refunds into Bitcoin or other assets
  • Transferring funds to wallets controlled by the fraudster

In some workflows, the entire process — from filing to conversion — can occur within a single mobile or digital ecosystem.

Fraud Communities Enable Scale and Adaptation

Tax refund fraud does not operate in isolation. It is embedded within broader fraud ecosystems where identity data, tools, and tutorials are continuously shared.

Telegram remains a central hub for this activity, with large channels distributing:

  • Screenshots of successful refunds
  • Tutorials and “sauce” (paid or free methods)
  • Listings for identity data and services

Dark web forums also host discussions, though typically with lower volume and higher signal.

The structure of these communities allows fraud techniques to spread quickly, adapt to changing controls, and persist across multiple platforms.

What This Means for Threat Intelligence Teams

Tax refund fraud reflects a broader shift toward operationally mature, community-driven fraud ecosystems.

Flashpoint analysts assess that these schemes are becoming more structured, with clearly defined workflows for identity acquisition, verification bypass, and monetization.

For security and intelligence teams, this has several implications:

  • Identity data remains a critical point of exposure across multiple fraud types
  • Verification systems are actively targeted and tested by threat actors
  • Social engineering continues to bridge technical and human vulnerabilities
  • Fraud techniques are rapidly shared, refined, and scaled across communities

Understanding how these components connect is essential for identifying emerging fraud patterns and anticipating how threat actors will adapt.

Supporting Security Teams with Threat Intelligence During Tax Season and Beyond

Understanding how tax fraud schemes are executed from identity sourcing to verification bypass and cash-out provides critical context for detecting and disrupting fraudulent activity.

Flashpoint delivers leading intelligence that helps organizations monitor fraud communities, track evolving tactics, and identify emerging schemes before they scale. By combining primary source collection with contextual analysis, security teams can move from reactive detection to proactive defense.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Frequently Asked Questions About Tax Refund Fraud

What is tax refund fraud?

Tax refund fraud is a form of identity-based financial crime in which threat actors file fraudulent tax returns using stolen or manipulated personal information to obtain refund payments before the legitimate taxpayer files.

How do threat actors obtain the information needed to commit tax fraud?

Threat actors typically rely on stolen identity data, often referred to as “fullz,” which includes a victim’s name, date of birth, address, and Social Security number. This information is sourced from infostealer malware logs, phishing campaigns, data breaches, social engineering, and illicit marketplaces.

In some cases, fraudsters also recruit “clients” who provide real tax documents or assist in verification processes.

How do fraudsters bypass identity verification for tax returns?

Fraudsters use a combination of tactics to bypass identity and return verification, including:

  • Accessing or creating verified identity accounts used for tax authentication
  • Obtaining prior-year tax data such as adjusted gross income (AGI)
  • Using stolen or socially engineered identity protection (IP) PINs
  • Responding to IRS verification requests using scripts, impersonation, or cooperating individuals

These methods allow fraudulent returns to appear legitimate during processing.

What are common tax fraud tactics used by threat actors?

Common tactics include:

  • Filing returns using stolen personal information
  • Inflating income or tax withholding amounts to increase refunds
  • Claiming fraudulent dependents or tax credits
  • Submitting false wage data to government systems before filing
  • Using real tax forms combined with manipulated data

These approaches are often shared and refined within fraud communities.

What is a “fullz” in tax fraud?

A “fullz” refers to a complete set of personally identifiable information (PII) about an individual, typically including name, date of birth, address, and Social Security number. Fullz are used by fraudsters to file tax returns, open accounts, and conduct other identity-based financial crimes.

How do fraudsters cash out fraudulent tax refunds?

After a fraudulent return is accepted, threat actors typically attempt to convert the refund into usable funds through:

  • Direct deposits into controlled or intermediary accounts
  • Accounts opened by recruited participants
  • Digital banking platforms or prepaid cards
  • Cryptocurrency conversion using verified exchange accounts

The goal is to move funds quickly and reduce traceability.

Why is tax refund fraud difficult to detect?

Tax refund fraud can be difficult to detect because it leverages legitimate systems and processes, including real identity data, authentic tax preparation services, and verified accounts. Fraudsters also adapt quickly by sharing new techniques and bypass methods across online communities.

How do fraud communities support tax refund fraud schemes?

Fraud communities, particularly on platforms like Telegram and dark web forums, enable threat actors to share tutorials, tools, and identity data. These communities accelerate the spread of techniques, allowing fraud schemes to scale and evolve rapidly.

What should security and fraud teams monitor to detect tax fraud activity?

Teams should monitor for:

  • Unusual access to identity data or tax-related accounts
  • Indicators of compromised credentials or identity verification systems
  • Discussions of tax fraud methods, tutorials, or cash-out techniques in illicit communities
  • Patterns in fraudulent filings or refund activity

Incorporating intelligence from fraud communities can provide early visibility into emerging tactics.

How does Flashpoint help organizations detect and prevent tax refund fraud?

Flashpoint helps organizations detect and respond to tax fraud by providing intelligence on how threat actors source identity data, bypass verification systems, and cash out fraudulent returns.

Through primary source collection across platforms like Telegram and dark web forums, Flashpoint enables teams to monitor fraud communities, identify emerging tactics, and understand how schemes are evolving. This intelligence helps organizations move from reactive detection to more proactive identification of fraud risk.

Begin your free trial today.

The post Tax Refund Fraud in 2026: How Threat Actors Exploit Identity, Verification, and Cash-Out Channels appeared first on Flashpoint.

  •  

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

Blogs

Blog

The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online

In this post, we examine how threat actors use emojis across illicit communities, how these symbols function as a form of coded language, and why understanding this form of communication is increasingly critical for threat intelligence teams.

SHARE THIS:
Default Author Image
April 6, 2026

As threat actor activity continues to shift toward informal, fast-moving communication platforms such as Telegram and Discord, the way adversaries communicate is evolving. Emojis, often dismissed as casual or nontechnical, have become a meaningful part of that evolution.

Across illicit forums, messaging apps, and closed communities, emojis are used not just for expression, but for signaling intent, categorizing activity, and, in some cases, obscuring meaning from outsiders. For analysts, this introduces an additional layer of context that can influence how communications are interpreted, prioritized, and actioned.

Emojis as a Functional Layer of Communication

Within threat actor communities, emoji usage is often structured and repeatable.

Rather than replacing language entirely, emojis act as a functional overlay — reinforcing key concepts, highlighting important information, and accelerating communication in high-volume environments.

This is especially common in:

  • Telegram fraud channels
  • Phishing and carding communities
  • Service marketplaces and access broker groups

In these environments, speed and clarity matter. Emojis allow actors to quickly scan messages, identify relevant content, and engage without parsing long text-based posts.

Common Emoji Categories and What They Signal

Flashpoint analysis of illicit communities shows that emoji usage tends to cluster around a set of recurring categories. While meanings can vary slightly by group, several patterns appear consistently.

Financial Activity and Monetization

Emojis related to money are among the most frequently used.

Common examples include:

  • 💰 / 💸 — Profit, successful fraud, or payouts
  • 💳 — Credit cards, carding activity, or stolen payment data
  • 🏦 — Banks or financial institutions
  • 🪙 — Cryptocurrency-related activity

These symbols often appear in sales posts, fraud logs, or success claims, helping actors quickly identify opportunities tied to financial gain.

Access, Credentials, and Compromise

Another cluster of emoji usage centers on access and account compromise, where symbols are used to signal the availability of credentials, successful intrusions, or control over compromised systems.

Examples include:

  • 🔑 — Credentials or account access
  • 🔓 — Successful breach or unlocked account
  • 📥 / 📤 — Data exfiltration or transfer
  • 🗂 — Databases or collections of stolen data

In many cases, these emojis are used in combination with minimal text, allowing actors to advertise access or share results without detailed descriptions.

Tools, Automation, and Services

Emojis are also used to signal tooling and service offerings.

Examples include:

  • 🤖 — Bots, automation tools, or malware
  • ⚙ — Configuration, setup, or infrastructure
  • 🧰 — Toolkits or bundled services
  • 📡 — Infrastructure, communication channels, or delivery mechanisms

These are commonly seen in phishing-as-a-service, SMS gateway services, and malware distribution communities.

Targets and Geography

Threat actors frequently use emojis to represent targets or regions.

Examples include:

  • 🏢 — Corporate or enterprise targets
  • 🎯 — Targeting or “hits”
  • 📍 — Specific targets, drop locations, or points of interest
  • 🌐 — Global campaigns
  • Country flags — Specific geographic targeting

This allows actors to signal targeting scope quickly, particularly in multilingual or international groups.

Urgency, Success, and Status

Some emojis are used to communicate momentum or importance.

Examples include:

  • 🔥 — High-value or trending activity
  • ✅ — Verified success or working method
  • 🚨 — Urgent update or active campaign
  • 📈 — Growth or increased results

These signals are particularly important in fast-moving channels where actors compete for attention.

Emojis as a Tool for Obfuscation

Beyond signaling, emojis are also used to evade detection.

Threat actors may substitute emojis for keywords associated with:

  • Fraud techniques
  • Financial activity
  • Specific platforms or services

For example, replacing “credit card” with 💳 or “bank” with 🏦 can help bypass basic keyword filters or reduce visibility in automated moderation systems.

When combined with slang, abbreviations, and multilingual phrasing, this creates a layered form of obfuscation that complicates large-scale monitoring efforts.

Building Identity and Reputation Through Emoji Patterns

Emoji usage is not just functional. It can also be behavioral.

Over time, actors often develop recognizable patterns in how they use emojis:

  • Consistent combinations in sales posts
  • Repeated formatting styles
  • Unique ways of structuring messages

These patterns can serve as lightweight identifiers, helping analysts:

  • Track the same actor across different channels
  • Identify reposted or syndicated content
  • Link activity between platforms

In ecosystems where aliases frequently change, these subtle patterns can provide additional attribution signals.

Cross-Language Communication in Global Threat Ecosystems

Illicit communities are inherently global, spanning multiple languages and regions.

Emojis provide a shared visual layer that allows actors to communicate core concepts without relying entirely on text. This is particularly valuable in:

  • Large Telegram channels with international membership
  • Cross-border fraud operations
  • Decentralized marketplaces

For example, a combination of 💳 + 💰 + 🌍 can communicate “global carding opportunity” without requiring a shared language.

This ability to compress meaning into visual shorthand helps scale operations and coordination across diverse actor networks.

Context Still Determines Meaning

Despite these patterns, emoji usage is not universal or fixed.

The same emoji can carry different meanings depending on:

  • The platform (Telegram vs. Discord vs. forums)
  • The specific community
  • The surrounding text and context

For example, 🔥 may indicate “high value” in one group, but simply “active discussion” in another.

For analysts, this reinforces the need to treat emojis as contextual signals, not standalone indicators. Accurate interpretation depends on understanding the broader communication environment.

What This Means for Threat Intelligence Teams

Emoji usage reflects a broader shift in how threat actors communicate toward faster, more visual, and more adaptive forms of interaction.

Flashpoint assesses that incorporating emoji analysis into intelligence workflows can enhance:

  • Detection of emerging campaigns
  • Identification of high-value activity
  • Attribution and actor tracking
  • Interpretation of intent and sentiment

While emojis alone are not decisive indicators, they provide an additional layer of signal that can strengthen overall analysis.

Supporting Security Teams with Threat Intelligence

Understanding how threat actors communicate down to the symbols they use provides critical context for identifying and interpreting emerging threats.

Flashpoint delivers intelligence that helps organizations monitor illicit communities, track evolving communication patterns, and translate raw data into actionable insights. Within the Flashpoint platform, analysts can search across environments like Flashpoint Ignite and Echosec using emojis alongside keywords—enabling more precise discovery of relevant conversations, signals, and emerging activity that might otherwise be missed.

This approach allows teams to capture nuance in how threat actors communicate, improving detection, attribution, and overall situational awareness.

To learn how Flashpoint can support your team with real-time intelligence and analysis, request a demo.

Begin your free trial today.

The post The Language of Emojis in Threat Intelligence: How Adversaries Signal, Obfuscate, and Coordinate Online appeared first on Flashpoint.

  •  

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Blogs

Blog

Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders

Key insights from Forrester’s External Threat Intelligence Service Providers Landscape, Q1 2026 and what they mean for security teams.

SHARE THIS:
Default Author Image
March 30, 2026

Forrester recently published The External Threat Intelligence Service Providers Landscape, Q1 2026, an overview of 34 vendors in the external threat intelligence market — defining market maturity and outlining key dynamics and use cases.

For security and risk leaders, the report offers a clear picture of how the market is evolving and where organizations should focus as they evaluate and operationalize threat intelligence.

The Market Has Moved Beyond Undifferentiated Data Collection

One of the clearest takeaways from the report is how significantly the market has matured.

Threat intelligence is no longer simply about collecting indicators or monitoring feeds. The expectation is now:

  • Contextualized analysis
  • Relevance to specific business risks
  • Direct applicability to detection, response, and decision-making

In our experience, turning data into action is among the most pressing challenges for security leaders. At RSA Conference 2026, Flashpoint introduced new capabilities designed to address this gap by connecting adversary activity directly to business priorities, assets, and investigations.

Intelligence Is Only Valuable When It’s Operationalized

The report also calls out a central challenge: gaps in operationalizing intelligence and aligning it to business context.

Forrester notes, “Gaps in operationalizing intelligence and aligning it to business context are the primary challenge in this market. As the industry shifts from static IOCs to TTPs, scaling operational use becomes difficult when intelligence is not tightly integrated into existing detection, response, and investigation workflows.”

This reflects what we consistently see across teams:

  • Intelligence exists, but sits outside workflows
  • Insights don’t map cleanly to assets, users, or priorities
  • Teams spend time interpreting instead of acting

This alignment of collection and operationalization is defining the next phase of the market.

AI Is Accelerating, But Not Replacing, Intelligence Workflows

Another key theme is the role of AI.

The Forrester report points out, “The main trend in this market is agentic AI being embedded into threat intelligence workflows to improve effectiveness and efficiency… While AI is reshaping the threat intelligence industry, human expertise remains essential to interpret intelligence, apply it to an organization’s unique risk profile, and design, validate, govern, and maintain even highly automated systems over time.”

This balance is critical.

AI is improving how teams operate day to day. Our customers largely credit AI for optimizing:

  • Correlation across disparate signals
  • Speed of triage and enrichment
  • Detection engineering and threat hunting

At the same time, customers do not believe that it can replace:

  • Contextual understanding of adversaries
  • Business-specific risk interpretation
  • Decision-making under uncertainty

Security teams that treat AI as a force multiplier tend to see the most impact. We explore this further in our recent work on AI and threat intelligence.

Where Flashpoint Fits Into The Threat Intelligence Landscape

In The External Threat Intelligence Service Providers Landscape, Q1 2026, Flashpoint self-reported the extended use cases of fraud, financial abuse, counterfeiting, and piracy, threats targeting physical assets, and vulnerability and exposure prioritization as the top three use cases for which clients select them.

From our perspective, the direction outlined in the report closely aligns with how we see the market evolving. Flashpoint is designed to operationalize the capabilities described in the report by linking adversary activity to business context, assets, and decision-making workflows.

From our experience as the largest private provider of threat intelligence, effective threat intelligence today requires:

  • Primary source collection at scale: Direct access to adversary communications, illicit marketplaces, and closed communities — not just aggregated feeds
  • Contextualized, finished intelligence: Analysis that connects activity to real-world impact across assets, people, and operations
  • Operational integration: Intelligence that maps directly into workflows and investigations
  • Cross-domain visibility: Coverage that spans cyber, physical, and geopolitical risk — not treating them as separate problems

What Security Leaders Should Take Away

Based on our experience working with security teams, we see a few consistent priorities for those evaluating threat intelligence providers:

  1. Prioritize outcomes over inputs: The volume of data matters less than its relevance and usability
  2. Look for operational alignment: Intelligence should integrate into detection, response, and investigation workflows
  3. Evaluate context, not just coverage: Breadth of collection matters — but depth of analysis is what drives decisions
  4. Plan for convergence: Cyber, physical, and brand risks are increasingly interconnected
  5. Treat AI as an accelerator, not a replacement: Automation improves scale, but expertise drives impact

Final Thoughts

We believe Forrester’s overview reflects a market that is maturing quickly, but highlights the continued need for security teams to focus on turning intelligence into action.

For organizations evaluating providers, the question is not solely “Who has the most data?”

Organizations must also consider “Where does that data come from, and who can help us make better decisions, faster and with confidence?”

To see how Flashpoint supports this in practice, schedule a demo.

Required Disclaimer

Forrester does not endorse any company, product, brand, or service included in its research publications and does not advise any person to select the products or services of any company or brand based on the ratings included in such publications. Information is based on the best available resources. Opinions reflect judgment at the time and are subject to change. For more information, read about Forrester’s objectivity here.

Begin your free trial today.

The post Forrester Threat Intelligence Landscape: Key Takeaways for Security Leaders appeared first on Flashpoint.

  •  

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

Blogs

Blog

Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026

At RSA Conference 2026, Flashpoint introduces new capabilities that enable security teams to move from visibility to defensible action by connecting adversary activity to business priorities, assets, and investigations.

SHARE THIS:
Default Author Image
March 23, 2026

Most organizations are not lacking visibility, but they are drowning in large volumes of information that are difficult to prioritize and even harder to tie back to clear action. In practice, this creates a familiar problem.

They can see what vulnerabilities exist.
They can track threat activity.
They can monitor alerts across their environment.

But the questions they struggle to answer are more important:

Which of these exposures actually matter?
What do we fix first — and why?
How does this activity translate to risk for the business?

As a result, teams fall back on patching cycles, compliance requirements, or best-effort prioritization and are left making decisions based on incomplete context.

This gap between data and decision-making has become one of the most persistent challenges in modern security operations.

At RSA Conference 2026, Flashpoint is sharing how we are addressing this gap directly — connecting adversary activity to assets, investigations, and defined business priorities so teams can make more consistent, defensible decisions.

“The industry has reached a tipping point where security teams are drowning in data that fails to align with their most important business requirements and decisions. Visibility alone is no longer a victory; it’s a baseline. By connecting underground adversary activity to an organization’s specific attack surface and strategic requirements, Flashpoint is raising the bar beyond passive observation. We are enabling defenders to stop asking ‘what do we own’ and start answering ‘what do we fix first, and why,’ turning raw data into an engine for risk reduction at speed.”

Josh Lefkowitz

What Flashpoint is Showcasing at RSA Conference 2026

Flashpoint is introducing a set of capabilities designed to connect threat intelligence directly to business risk, assets, and investigations:

  • Threat-informed External Attack Surface Management (EASM)
  • Business-Aligned Priority Intelligence Requirements (PIRs)
  • Managed Attribution browser for anonymous investigations

Together, these capabilities enable organizations to move beyond passive monitoring and toward intelligence-driven action.

What Is Threat-Informed External Attack Surface Management (EASM)

Most organizations maintain an inventory of their external assets, but prioritizing them is a persistent challenge. Traditional EASM tools identify what you own but often fail to answer the critical “so what?”. Without contextual risk, prioritization is often driven by static severity scores, patch cycles, or compliance requirements rather than real-world attacker behavior. As a result, teams are left managing stale data through manual CSV uploads and struggling to determine which exposures actually matter.

Flashpoint’s EASM module transforms this stream of exposure data into a prioritized action plan. It continuously discovers a customer’s external attack surface, including domains, subdomains, and IP addresses, and automatically maps this live inventory directly to Flashpoint’s industry-leading vulnerability intelligence.

This allows security teams to:

  • Maintain a Dynamic Inventory: Eliminate manual uploads and stale CMDB exports with an always-current map of internet-facing assets.
  • Contextualize Risk Immediately: Go beyond simple asset discovery by mapping the specific software running on each asset to known vulnerabilities, including pre-NVD findings.
  • Prioritize with Precision: Connect the asset to the actual risk, showing teams not just their external exposure, but where they are truly vulnerable and what needs to be fixed first.

By layering deep vulnerability intelligence onto live asset discovery, Flashpoint enables defenders to move from reactive analysis to proactive, intelligence-driven risk reduction.

Why Priority Intelligence Requirements (PIRs) Are Foundational

Many intelligence teams operate without a formal structure that defines what their work is intended to support.

In day-to-day operations, this results in:

  • Reactive investigation of incoming alerts
  • Reporting driven by the availability of information rather than the need
  • Difficulty demonstrating how intelligence outputs influence decisions

Priority Intelligence Requirements (PIRs) are designed to address this, but in many organizations, they are not integrated into operational workflows.

In May, Flashpoint is introducing in-platform Intelligence Requirements to formalize this structure and embed it directly into the way teams work.

Alerts, investigations, and reporting can be tied to defined requirements, allowing teams to:

  • Focus on activities that directly align with defined business risk priorities
  • Maintain consistency in what is tracked and reported
  • Provide a clearer justification for the intelligence work being done

This creates a more structured intelligence program. Instead of producing outputs based on what is observed, teams can align their work to defined objectives and decision-making needs.

Enabling Safe, Scalable Investigations with Managed Attribution

Accessing adversary-controlled environments such as forums, marketplaces, and encrypted platforms is a core part of many intelligence workflows.

However, doing so safely requires careful setup. Analysts typically need to:

  • Use isolated infrastructure
  • Manage attribution and identity exposure
  • Avoid introducing risk to internal systems

This creates operational overhead and can slow down or limit investigation.

The new anonymous browser capability within Flashpoint Managed Attribution is designed to address this by providing a non-persistent, isolated environment for research and immediate triage. This removes setup friction and allows analysts to move immediately from detection, to investigation, to deeper analysis in the same environment.

Analysts can:

  • Access underground communities
  • Open suspicious links or files
  • Engage with threat actors

Without exposing their identity or internal infrastructure.

By removing the need for manual setup, this allows analysts to move directly into investigation while maintaining operational security. 

See it at RSA Conference 2026

Security teams are being asked to do more than identify threats. They are expected to prioritize, act decisively, and justify those decisions.

That becomes difficult when the inputs — vulnerabilities, alerts, threat reporting — are not clearly connected to each other or to the business.

​​Intelligence needs to be tied to assets, aligned to defined priorities, and usable in day-to-day workflows. That’s the focus of Flashpoint’s updates this year.

At RSA Conference 2026, we’ll be walking through how this works in practice—how teams are connecting adversary activity to what they own, what matters, and what they do next. Flashpoint will be sharing more on these new innovations, including threat-informed EASM, in-platform Intelligence Requirements, and the Managed Attribution browser.If you’re attending, stop by Booth S-3341 to see how teams are moving from visibility to action. For a personalized demo, schedule a meeting with us.

Frequently Asked Questions

What is Flashpoint showcasing at RSA 2026? 

Flashpoint is showcasing how its primary-source threat data connects directly to business assets and priorities. At the booth, attendees can get a sneak peek of the upcoming in-platform Priority Intelligence Requirements (PIRs), which formalize how security teams tie investigations to business risk. Flashpoint will also be discussing the upcoming general availability of threat-informed EASM for asset discovery and risk prioritization, alongside the Flashpoint Managed Attribution browser, designed for secure underground research.

What is Flashpoint Threat-Informed EASM? 

Flashpoint External Attack Surface Management (EASM) goes beyond simple asset discovery by automatically mapping your external footprint to our industry-leading vulnerability intelligence. This allows teams to prioritize remediation by identifying which software versions are actually running on key assets, flagging critical risks often missed by public databases.

How do Flashpoint Priority Intelligence Requirements (PIRs) help security teams? 

Flashpoint PIRs provide a formal in-platform structure that ties security alerts and investigations to specific business risks. This helps teams move away from reactive “activity-based” work and toward “decision-based” intelligence that is defensible to executive stakeholders.

What are the benefits of the Flashpoint Managed Attribution browser? 

The Flashpoint Managed Attribution browser allows threat analysts to safely research the web using a disposable, anonymous environment. This prevents the analyst’s identity from being exposed and protects the corporate network from malware while conducting underground research.

How does Flashpoint’s new offering support a Continuous Threat Exposure Management (CTEM) framework?

Flashpoint facilitates the CTEM lifecycle by providing the primary source data necessary to move beyond traditional point-in-time scanning. EASM enables organizations to start focusing on the specific vulnerable software and high-risk exposures that threat actors are actively targeting.

Begin your free trial today.

The post Connecting Threat Intelligence to Decision-Making: How Flashpoint Is Operationalizing Intelligence in 2026 appeared first on Flashpoint.

  •  

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

Blogs

Blog

Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict

In this post, we examine how Iran-aligned militias and foreign terrorist organizations (FTOs) responded to the current US–Israel–Iran conflict, what their statements suggest about operational intent, and why this points to a wider risk environment for US and Israeli interests across the region.

SHARE THIS:
Default Author Image
March 19, 2026

The current phase of the US–Israel–Iran conflict is generating more than rhetorical support from militant actors aligned with Tehran. Public messaging from groups across Iraq, Lebanon, Yemen, and Gaza indicates a coordinated effort to frame the conflict as a regional, long-term confrontation rather than a contained exchange.

For threat intelligence teams, these statements matter not only because of what they say, but because of what they signal. Across multiple theaters, Iran-aligned groups are using similar language, emphasizing shared objectives, and in some cases pointing to an expanded target set that reaches beyond their traditional operating areas. Taken together, this messaging suggests continued alignment across militant networks and a heightened likelihood of retaliatory or opportunistic activity targeting US and Israeli interests.

Leadership Losses Are Being Used to Reinforce Mobilization

Several militant statements referenced the reported deaths of senior Iranian officials in strikes in Tehran, including Supreme Leader Ali Khamenei, Defense Minister Aziz Nasirzadeh, and IRGC Commander Mohammad Bagheri. These losses were framed not simply as blows against Iran, but as attacks on the broader resistance movement.

That framing is important. By portraying the strikes as an assault on a shared regional project rather than a national leadership event confined to Iran, these groups are reinforcing the rationale for broader mobilization. Statements from actors such as Akram al-Kaabi of Harakat al-Nujaba and Abdul-Malik al-Houthi of Ansarallah reflect that posture, emphasizing retaliation, readiness, and continued support for Iran.

This kind of messaging is consistent with efforts to maintain cohesion across the so-called resistance network during periods of escalation. It also helps set the informational conditions for follow-on activity by justifying future attacks as part of a collective response.

Messaging Points to a Longer Conflict Horizon

Some of the clearest signals in the reporting come from groups that described the conflict as a prolonged struggle rather than a short-lived escalation.

Kata’ib Hizballah called on fighters to prepare for a “long-term war of attrition,” while Kata’ib Sayyid al-Shuhada similarly urged readiness for a “long battle.” These statements go beyond symbolic solidarity. They suggest that at least some actors within Iran’s aligned militant ecosystem are preparing their audiences and personnel for sustained operations over time.

That distinction matters for defenders. A messaging environment centered on endurance, attrition, and regional confrontation raises the likelihood that groups will seek to maintain operational tempo across multiple fronts rather than respond with a single retaliatory action.

Militant Activity May Extend Beyond Traditional Operating Areas

Another notable feature of the reporting is the implied expansion of targeting scope.

Claims and statements referenced possible or actual activity in locations including Jordan, the Red Sea, and Israeli military sites near Haifa. This suggests that militant responses linked to the conflict may not remain confined to the actors’ most established operating environments in Iraq and Syria.

The claim by Rijal al-Bas al-Shadid of a drone strike on Muwaffaq Salti Air Base in Jordan is one example. Hezbollah’s claim of a strike south of Haifa is another. Together, these claims reinforce the broader picture presented in the messaging: a conflict environment in which Iran-aligned groups are attempting to demonstrate reach across multiple geographies and domains.

Even where operational claims remain difficult to verify independently, the messaging itself is still analytically significant. It helps illustrate how these groups want the conflict to be understood — as regional, coordinated, and capable of generating pressure well beyond a single front.

Responses Across the Network Reflect Coordinated Alignment

The organizational responses themselves show a high degree of consistency in tone and framing.

Hezbollah, Hamas, and the Houthis

Hezbollah claimed a strike on the Mishmar HaCarmel missile defense site south of Haifa using missiles and drone swarms, presenting the operation as a legitimate response within the broader confrontation. Although Hezbollah is actively engaged in countering the Israeli ground offensive into Southern Lebanon, the group could still pose a regional threat. Al-Qassam Brigades issued a eulogy for Iranian leadership figures and indicated that their deaths would intensify resistance rather than weaken it. Ansarallah declared full readiness for further military developments and signaled preparedness to target US bases and Israeli interests across the region.

Iraqi Militias and FTOs

Harakat al-Nujaba condemned the strikes and called for military retribution. Kata’ib Hizballah emphasized long-term attritional conflict. Saraya Awliya al-Dam declared maximum readiness and stated that it was prepared to target US military sites inside and outside Iraq. Kata’ib Sayyid al-Shuhada warned that US presence in the Middle East would lose any safe foothold as the conflict develops.

Specialized and Emerging Actors

Rijal al-Bas al-Shadid claimed a retaliatory drone attack in Jordan. Shabab al-Wa’ad al-Sadiq Forces announced its formation as a new entity aligned with Iran and the resistance axis. Ajnad Beit al-Maqdis used its first official statements to announce allegiance to al-Qaeda, tying that move to the current conflict and broader anti-US and anti-Israel narratives.

Taken together, these responses highlight not just ideological alignment, but messaging discipline. Similar themes appear across multiple organizations: retaliation for leadership losses, preparation for sustained conflict, and a shared portrayal of the United States and Israel as part of a unified adversarial front.

What This Means for Threat Intelligence Teams

From an intelligence perspective, the most important takeaway is not any single statement or claim. It is the degree of coordination visible across the messaging environment.

Flashpoint analysts assess that the current US–Israel–Iran conflict is generating aligned signaling among multiple militant organizations across the Middle East. This messaging indicates continued support for potential operations targeting US and Israeli interests and will likely contribute to increased militant activity across Iraq, Lebanon, Gaza, Yemen, and surrounding areas.

For security and intelligence teams, that means monitoring should extend beyond traditional flashpoints and beyond one-for-one retaliation models. The current environment suggests a broader risk picture shaped by networked militant cooperation, narrative synchronization, and the possibility of operations emerging across several theaters at once.

Supporting Security Teams with Threat Intelligence

Understanding how Iran-aligned militant networks communicate, coordinate, and signal intent is critical for anticipating how conflict dynamics may translate into real-world activity.

Flashpoint provides primary source intelligence that helps security teams track emerging threats, identify shifts in adversary behavior, and contextualize risk across regions and domains. From monitoring militant group messaging to analyzing operational indicators, our intelligence enables organizations to move from reactive response to informed, proactive defense.To learn how Flashpoint can support your team with real-time intelligence and analysis, schedule a demo.

Begin your free trial today.

The post Iran-Aligned Militias Signal Expanded Regional Risk Amid US–Israel–Iran Conflict appeared first on Flashpoint.

  •  

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

Blogs

Blog

Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks

In this post, we examine the disruptive cyber activity targeting Stryker, potential links to the Handala persona, and what the incident signals about evolving threats to healthcare supply chains.

SHARE THIS:
Default Author Image
March 12, 2026

Over the past several years, destructive cyber operations have increasingly expanded beyond traditional critical infrastructure targets. State-linked actors have demonstrated a growing willingness to disrupt organizations that sit at key logistical and supply chain nodes, where a single intrusion can generate cascading operational impacts across entire sectors.

Healthcare supply chains are particularly exposed to this dynamic. Large medical technology providers, pharmaceutical distributors, and logistics partners often support hundreds or thousands of downstream healthcare providers, making them attractive targets for adversaries seeking to create disruption without directly attacking hospitals themselves.

On March 11th, medical technology company Stryker disclosed that a cyberattack had disrupted portions of its global network infrastructure, affecting Microsoft systems used across the organization. In public statements and regulatory filings, the company indicated that the incident impacted internal operations and that the full scope of the disruption and timeline for restoration remain under investigation. At the time of writing, the company stated it had not identified evidence of ransomware or conventional malware, suggesting the activity may involve alternative attack methods or infrastructure abuse.

Separately, reporting has noted that the Handala persona — a hacking group widely assessed to be linked to Iranian state actors — appeared on some company login pages during the incident, further raising questions about possible attribution.

Yesterday’s cyberattack against Stryker reflects several dynamics that Flashpoint analysts have been tracking across disruptive cyber operations. Flashpoint analysts are monitoring technical indicators and reporting associated with destructive activity targeting the organization and assessing potential links to threat actors previously associated with disruptive campaigns targeting Western organizations.

While the full scope of the incident remains unclear, the activity highlights several trends that threat intelligence teams are tracking closely.

Observed Activity Linked to the Handala Persona

Flashpoint analysts are monitoring indicators associated with the Handala threat persona in relation to the incident.

Handala has maintained an online presence that presents itself as a politically motivated hacktivist movement. However, based on targeting patterns, messaging, and operational behavior observed over the past year, Flashpoint assesses that the persona is likely linked to Iranian state actors rather than an independent hacktivist collective. In public Telegram posts and website manifestos monitored by Flashpoint analysts, Handala framed the Stryker attack as retaliation for recent kinetic strikes in the Middle East. By operating behind a persona styled as a grassroots, pro-Palestinian resistance movement, Iranian state-nexus actors are able to conduct destructive cyber operations against Western organizations while maintaining a degree of plausible deniability.

“From our perspective tracking Handala over the past year, the group has done an effective job presenting itself as a grassroots resistance movement. However, the tactics and targeting we observe are far more consistent with activity linked to Iranian state actors than with independent hacktivism. What makes the Stryker incident particularly concerning is the apparent use of enterprise management infrastructure — potentially weaponizing Microsoft Intune — to carry out destructive activity at scale.”

Kathryn Raines, Cyber Threat Intelligence Team Lead for Flashpoint National Security Solutions

Flashpoint analysts have previously documented how Iranian state-linked actors are increasingly integrating cyber operations into broader geopolitical and military campaigns. For additional context on this trend, see our recent analysis of how cyber activity is evolving alongside the current regional conflict.

Unlike financially motivated cybercriminal groups, Handala-associated activity has historically emphasized disruption, psychological impact, and geopolitical signaling. Operations attributed to the persona frequently align with periods of heightened geopolitical tension and often target organizations with symbolic or strategic value.

While attribution for the Stryker incident has not been definitively established, the activity is consistent with patterns previously associated with the persona.

Potential Abuse of Enterprise Management Infrastructure

Flashpoint analysts are reviewing indications that attackers may have leveraged enterprise device management infrastructure, including Microsoft Intune, to trigger wiping actions across managed devices. This method explains Stryker’s initial public statements indicating that “no evidence of malware or ransomware.” Because Intune is a trusted, native Microsoft administrative tool, an attacker weaponizing it to issue mass remote wipe commands would not trigger traditional endpoint detection and response (EDR) or antivirus alerts. To the victim’s security sensors, no malicious files are being dropped; therefore, the activity would appear to be a highly privileged IT administrator executing a standard, albeit catastrophic, compliance policy. This living off the land (LotL) approach represents a massive blind spot for traditional security architectures

If confirmed, this technique represents an evolution in destructive cyber operations.

Rather than relying exclusively on custom malware designed specifically for wiping systems, attackers may increasingly attempt to abuse legitimate administrative tools already embedded in enterprise environments. Compromise of a centralized management console could allow an adversary to execute commands across large numbers of endpoints simultaneously.

This approach can significantly expand the potential impact of a compromise while reducing the need for specialized destructive malware.

Targeting Supply Chain Nodes in Critical Sectors

As a major provider of equipment used in surgical suites and emergency rooms, Stryker occupies an important position within the healthcare ecosystem. Disruption affecting organizations in this category can create second-order operational impacts across healthcare providers that depend on their products and services.

“The attack on Stryker highlights a troubling shift we’re increasingly seeing in destructive cyber operations. Rather than targeting hospitals or frontline healthcare providers directly, adversaries may focus on critical suppliers and logistics providers where disruption can cascade across the entire healthcare ecosystem. A single intrusion at a key node in the supply chain has the potential to create widespread operational impact far beyond the initial target.”

Josh Lefkowitz, CEO, Flashpoint

Flashpoint analysts have increasingly observed state-linked cyber activity targeting logistical nodes and supply chain providers, rather than only frontline institutions such as hospitals. From an operational perspective, this strategy allows adversaries to generate broader disruption while potentially avoiding the immediate scrutiny associated with direct attacks on healthcare facilities.

Ongoing Monitoring

Flashpoint analysts continue to monitor developments related to this incident and are evaluating additional indicators as they emerge.

Several factors will shape the broader assessment of the activity in the coming days:

  • Confirmation of the mechanism used to carry out destructive actions
  • The scale of affected systems or devices
  • Additional evidence linking the activity to known threat actors or state-linked groups
  • Whether the activity represents a single incident or part of a broader campaign

Incidents involving destructive cyber activity targeting critical supply chain organizations underscore the increasing intersection between geopolitical tensions, cyber operations, and operational resilience.

Flashpoint will continue to track this activity and provide updates as more information becomes available.

Supporting Security Teams with Threat Intelligence

Understanding how adversaries operate — including the tradecraft used to weaponize enterprise infrastructure and target supply chain dependencies — is essential for defending critical organizations.

Flashpoint delivers actionable intelligence that helps security teams detect emerging threats, contextualize adversary activity, and respond faster to disruptive campaigns targeting critical sectors. Schedule a demo to learn more.

Begin your free trial today.

The post Destructive Activity Targeting Stryker Highlights Emerging Supply Chain Risks appeared first on Flashpoint.

  •  

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

Blogs

Blog

Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains

This post tracks the convergence of kinetic warfare, psychological operations, and cyber activity as the conflict expands across the Middle East and beyond.

SHARE THIS:

On February 28, the United States and Israel launched coordinated strikes across Iran under Operation Epic Fury (also referenced in reporting as Operation Lion’s Roar). The opening phase focused on decapitating senior Iranian leadership while degrading missile infrastructure, launch systems, and air defenses. In the hours that followed, Iran initiated large-scale retaliation — expanding the conflict beyond Iranian territory and into a region-wide exchange that touched multiple Gulf states and allied military assets.

Since those initial strikes, the conflict has rapidly widened and accelerated. What began as a concentrated campaign against leadership and missile capabilities has developed into a sustained regional war with an expanding set of targets, including economic and logistical infrastructure. Simultaneously, cyber operations and psychological messaging have been used alongside kinetic action, creating a hybrid operating environment in which disruption is shaped as much by information control and infrastructure compromise as it is by missiles and airstrikes.

Flashpoint analysts are tracking the conflict across physical, cyber, and geopolitical domains. The timeline and sections below summarize key developments and risk indicators observed from February 28 through May 4.

Latest Update: Escalation Across Maritime, Cyber, and Economic Domains (Last 24–48 Hours)

The conflict has entered a phase of direct maritime and economic confrontation, with both kinetic and cyber activity intensifying in parallel.

Following the collapse of diplomatic efforts, the United States has formally initiated a naval blockade of Iranian ports, while Iran has responded by deploying midget submarines and reportedly mining key transit routes in the Strait of Hormuz. These developments signal a shift from pressure on infrastructure to direct control over regional shipping and energy flows.

At the same time, cyber operations have escalated beyond disruption into claims of large-scale destructive activity targeting industrial and government systems across the Gulf. While some of these claims remain unverified, the volume and nature of activity indicate a sustained effort to degrade both public-sector and commercial infrastructure.

Timeline of Key Developments

May 4
~06:00 UTC
CENTCOM announces the commencement of “Project Freedom” to secure maritime transit through the Strait of Hormuz.
~08:30 UTC
The IRGC Navy declares a new operational control sector in the Strait, warning that vessels failing to coordinate transit will be “stopped with force”.
10:15 UTC
Iran launches a barrage of four cruise missiles toward the UAE; three are intercepted by UAE air defenses while one falls into the sea.
11:00 UTC
A drone strike targets an ADNOC oil tanker in the Gulf.
13:45 UTC
The South Korean Ministry of Foreign Affairs confirms a South Korean vessel was struck in its engine room while transiting the Strait.
15:30 UTC
Handala Hack announces “Operation Premature Death,” releasing the names and ranks of 400 US Navy officers.
17:00 UTC
IRGC releases footage purportedly showing strikes on US vessels; CENTCOM dismisses these claims as false.

What This Means

This phase of the conflict reflects a shift toward combined economic and operational pressure:

  • Maritime control is now central: The blockade and countermeasures in the Strait of Hormuz introduce sustained risk to global shipping, energy transport, and supply chains.
  • Cyber operations are aligning with physical objectives: Activity targeting industrial systems and government infrastructure suggests an intent to create downstream operational disruption, not just visibility or signaling.
  • Private-sector exposure continues to expand: Western-linked infrastructure—particularly in energy, logistics, and cloud environments—remains within scope of both kinetic and cyber targeting.

Immediate Outlook (Next 48–72 Hours)

Further escalation is highly likely.

Iranian retaliatory activity may target US or Israeli assets in the near term, while continued pressure on maritime routes is expected to sustain volatility in global energy markets. At the same time, divergence among Western partners may create additional operational uncertainty, particularly for organizations relying on regional stability for logistics, infrastructure, or personnel movement.

How the Conflict Evolved

Since the opening strikes on February 28, the conflict has progressed through a series of rapid shifts—each expanding both the scope of targeting and the systems under pressure. What began as a tightly scoped military operation has developed into a sustained, multi-domain conflict affecting regional infrastructure, global markets, and private-sector operations.

This evolution is best understood not as a linear escalation, but as a sequence of overlapping phases that introduced new targets, new tactics, and new forms of risk.

Phase 1: Decapitation and Immediate Regional Spillover

(February 28)

The conflict began with a coordinated US–Israeli campaign targeting senior Iranian leadership and missile infrastructure. The objective was clear: degrade Iran’s ability to project force through its ballistic and air defense systems.

That containment window was brief.

Within hours, Iran launched retaliatory strikes across the Gulf, targeting US and allied military installations in Kuwait, Qatar, and Bahrain. Civilian and commercial systems were immediately affected, including flight disruptions in Dubai and early instability in maritime routes near the Strait of Hormuz.

From the outset, the conflict was regional—not bilateral—and it unfolded across military, commercial, and civilian environments simultaneously.

Phase 2: Regional Expansion and Civilian Exposure

(March 1–3)

Within the first 72 hours, the battlespace widened significantly.

Air operations extended directly over Tehran, signaling degradation of Iranian defensive capabilities. At the same time, new fronts emerged, including Hezbollah activity along Israel’s northern border. Targeting patterns began to shift, with incidents affecting civilian-adjacent infrastructure such as hotels, diplomatic sites, and transit hubs.

This period also marked the early alignment of cyber and information activity with kinetic operations. While still limited in impact, these efforts reflected a broader strategy: shaping disruption beyond the battlefield.

Phase 3: Infrastructure and System-Level Targeting

(March 5–10)

By early March, the conflict moved beyond military objectives and into the systems that sustain state and economic activity.

Energy infrastructure, power grids, logistics hubs, and financial systems became consistent points of pressure. Strikes on refineries and industrial complexes—combined with increasing instability in the Strait of Hormuz—introduced immediate consequences for global energy markets and supply chains.

This phase marked a structural shift. The conflict was no longer defined by territorial or military outcomes alone. It began to affect availability, access, and continuity across critical systems.

Phase 4: Commercial and Private-Sector Targeting

(March 11–13)

The targeting set expanded again—this time explicitly incorporating the private sector.

Iranian-aligned channels began publicly identifying Western technology, cloud, and financial firms as operational targets. In parallel, cyber activity moved deeper into enterprise environments, with disruptions affecting global companies and financial institutions.

At the same time, physical operations reinforced this shift:

  • Commercial shipping was targeted near the Strait of Hormuz
  • Banking operations were disrupted or preemptively shut down
  • Industrial facilities and refineries were forced offline

At this stage, economic pressure was no longer a byproduct of conflict—it had become a deliberate objective.

Phase 5: Hybrid Operations and Distributed Pressure

(Mid–Late March)

As kinetic operations continued, the conflict took on a more distributed and persistent character.

Cyber operations evolved in both scale and intent, expanding from disruption into data destruction, extortion, and psychological operations. Activity linked to groups such as Handala and broader proxy ecosystems demonstrated increasing coordination and willingness to target both regional and international entities.

At the same time, physical targeting patterns shifted toward long-term degradation:

  • Industrial production sites were struck
  • Ports and logistics corridors faced sustained pressure
  • Aviation hubs and transit infrastructure became recurring targets

This phase blurred traditional boundaries. Military, cyber, economic, and information operations were no longer distinct lines of effort—they were operating in parallel against overlapping targets.

A Conflict Without a Single Center of Gravity

By the end of March, the conflict had stabilized into a sustained, multi-domain environment defined by persistence rather than decisive escalation.

Military exchanges continue across multiple fronts, but the broader impact is shaped by pressure on:

  • Energy production and transport
  • Maritime and aviation corridors
  • Financial systems and commercial operations
  • Digital infrastructure and enterprise environments

Rather than converging toward resolution, the conflict has distributed risk across systems that extend well beyond the immediate region.

Phase 6: Economic Warfare Formalized and Maritime Escalation

(Late March – Early April)

By late March and into early April, economic pressure became formalized as a central objective of the conflict.

Maritime activity in and around the Strait of Hormuz shifted from disruption to active enforcement. Threats to commercial shipping intensified, while both state and proxy actors signaled a willingness to restrict or halt transit entirely. At the same time, targeting patterns expanded further into energy infrastructure, including gas production and refining capacity across the Gulf.

These developments introduced a new level of systemic risk. With a significant portion of global seaborne crude tied to the region, even partial disruption began to influence global pricing, supply planning, and downstream operations far beyond the Middle East.

Phase 7: Ceasefire Fracture and Persistent Hybrid Operations

(Early–Mid April)

Attempts at de-escalation introduced a new layer of complexity rather than stability.

While diplomatic efforts produced temporary pauses in kinetic activity, underlying objectives remained unresolved. In some cases, these pauses created space for continued operations in other domains. Cyber activity, in particular, showed no meaningful reduction, with Iranian-aligned groups continuing campaigns targeting infrastructure, government systems, and private-sector entities.

At the same time, friction points, especially in Lebanon, remained active. The exclusion of key actors from ceasefire terms contributed to continued localized escalation, reinforcing the decentralized nature of the conflict.

This period demonstrated that pauses in military activity do not equate to reduced risk across the broader threat landscape.

Phase 8: Direct Economic Targeting and Globalization of Risk

(Mid April and Beyond)

Following the breakdown of ceasefire dynamics, the conflict moved into a phase defined by direct economic targeting and broader international involvement.

US and allied actions began to focus more explicitly on constraining Iran’s financial and energy systems, while Iranian responses expanded to include threats against Western-affiliated commercial entities, academic institutions, and infrastructure beyond the immediate region.

At the same time, indicators of internationalization became more pronounced:

  • External actors providing military and technical support across sides
  • Cyber operations extending into Western and allied networks
  • Increased risk to global supply chains, energy markets, and financial systems

By this stage, the conflict was no longer confined to regional dynamics. It had evolved into a sustained pressure campaign with global economic and operational implications.

The Escalating Cyber and Information Front

From the earliest hours of the conflict, cyber operations have moved in parallel with kinetic activity—sometimes reinforcing it, and at other times extending its reach beyond the physical battlespace.

What has changed over time is not just the volume of activity, but the role cyber operations play within the broader campaign.

Early Phase: Disruption and Narrative Control

In the opening days, cyber activity focused primarily on disruption and influence.

Coordinated campaigns linked to pro-IRGC and pro-Russian-aligned groups targeted government websites, defense contractors, and public-facing services with distributed denial-of-service (DDoS) attacks and defacements. At the same time, information operations began to take shape, including the manipulation of widely used platforms such as the BadeSaba prayer app, where push notifications were leveraged to deliver messaging at scale.

These efforts were designed to create confusion, shape perception, and amplify the impact of concurrent military operations rather than cause lasting operational damage.

Expansion: Coordinated Campaigns and Infrastructure Access

As the conflict expanded regionally, cyber operations became more coordinated and more ambitious in scope.

Campaigns operating under banners such as #OpIsrael brought together loosely affiliated actors targeting infrastructure across Israel, the Gulf, and allied states. Claims during this period included access to industrial control systems, water infrastructure, and surveillance networks. While not all claims were independently verified, the consistency of targeting pointed to a broader intent: probing critical systems while signaling capability.

At the same time, verified activity—particularly from groups such as MuddyWater—demonstrated continued intrusion into aerospace, defense, and financial networks, reinforcing that espionage objectives remained active alongside disruption efforts.

Escalation: Enterprise Targeting and Data Destruction

By mid-March, cyber activity shifted again—this time toward enterprise environments and private-sector targets.

Incidents linked to groups such as Handala reflected a move beyond disruption into destructive operations. Reported activity included large-scale data wiping, exfiltration, and coordinated doxxing campaigns targeting individuals and organizations tied to Israeli or Western interests.

Equally significant was the reported use of “living-off-the-land” techniques, where attackers leveraged legitimate administrative tools within cloud environments to execute destructive actions. This approach reduces reliance on traditional malware and complicates detection, particularly for organizations dependent on signature-based defenses.

At this stage, cyber operations were no longer operating at the edges of the conflict. They were directly targeting the systems organizations rely on to operate.

Persistence Through Ceasefire: Cyber as a Continuous Pressure Mechanism

Subsequent developments demonstrated that cyber activity is not tied to the tempo of kinetic operations.

During periods of diplomatic pause, Iranian-aligned groups continued to operate with little observable reduction in activity. Public statements from groups such as Handala explicitly reinforced this posture, framing cyber operations as independent from military timelines.

At the same time, targeting patterns shifted rather than paused. Activity expanded to include:

  • Western and allied government systems
  • Critical infrastructure, including water and energy sectors
  • Commercial platforms and authentication systems

This reflects a broader strategic advantage: cyber operations allow actors to maintain pressure, test defenses, and shape outcomes without requiring direct military engagement.

Current State: Distributed, Adaptive, and Blended Operations

At present, cyber activity reflects a blend of objectives:

  • Espionage, particularly against defense and government networks
  • Disruption, including DDoS and service degradation
  • Destruction, through data wiping and system compromise
  • Psychological operations, leveraging public platforms and data exposure

These activities are carried out by a mix of state-linked groups, proxy actors, and loosely affiliated hacktivist networks, often operating with overlapping targets and messaging.

The result is a distributed and adaptive threat environment in which attribution is complex, timelines are compressed, and the boundary between state and non-state activity is increasingly blurred.

What This Signals

Cyber operations in this conflict are not a supporting element—they are a persistent layer of pressure that operates alongside and, at times, independently from physical conflict.

For organizations, this introduces a different type of risk:

  • Activity may continue even when kinetic conditions stabilize
  • Targeting may shift quickly across sectors and geographies
  • Detection becomes more difficult as attackers rely on legitimate tools and blended tradecraft

While cyber operations extend the reach of the conflict, the most immediate systemic pressure is emerging through physical and economic chokepoints—particularly in energy production and maritime transit.

Strategic Chokepoints and Systemic Risk

As the conflict expanded, physical targeting patterns converged around a small number of systems that carry disproportionate global impact: energy production, maritime transit, and regional mobility infrastructure.

Energy Infrastructure as a Primary Lever

Energy systems have emerged as one of the most consistently targeted elements of the conflict.

Strikes on refineries, gas facilities, and industrial complexes—combined with explicit threats against major Gulf energy assets—reflect a deliberate effort to constrain production and introduce volatility into global markets. Incidents affecting facilities in Saudi Arabia and the UAE, along with threats tied to Iran’s own production infrastructure, indicate that both sides view energy disruption as a means of exerting strategic pressure.

The scale of exposure is significant. A substantial portion of global seaborne crude transits through the region, and even partial disruption has immediate downstream effects on pricing, supply planning, and industrial operations.

This dynamic introduces a level of sensitivity that extends well beyond the region. Energy is a transmission mechanism for global economic impact.

Maritime Transit and the Strait of Hormuz

The Strait of Hormuz has remained the central chokepoint throughout the conflict.

From the earliest days, threats to shipping were used to signal escalation. Over time, those threats evolved into direct action, including strikes on commercial vessels, increased naval activity, and the positioning of maritime assets capable of restricting transit.

In later stages, this pressure became more formalized, with both state and proxy actors signaling a willingness to enforce constraints on shipping aligned with opposing interests. The result has been sustained disruption to maritime traffic, increased insurance and routing costs, and reduced throughput across one of the world’s most critical energy corridors.

For organizations dependent on global supply chains, the implications are immediate:

  • Longer transit times
  • Higher costs
  • Reduced predictability in delivery schedules

Even without a complete shutdown, sustained pressure on the Strait introduces ongoing friction into global trade flows.

Aviation and Regional Mobility

Airspace and aviation infrastructure have also been repeatedly affected.

Early in the conflict, flight suspensions and airport disruptions were driven by proximity to kinetic activity. As the conflict progressed, aviation hubs themselves became targets. Incidents near major transit centers—particularly in the Gulf—demonstrate both the vulnerability and strategic importance of these nodes.

Aviation serves as a critical connector for personnel movement, logistics, and high-value cargo. Disruption at major hubs does not remain localized; it cascades across international routes, affecting scheduling, capacity, and access.

In combination with maritime constraints, this creates a compounding effect: fewer viable routes, increased congestion elsewhere, and limited flexibility for organizations attempting to move people or goods.

Expansion to Commercial and Financial Systems

Over time, economic pressure extended beyond physical infrastructure into commercial and financial environments.

Public warnings and targeting signals began to include:

  • Banking institutions and financial districts
  • Commercial office locations tied to Western firms
  • Technology and cloud infrastructure hubs

In parallel, operational impacts became visible. Banking services were disrupted or preemptively suspended in parts of the Gulf, while threats against commercial centers introduced new considerations for business continuity and personnel safety.

This expansion reflects a shift in how the conflict defines “infrastructure.” It is no longer limited to energy or transport, as it also includes the systems that enable economic activity itself.

Business and Security Implications

As the conflict has expanded into energy systems, maritime corridors, aviation hubs, and commercial infrastructure, enterprise exposure is no longer limited to organizations with a direct regional footprint.

The targeting patterns observed throughout this conflict indicate that the systems underpinning global operations—logistics, cloud infrastructure, financial services, and workforce mobility—are all within scope.

For organizations, this introduces sustained operational friction rather than isolated disruption. Planning assumptions should shift accordingly.

Personnel and Physical Security

Exposure to physical risk has expanded beyond military installations into commercial environments.

Incidents affecting transit hubs, diplomatic facilities, and Western-linked commercial districts, combined with public warning lists identifying specific office locations in Jordan and the UAE, indicate that personnel operating in previously low-profile environments may now fall within the threat envelope.

This shift requires a more dynamic approach to workforce security.

Organizations should:

  • Reassess travel posture across the UAE, Qatar, Bahrain, Kuwait, and Saudi Arabia
  • Elevate security protocols at offices, hotels, and logistics sites
  • Reinforce operational security practices, including routine variation and reduced visibility of affiliation
  • Monitor diplomatic advisories and local threat reporting in near real time
  • Reevaluate occupancy and travel policies for personnel in named commercial and financial districts

Supply Chain, Energy, and Commercial Operations

Disruption is not limited to physical logistics. It now extends into the broader commercial operating environment.

Pressure on maritime transit through the Strait of Hormuz, combined with strikes on energy infrastructure and disruptions to financial services, creates a layered risk model: goods may not move, payments may not process, and operations may not continue as planned.

Organizations should plan for sustained instability rather than short-term interruption.

Priorities should include:

  • Modeling extended disruption to Gulf shipping routes
  • Identifying alternative logistics pathways, including overland options
  • Stress-testing supplier dependencies tied to energy inputs and regional ports
  • Preparing for price volatility and delivery delays
  • Assessing exposure to regional banking, payment processing, and financial services continuity

Cloud and Technology Infrastructure

The conflict has demonstrated that commercial technology infrastructure is not insulated from physical or cyber spillover.

The reported impact to cloud environments in the Gulf, combined with targeting signals directed at major technology providers, indicates that infrastructure supporting global applications may be exposed to localized disruption.

At the same time, strikes on regional communication and defense systems introduce additional risk to connectivity and resilience.

Organizations should:

  • Validate geographic redundancy for critical workloads
  • Confirm recovery timelines for regionally hosted environments
  • Review third-party dependencies tied to Gulf-based infrastructure
  • Ensure leadership understands cascading risks from localized outages
  • Evaluate exposure tied to physical proximity of offices, data centers, and regional tech hubs

ICS / OT Environments

Operational technology environments face elevated risk due to the convergence of cyber and physical targeting.

Claims involving industrial control systems—paired with demonstrated attacks on energy and logistics infrastructure—suggest that disruption may extend beyond IT systems into physical operations.

Organizations operating ICS/SCADA environments should prioritize resilience over detection alone.

Key actions include:

  • Auditing and restricting remote access pathways
  • Enforcing phishing-resistant MFA for privileged users
  • Segmenting industrial networks from corporate IT environments
  • Validating response plans for destructive or manipulative scenarios
  • Conducting exercises that assume loss of visibility or control

Ongoing Updates

Flashpoint will continue monitoring developments across physical, cyber, and geopolitical domains. Bookmark this page for updates as the situation evolves.

For organizations seeking deeper visibility into emerging threats, proxy activity, infrastructure targeting, and cross-domain escalation indicators, schedule a demo to see Flashpoint’s intelligence platform deliver timely, decision-ready intelligence.

See Flashpoint in Action

The post Escalation in the Middle East: Tracking “Operation Epic Fury” Across Military and Cyber Domains appeared first on Flashpoint.

  •  

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

SHARE THIS:
Default Author Image
March 11, 2026

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

  • AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
  • 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
  • From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
  • Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

  1. A Clear Understanding of the New Convergence Between Identity and AI
    Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
  2. Intelligence on the “Franchise Model” of Global Extortion
    Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
  3. A Blueprint for Proactive Defense and Risk Mitigation
    Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Get Your Copy

The post Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report appeared first on Flashpoint.

  •  

What to Know About the Notepad++ Supply-Chain Attack

Blogs

Blog

What to Know About the Notepad++ Supply-Chain Attack

In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.

SHARE THIS:
Default Author Image
February 26, 2026

The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”

Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.

Understanding the Notepad++ Vulnerability (CVE-2025-15556)

The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.

By exploiting this lack of verification, threat actors are able to:

  • Intercept legitimate update requests originating from WinGUp servers
  • Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
  • Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches

Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.

How CVE-2025-15556 Works

The state-sponsored Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.

PhaseTimeline (2025)Execution MethodPayload
Chain #1July – August1MB NSIS installer (update.exe)Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe.
Chain #2September140KB NSIS installer (update.exe)Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon.
Chain #3OctoberBackdoor DeploymentDropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor.

Mapping CVE-2025-15556 to MITRE ATT&CK

Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:

Execution

Technique TitleIDRecommendations
User Execution: Malicious FileT1204.002M1040: Behavior Prevention on Endpoint
M1038: Execution Prevention
M1017: User Training
Native APIT1106M1040: Behavior Prevention on Endpoint
M1038: Execution Prevention
Command and Scripting Interpreter: Windows Command ShellT1059.003M1038: Execution Prevention

Persistence

Technique TitleIDRecommendations
Hijack Execution Flow: DLLT1574.002M1013: Application Developer Guidance
M1047: Audit
M1038: Execution Prevention
M1044: Restrict Library Loading
M1051: Update Software
Boot or Logon Autostart Execution: Registry Run Keys / Startup FolderT1547.001*MITRE currently does not list any mitigation guidance to combat this attack technique.
Create or Modify System Process: Windows ServiceT1543.003M1047: Audit
M1040: Behavior Prevention on Endpoint
M1045: Code Signing
M1028: Operating System Configuration
M1018: User Account Management

Defense Evasion

Technique TitleIDRecommendations
MasqueradingT1036M1049: Antivirus/Antimalware
M1047: Audit
M1040: Behavior Prevention on Endpoint
M1045: Code Signing
M1038: Execution Prevention
M1022: Restrict File and Directory Permissions
M1018: User Account Management
M1017: User Training
Obfuscated Files or InformationT1027M1049: Antivirus/Antimalware
M1047: Audit
M1040: Behavior Prevention on Endpoint
M1017: User Training
Obfuscated Files or Information: Dynamic API ResolutionT1027.007*MITRE currently does not list any mitigation guidance to combat this attack technique.
Deobfuscate/Decode Files or InformationT1140*MITRE currently does not list any mitigation guidance to combat this attack technique.
Process InjectionT1055M1040: Behavior Prevention on Endpoint
M1026: Privileged Account Management
Reflective Code LoadingT1620*MITRE currently does not list any mitigation guidance to combat this attack technique.
Execution Guardrails: Mutual ExclusionT1480.002M1055: Do Not Mitigate
Indicator Removal: File DeletionT1070.004*MITRE currently does not list any mitigation guidance to combat this attack technique.

Discovery

Technique TitleIDRecommendations
File and Directory DiscoveryT1083*MITRE currently does not list any mitigation guidance to combat this attack technique.
Ingress Tool TransferT1105M1031: Network Intrusion Prevention

Collection

Technique TitleIDRecommendations
Data from Local SystemT1005M1057: Data Loss Prevention

Command and Control

Technique TitleIDRecommendations
Application Layer Protocol: Web ProtocolsT1071.001M1031: Network Intrusion Prevention
Encrypted ChannelT1573M1031: Network Intrusion Prevention
M1020: SSL/TLS Inspection

Exfiltration

Technique TitleIDRecommendations
Exfiltration Over C2 ChannelT1041M1057: Data Loss Prevention
M1031: Network Intrusion Prevention

Protecting Against CVE-2025-15556

Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:

  1. Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
  2. Audit System Paths: Scan for malicious file paths used for persistence.
  3. Network Defense: Monitor and block traffic to malicious domains.
  4. Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.

Outpace Threat Actors Using Flashpoint

Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.

Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.

Begin your free trial today.

The post What to Know About the Notepad++ Supply-Chain Attack appeared first on Flashpoint.

  •  

Understanding the DarkCloud Infostealer

Blogs

Blog

Understanding the DarkCloud Infostealer

In this post, we analyze DarkCloud, a commercially available infostealer written in Visual Basic 6.0, examine its encryption and evasion techniques, and assess how this low-cost malware can provide threat actors with enterprise-wide access through harvested credentials.

SHARE THIS:
Default Author Image
February 25, 2026

Infostealers continue to dominate the initial access landscape in 2026, lowering the barrier to breach through scalable credential theft. DarkCloud illustrates how low-cost, commercialized malware is reshaping the initial access landscape.

First observed in 2022 and attributed to a developer known as “Darkcloud Coder” (formerly “BluCoder” on Telegram), DarkCloud is openly sold through Telegram and a clearnet storefront with subscription tiers starting at just US$30. Despite being marketed as “surveillance software,” its technical focus is unmistakable: high-volume credential harvesting and structured data exfiltration across browsers, email clients, financial data, and contact networks.

A screenshot from DarkCloud’s clearnet site calling itself “surveillance software.” (Source: DarkCloud clearnet site)

At the technical level, DarkCloud is written in Visual Basic 6.0 and compiled into a native C/C++ application. This legacy language choice is unusual in modern malware development — and likely deliberate. By leveraging outdated but still supported runtime components, DarkCloud appears to benefit from lower detection rates while maintaining full credential theft functionality.

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated. Flashpoint assesses it as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

The Commercialization of DarkCloud

DarkCloud describes itself as a keylogger despite the original advertisement on XSS describing it as an infostealer. (Source: DarkCloud)

DarkCloud represents a mature example of commodity malware-as-a-service.

It is openly sold through Telegram and a clearnet website, where it is misleadingly labeled as a keylogger. While it does include keylogging capabilities, this is only a minor component of a much broader infostealing toolkit.

Its real value proposition is credential harvesting across browsers, email clients, file transfer applications, VPN software, and more.

This dual positioning — public-facing “surveillance software” and underground stealer — provides plausible deniability while enabling large-scale credential operations.

Why Visual Basic 6.0 Matters

One of the most notable aspects of DarkCloud is its use of Visual Basic 6.0.

The payload is written in VB6 and compiled into a native C/C++ application. Microsoft no longer supports VB6 in its modern development environment, and VB6 applications rely on legacy components such as MSVBVM60.DLL for execution.

Flashpoint assesses this legacy language choice is deliberate, both for its simplicity and its potential to evade modern detection models.

In testing, Flashpoint analysts generated equivalent payloads in C/C++ and VB6. The VB6 variant produced significantly fewer detections in VirusTotal scans.

The implication is clear: older languages are not necessarily obsolete in adversary tradecraft. In some cases, they may be strategically advantageous.

Encryption and String Obfuscation

DarkCloud employs a layered string encryption scheme that complicates static and dynamic analysis.

Most internal strings are encrypted and decrypted at runtime using Visual Basic’s Rnd() pseudo-random number generator, combined with a custom seed-generation algorithm.

The process involves:

  • Hex-encoded encrypted strings
  • Base64-encoded keys
  • Seed calculation through a custom algorithm
  • Resetting the VB pseudo-random number generator to a known state
  • Iterative Rnd() calls to reconstruct plaintext strings

By resetting the PRNG with a known value before applying the calculated seed, the malware ensures deterministic output during decryption.

This approach does not rely on novel cryptography, but rather on abusing legacy language behavior to frustrate reverse engineering.

Credential Theft at Scale

DarkCloud’s primary objective is credential collection.

It targets:

Email clients:

  • Outlook
  • eM Client
  • FoxMail
  • Thunderbird
  • 163Mail
  • MailMaster

File transfer applications:

  • FileZilla
  • WinSCP
  • CoreFTP

Browsers:

  • Google Chrome
  • Microsoft Edge
  • Mozilla Firefox
  • Brave
  • Opera
  • Yandex
  • Vivaldi
  • (and many additional Chromium- and Firefox-based browsers)

Other applications:

  • Pidgin
  • NordVPN

When extracting browser data, DarkCloud steals:

  • Login credentials
  • Cookies
  • Credit card information

Email applications are additionally scraped for contact lists. This is likely intended to seed future phishing campaigns.

DarkCloud stores collected data locally in two directories under %APPDATA%\Microsoft\Windows\Templates. One directory (“DBS”) stores copied database files, while another (“_”) stores parsed data in unencrypted text format.

This local staging enables continuous exfiltration while maintaining structured log output.

Exfiltration Methods: Flexibility for Threat Actors

DarkCloud supports four exfiltration methods:

  • SMTP
  • FTP
  • Telegram
  • HTTP

SMTP and FTP require hardcoded credentials within each binary. Email subjects include the victim machine’s hostname and username, and stolen data is transmitted as attachments.

HTTP exfiltration appears less frequently used, though the capability is present.

This flexibility allows operators to tailor deployments depending on infrastructure preferences and operational security requirements.

From BluStealer to DarkCloud

Flashpoint analysts identified notable similarities between DarkCloud’s regular expressions for credit card parsing and those found in a publicly documented project known as “A310LoggerStealer,” also referred to as BluStealer.

The regex patterns appear in identical order and format.

Combined with the developer’s prior alias “BluCoder,” Flashpoint assesses that A310LoggerStealer likely represents an earlier iteration of what became DarkCloud.

This evolution reflects a common pattern in commodity malware development: incremental refinement rather than radical innovation.

A Potent Entry-Level Threat

Despite its relatively low cost, DarkCloud should not be dismissed as unsophisticated.

Its marketing as surveillance software attempts to normalize its presence while providing plausible deniability for buyers. Technically, however, its focus is clear: large-scale credential harvesting across browsers, email clients, financial data, and contact networks.

Flashpoint assesses DarkCloud as a potent entry-level threat that can provide adversaries with the keys to an entire corporate network through harvested credentials.

In a landscape where identity is the new perimeter, even a US$30 subscription can be operationally devastating.

Defending Against Commodity Infostealers

Commodity infostealers like DarkCloud may be commercially accessible, but defending against them requires enterprise-grade vigilance.

Organizations should:

  • Treat phishing-delivered ZIP/RAR attachments as high-risk initial access vectors
  • Monitor for abnormal data exfiltration over SMTP, FTP, and Telegram
  • Audit credential reuse across browser and email applications
  • Prioritize credential rotation and incident response playbooks following suspected compromise

Infostealers like DarkCloud are not breakthrough malware families. They do not rely on zero-days or advanced exploits.

Instead, they exploit scale, accessibility, and identity exposure.

To understand how credential harvesting campaigns are evolving and to embed real-time intelligence into your detection workflows, request a demo today and see how Flashpoint intelligence strengthens your defense posture.

Begin your free trial today.

The post Understanding the DarkCloud Infostealer appeared first on Flashpoint.

  •  

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

Blogs

Blog

The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs

In this post, we explore how the psychological traps of operational security can unmask even the most sophisticated actors.

SHARE THIS:
Default Author Image
February 13, 2026
Table Of Contents

The threat intelligence landscape is often dominated with talks of sophisticated TTPs (tactics, tools, and procedures), zero-day vulnerabilities, and ransomware. While these technical threats are formidable, they are still managed by human beings, and it is the human element that often provides the most critical breakthroughs in attributing these attacks and de-anonymizing the threat actors behind them.

In our latest webinar, “OPSEC Fails: The Secret Weapon for People-Centric OSINT”,  Flashpoint was joined by Joshua Richards, founder of OSINT Praxis. Josh shared an intriguing case study where an attacker’s digital breadcrumbs led to a life-saving intervention. 

Here is how OSINT techniques, leveraged by Flashpoint’s expansive data capabilities, can dismantle illegal threat actor campaigns by turning a technical investigation into a human one.

Leveraging OPSEC as a Mindset

In a technical context, OPSEC is a risk management process that identifies seemingly innocuous pieces of information that, when gathered by an adversary, could be pieced together to reveal a larger, sensitive picture.

In the webinar, we break down the OPSEC mindset into three core pillars that every practitioner, and threat actor, must navigate. When these pillars fail, the investigation begins.

  • Analyzing the Signature: Every human has a digital signature, such as the way they type (stylometry), the times they are active, and the tools they prefer.
  • Identity Masking & Persona Management: This involves ensuring that your investigative identity has zero overlap with your real life. A common failure includes using the same browser for personal use and investigative research, which allows cookies to bridge the two identities.
  • Traffic Obfuscation: Even with a VPN, certain behaviors such as posting on a dark web forum and then using that same connection to check personal banking can expose an IP address, linking it to a practitioner or threat actor.

“Effective OPSEC isn’t about the tools you use; it’s about what breadcrumbs you are leaving behind that hackers, investigation subjects, or literally anyone could find about you.”

Joshua Richards, founder of Osint Praxis

Leveraging the Mindset for CTI

Understanding the OPSEC mindset allows security teams to think like the target. When we know the psychological traps attackers fall in, we know exactly where to look for their mistakes.

AssumptionThe Mindset TrapThe Investigative Reality
Insignificant“I’m not a high-value target; no one is looking for me.”Automated Aggression: Hackers use scripts to scan millions of accounts. You aren’t “chosen”; you are “discovered” via automation.
Invisible“I don’t have a LinkedIn or X account, so I don’t have a footprint.”Shadow Data: Public birth records, property taxes, and historical data breaches create a footprint you didn’t even build yourself.
Invincible“I have 2FA and complex passwords; I’m unhackable.”Session Hijacking: Infostealer malware steals “session tokens” (cookies). This allows an actor to be you in a browser without ever needing your 2FA code.

During the webinar, Joshua shares a masterclass in how leveraging these concepts can turn a vague dark web threat into a real-world arrest. Check out the on-demand webinar to see exactly how the investigation started on Torum, a dark web forum, and ended with an arrest that saved the lives of two individuals.

Turn the Tables Using Flashpoint

The insights shared in this session powerfully illustrate that even the most dangerous threat actors are rarely as anonymous as they believe. Their downfall isn’t usually a failure of their technical prowess, but a failure of their mindset. By understanding these OSINT techniques, intelligence practitioners can transform a sea of digital noise into a clear path toward attribution.

The most effective way to dismantle threats is to bridge the gap between technical indicators and human behavior. Whether your teams are conducting high-stakes OSINT or protecting your own organization’s digital footprint, every breadcrumb counts. By leveraging Flashpoint’s expansive threat intelligence collections and real-time data, you can stay one step ahead of adversaries. Request a demo to learn more.

Request a demo today.

The post The Human Element: Turning Threat Actor OPSEC Fails into Investigative Breakthroughs appeared first on Flashpoint.

  •  

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

Blogs

Blog

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the “turn-key” weapon of choice for modern threat actors.

SHARE THIS:
Default Author Image
February 11, 2026

The race between defenders and threat actors has entered a new, more volatile phase: the rapidly accelerating exploitation of N-day vulnerabilities. Different from zero-days, N-day vulnerabilities are known security flaws that have been publicly disclosed but remain unpatched or unmitigated on an organization’s systems.

Historically, enterprises operated under the assumption of a “patching grace period,” the designated window of time allowed for a vendor to test and deploy a fix before a system is considered non-compliant or at high risk. However, this window is effectively collapsing, with Flashpoint finding that N-days now represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

The Collapse of the Time to Exploit (TTE) Window

The most sobering trend for security operations (SecOps) and exposure management teams is the dramatic reduction in Time to Exploit (TTE). In 2020, the average TTE, the time between a vulnerability’s disclosure and its first observed exploitation, was 745 days. By 2025, Flashpoint found that this window has now plummeted to an average of just 44 days.

202520242023202220212020
Average TTE44115296405518745

This contraction represents a strategic shift in adversary tempo. Attackers are no longer waiting for complex, bespoke exploits; they are moving at breakneck speeds to weaponize public disclosures.

N-Days Provide a “Turn-Key” Exploit Advantage

Adversaries have gained a significant advantage through the rapid weaponization of researcher-published Proof-of-Concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a “turn-key” solution for attackers. By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.

A prime example of this path of least resistance approach was observed in the leaked internal chat logs of the BlackBasta ransomware group. Analysis revealed that of the 65 CVEs discussed by the group, 54 were already known KEVs. Rather than spending resources on original zero-day research, threat actors are simply leveraging known, yet unpatched and exploitable vulnerabilities for their campaigns.

Defensive Software is a Primary Target for N-Days

The very software designed to protect enterprise firewalls, VPN gateways, and edge networking devices is consistently the most targeted category for both N-day and zero-day exploitation.

Because cybersecurity devices must be internet-facing to function, they provide a constant, unauthenticated attack surface. In 2025 alone, Flashpoint observed 37 N-days and 52 zero-days specifically targeting security and perimeter software. The requirement for these systems to remain open to external traffic means they will continue to be disproportionately targeted by advanced persistent threat (APT) groups and cybercriminals alike.

Attributing N-Day Attacks

While tracking the “how” of an attack is critical, tracking who is responsible remains a fragmented challenge for the industry. Attribution is often hampered by naming fatigue, where different vendors assign their own designated unique monikers to the same actor. For instance, the widely known threat actor group Lazarus has over 40 distinct designations across the industry, including “Diamond Sleet,” “NICKEL ACADEMY,” and “Guardians of Peace”.

Despite these naming complexities, global activity patterns remain clear. China remains the most active nation-state actor in the vulnerability exploitation space, consistently outpacing Russia, Iran, and North Korea in both the volume and scope of their campaigns.

Obstacles for Enterprise Security: Asset Blindness and the CVE Dependency Trap

Why are organizations struggling to keep pace? The primary factor isn’t a lack of effort, but a lack of visibility.

1. The Asset Inventory Gap

The single greatest breakthrough an enterprise can achieve is not a new AI tool, but a complete asset inventory. Most large organizations are lucky to have an accurate inventory of even 25% of their total assets. Without knowing what you own, vulnerability scans can take days or weeks to return results that the adversary is already using to probe your network.

2. The CVE Blindspot

Most traditional security tools are CVE-dependent. However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID. These “missing” vulnerabilities represent a massive blindspot for standard scanners. Intelligence-led exposure management requires looking beyond the CVE ecosystem into proprietary databases like Flashpoint’s VulnDB™, which tracks over 105,000 vulnerabilities that public sources miss.

Move Towards Intelligence-Led Exposure Management Using Flashpoint

To survive in an era where weaponization can happen in under 24 hours, organizations must shift from reactive patching to a threat-informed and proactive security approach. This means:

  • Prioritizing by Exploitability and Threat Actor Activity: Focus on vulnerabilities that are remotely exploitable and have known public exploits, rather than just high CVSS scores.
  • Adopting an Asset-Inventory Approach: Moving away from slow, periodic scans in favor of continuous asset mapping that allows for immediate triage.
  • Operationalizing Intelligence: Embedding real-time threat data directly into SOC and IR workflows to reduce the “mean time to action”.

The goal of exposure management is to look at your organization through the adversary’s lens. By understanding which N-days threat actors are actually discussing and weaponizing in the wild, defenders can finally start to close the window of exposure before a potential compromise can occur.

Flashpoint’s vulnerability threat intelligence can help your organization go from reactive to proactive. Request a demo today and gain access to quality vulnerability intelligence that enables intelligence-led exposure management.

Request a demo today.

The post N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation appeared first on Flashpoint.

  •  
❌