
Posts by Calwarez

2025 Year in Review: Malicious Infrastructure
Explore Insikt Group’s 2025 Malicious Infrastructure Report. Gain insights into Cobalt Strike, Vidar infostealers, and AI-driven threats to secure your 2026 strategy.

Huge shoutout to the team for their efforts pulling all this together!

Read the full report here: www.recordedfuture.com/research/202...

6/6

4 weeks ago 1 0 0 0

Threat actors are increasingly abusing Legitimate Internet Services (LIS) like Cloudflare, Google Drive, and Telegram to hide in plain sight. It’s a structural challenge for every network defender. 5/6

4 weeks ago 0 0 1 0

Using our Threat Density Score, we identified Virtualine Technologies as the year's highest-risk network, followed by CrazyRDP, both of which are key Threat Activity Enablers (TAEs).

4 weeks ago 0 0 1 0

Following LE disruption of LummaC2, Vidar stepped in to fill the gaps. However, Lumma proved resilient, adapting its infrastructure to keep operating despite the pressure. 3/6

4 weeks ago 0 0 1 0

Cobalt Strike is still king, but its crown is slipping. While it remains the dominant OST (~50% share), we’re seeing a rise in alternatives like RedGuard, Ligolo, and Supershell as defenders get better at spotting the "standard" malleable profiles. 2/6

4 weeks ago 0 0 1 0

🧵 ICYMI: We just dropped our 2025 Malicious Infrastructure Review! Some of the highlights below👇 #Infosec #CyberThreats 1/6

www.recordedfuture.com/research/202...

4 weeks ago 3 2 1 0

-Iran internet outage not caused by strikes
-Russia expands internet blackout to Sankt Petersburg
-Oracle out-of-band security update
-Himmelblau vulnerability gives root
-Claudy Day vulnerabilities
-Leak in German uni campuses platform
-Langflow attacks started within a day

4 weeks ago 12 7 1 1

Noticed Microsoft Defender tagging #TheVoidStealer as #WallStealer thanks to some recent abuse_ch uploads. Here’s the threat actor nikoniko (aka “TheVoidStl”) discussing the removal of multiple detections, including WallStealer.

1 month ago 2 2 0 0
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
GrayCharlie turns compromised WordPress sites into malware delivery machines. Discover how this threat actor chains fake browser updates and ClickFix lures to deploy NetSupport RAT, Stealc, and Sectop...

1/ Today, Insikt Group is publishing on GrayCharlie, a threat actor active since mid-2023 that overlaps with SmartApeSG. GrayCharlie compromises WordPress sites and turns them into malware delivery hubs: www.recordedfuture.com/research/gra...

2 months ago 5 8 1 0
Pro-Russia hacktivist activity continues to target UK organisations
The NCSC encourages local government and critical infrastructure operators to harden their ‘denial of service’ (DoS) defences

Today the NCSC has issued a warning highlighting that pro-Russian hacktivist groups are targeting sectors across the UK.

All organisations are urged to act now by reviewing and implementing our free guidance to protect against DoS attacks.

3 months ago 12 11 0 1
Predator spyware demonstrates troubleshooting, researcher-dodging capabilities
Predator spyware operators have the ability to recognize why an infection failed, and the tech has more sophisticated capabilities for averting detection than previously known, according to research p...

Predator spyware demonstrates troubleshooting, research-dodging capabilities cyberscoop.com/predator-spy...

3 months ago 9 7 0 0
NoName057(16) and DDoSia Project Analysis: Russia's Most Persistent Hacktivist Operation
ALT: Threat actor card of NoName057(16)

NoName057(16) and DDoSia Project Analysis: Russia’s Most Persistent Hacktivist Operation
socradar.io/blog/noname0...
New SOCRadar Whitepaper Reveals the Inner Workings of DDoSia and Pro-Russian Cyber Aggression

3 months ago 2 1 0 0
GRU-Linked BlueDelta Evolves Credential Harvesting
Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.

Recorded Future’s Insikt Group identified multiple credential-harvesting campaigns conducted by BlueDelta, a Russian state-sponsored threat group associated with the Main Directorate of the General Staff of the Armed Forces of the Russian Federation (GRU).
www.recordedfuture.com/research/gru...

3 months ago 3 2 0 0
GRU-Linked BlueDelta Evolves Credential Harvesting
Insikt Group reveals how GRU-linked BlueDelta evolved credential-harvesting campaigns targeting government, energy, and research organizations across Europe and Eurasia.

Today, we released new @RecordedFuture research detailing BlueDelta’s expanded credential-harvesting activity observed between February and September 2025. #BlueDelta #APT28 #FANCYBEAR #ForestBlizzard #FROZENLAKE #ITG05 #PawnStorm #Sednit #Sofacy #TA422 (1/5) www.recordedfuture.com/research/gru...

3 months ago 7 5 1 0
BlueDelta’s Persistent Campaign Against UKR.NET
Discover how Russia’s BlueDelta targets UKR.NET users with advanced credential-harvesting campaigns, evolving tradecraft, and multi-stage phishing techniques.

Recorded Future’s Insikt Group identified a sustained credential-harvesting campaign targeting users of UKR.NET. The activity is attributed to the Russian state-sponsored threat group | www.recordedfuture.com/research/blu...

4 months ago 7 4 0 0
ALT: two men are sitting in front of a crowd talking about strategy
4 months ago 2 0 0 0
Local hackers and Russian-speaking cyber criminals stretching UK responses
UK law enforcement must combat a diversifying array of cyber threats in the face of limited resources and a rapidly evolving cyber landscape

In their latest for Binding Hook, @nca-uk.bsky.social’s William Lyne and @rusi.bsky.social's @jamiemaccoll.bsky.social look at the challenges facing UK law enforcement as cybercriminals become more diverse at home and abroad: bindinghook.com/local-hacker...

4 months ago 6 5 0 0
Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups
The Justice Department announced two indictments in the Central District of California charging Ukrainian national Victoria Eduardovna Dubranova, 33, also known as Vika, Tory, and SovaSonya, for her r...

Justice Department Announces Actions to Combat Two Russian State-Sponsored Cyber Criminal Hacking Groups (U.S. Department of Justice): www.justice.gov/opa/pr/justi...

4 months ago 3 2 0 0
GrayBravo’s CastleLoader Activity Clusters Target Multiple Industries

1/ @whoisnt.bsky.social, Marius, and I just published a report on #GrayBravo (formerly TAG-150), a highly adaptive, sophisticated threat actor that we first identified in Sept 2025. It uses a multi-layered infrastructure and responds quickly to exposure: www.recordedfuture.com/research/gra...

4 months ago 10 6 1 1

Recorded Future’s Insikt Group uncovered four GrayBravo activity clusters. TAG-160 impersonates logistics firms, while TAG-161 impersonates Booking.com, employing ClickFix to deliver CastleLoader and Matanbuchus. www.recordedfuture.com/research/gra...

4 months ago 6 5 0 0

"There is a lack of consensus regarding the current state of AI malware maturity."

So we put together #AIM3 to help #malware researchers describe the maturity level of an #AI_Malware Threat.
www.recordedfuture.com/blog/ai-malw...

4 months ago 3 2 0 0

⚠️ New victims of Predator #spyware identified, with malicious TikTok links revealing new targets, and evidence showing 🇪🇬Egypt & 🇸🇦Saudi clients still active.

➡️ Ad-based infections confirmed.

➡️ Leaked files & investigation expose post-sanctions Intellexa operations.

www.haaretz.com/israel-news/...

4 months ago 6 7 1 2
To Catch a Predator: Leak exposes the internal operations of Intellexa’s mercenary spyware - Amnesty International Security Lab
Drawing on leaked internal company documents, sales and marketing material, as well as training videos, the “Intellexa Leaks” investigation gives a never-before-seen glimpse of the internal operations...

And check out the companion blog post by @amnestyuk.bsky.social tech with a detailed peek into Intellexa's setup based on leaked materials 👀

Giveaway: Intellexa can observe all of what their gov clients are doing with their hacking tech and more securitylab.amnesty.org/latest/2025/...

4 months ago 6 3 1 0
Intellexa’s Global Corporate Web

1/ Today we release a new report exposing previously undisclosed entities connected to the wider #Intellexa ecosystem as well as newly identified activity clusters in Iraq and indications of activity in Pakistan: www.recordedfuture.com/research/int...

4 months ago 26 18 2 4

Cyber Monday Deal
Get 6 months of Modat Magnify Pro for just €5 total (save €355).
Use code: MODAT2025CYBERMONDAY

Try the platform. Run advanced queries. Find what others miss.

magnify.modat.io
#CyberMonday #Cybersecurity #OSINT

4 months ago 1 1 0 0

1/ United States, Australia, and United Kingdom sanction Russian threat activity enabler Media Land (Yalishanda) and follow up on recent designations targeting Aeza. ofac.treasury.gov/recent-actio...

5 months ago 3 3 1 0

Great read from @lawrencesec.bsky.social & @whoisnt.bsky.social !

5 months ago 2 1 0 0
Dark Covenant 3.0: Controlled Impunity and Russia’s Cybercriminals
Explore how Russia’s cybercriminal ecosystem evolved under Operation Endgame—where state control, selective enforcement, and criminal alliances collide.

Recorded Future just published Dark Covenant 3.0, revealing how global crackdowns and shifting Russian enforcement are reshaping the cybercriminal underground, exposing ties to state actors and turning cybercrime into a geopolitical tool: www.recordedfuture.com/research/dar...

5 months ago 7 7 0 0

Great work by my colleague, @lawrencesec.bsky.social ! He dives deep into the systemic flaw where "neutral" internet governance lets sanctioned ISPs evade restrictions and continue supporting #cyberattacks and #disinformation. A must-read on the infrastructure gap. 👇

6 months ago 5 1 0 0
BIETA: A Technology Enablement Front for China's MSS
Discover how China's Ministry of State Security (MSS) almost certainly operates BIETA and its subsidiary CIII as public fronts for cyber-espionage, covert communications, and technology acquisition. C...

Recorded Future just published a report diving into the Beijing Institute of Electronics Technology and Application (BIETA), which is almost certainly a front for China’s MSS, developing technologies to support intelligence and military missions. Full report: www.recordedfuture.com/research/bie...

6 months ago 17 14 0 2