{
	"id": "8163dcc2-1564-4e47-a7df-531bc00c1e73",
	"created_at": "2026-04-29T02:21:39.577146Z",
	"updated_at": "2026-04-29T08:21:20.156657Z",
	"deleted_at": null,
	"sha1_hash": "56357662a440b7e183247380dc5a4094dffc4645",
	"title": "",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "2026-03-17T16:11:35Z",
	"file_modification_date": "2026-03-17T16:12:44Z",
	"file_size": 20200986,
	"plain_text": "Decoding the Accelerated\r\nCyber Attack Cycle\r\n2026 GLOBAL THREAT LANDSCAPE REPORT\n\n2\r\nCONTENTS\r\nIntroduction 3\r\nExecutive Summary 4\r\nKey findings 5\r\nThe Disappearance of Predictive Lead Time 8\r\nThe Industrialization of Access 14\r\nExposure Surfaces as a Strategic Terrain 20\r\nAI as an Acceleration Layer 22\r\nRansomware as a Downstream Income 24\r\nEmbedded Access and Pre-positioning\r\nCreates Geopolitical Waves 30\r\nThe Path Forward: From Reactive Defense to\r\nExposure Management 34\n\n3\r\nINTRODUCTION\r\nThe role of intelligence is evolving, as threat actors gather greater access\r\nto tools that compromise organizations globally and geopolitics continues\r\nits transition to becoming either entirely digital or hybrid. Our 2026 report\r\ndemonstrates that cyber intelligence is now more important than ever, in\r\nparticular, the need for actionable insights. For example, the growth in the\r\nnumber of exploited vulnerabilities means remediation has to keep pace with\r\nthese changes. In other words, reviewing security advisories, determining\r\nexposure, and implementing updates to manage the risk each must keep pace\r\nwith well-funded threat groups.\r\nThis demonstrates exactly why vulnerability intelligence is quickly becoming\r\na critical component of an organization’s threat intelligence strategy.\r\nUnderstanding these initial entry vectors, used by threat groups that previously\r\nrelied almost entirely on weak or compromised credentials, is imperative given\r\nthat we know the number of criminal groups are increasing (e.g., ransomware\r\nas detailed within the report).\r\nTraditional threat intelligence, which focused on collating large datasets of\r\nIndicators of Compromise (IoCs), is broadening to demand higher efficacy\r\nand context. 
This new, broader perspective involves integrating preemptive\r\nindicators, such as dark web signals, into alerts to accurately identify potential\r\nexposure before an attack materializes. Furthermore, it emphasizes the\r\nimportance of prioritizing the remediation process to address exposures before\r\nadversaries gain a network foothold.\r\nRapid7 Labs embodies this approach, using \"curated intelligence\" and\r\n\"actionable insights\" derived from a broad ingestion of signals to provide\r\naccurate, actionable information for both organizations and the open-source\r\ncommunity.\r\n— The Rapid7 Labs Team\n\n4\r\nCyber risk fundamentally changed in 2025. For years, organizations invested in faster detection and\r\nresponse, assuming that speed would offset exposure. That assumption no longer holds. The balance has\r\nshifted from reacting quickly to anticipating risk before it materializes.\r\nThe core drivers of cyber incidents remain unchanged. Weak credentials, unpatched systems, and\r\nexposed services continue to account for the majority of successful intrusions. What has changed is the\r\npace at which these conditions are identified and exploited. Automation and artificial intelligence (AI)\r\nhave dramatically compressed the time between exposure and impact, often reducing the opportunity for\r\nmeaningful intervention to minutes, or eliminating it altogether.\r\nEXECUTIVE SUMMARY\r\nSecurity did not fail\r\nin 2025 because\r\ndefenders were slow.\r\nIt failed because speed\r\nwas no longer the\r\nadvantage.”\r\nThis report does not suggest a sudden\r\ntransformation in attacker intent or sophistication.\r\nRather, it reflects the acceleration of existing\r\nmethods. AI is being used to scale reconnaissance,\r\nautomate decision-making, and industrialize\r\nsocial engineering, compressing the time between\r\nexposure and exploitation. 
Our findings show that\r\nthe majority of successful intrusions still originate\r\nfrom known, preventable conditions: exposed\r\nservices, weak identity controls, and unpatched\r\nedge infrastructure. What has changed is how\r\nquickly those conditions are discovered and\r\nweaponized.\r\nThis shift requires a fundamental mindshift toward\r\npreemptive security. Preemptive security means\r\nreducing the conditions attackers rely on before\r\nexploitation occurs, detecting and responding with\r\nfull environmental context, and prioritizing action\r\nbased on material risk, not alert volume. Organizations that fail to adopt this approach face a widening\r\nasymmetry: as attacker velocity increases, reactive decision models become increasingly misaligned with\r\nhow risk now materializes.\r\nAt the same time, the traditional perimeter of the enterprise has dissolved. Our findings show attackers\r\nconsistently targeting the most trusted and operationally critical layers of modern organizations,\r\nincluding identity systems, cloud environments, and collaboration platforms. These environments blur\r\nthe distinction between legitimate activity and malicious behavior, increasing the difficulty and cost of\r\ncontainment once access is established.\r\nIn this environment, the advantage comes from clarity. Organizations that continuously understand their\r\nattack surface, apply curated intelligence to what matters most, and connect technical exposure to\r\nbusiness impact are best positioned to reduce risk before it becomes disruption. In 2026, effective cyber\r\ndefense is defined by informed prioritization and anticipation rather than simply reacting to alerts.\n\n5\r\nCyber risk did not transform in 2025 because attackers discovered entirely new techniques. It\r\ntransformed because the entire ecosystem surrounding compromise accelerated, from underground\r\naccess markets, to ransomware deployment, to nation-state pre-positioning. 
What once unfolded over\r\nweeks now materializes in days, and in some cases, minutes.\r\nKEY FINDINGS\r\nKEY FINDING #1: THE PREDICTIVE WINDOW HAS COLLAPSED\r\nIn 2025, the statistical buffer between disclosure and exploitation materially narrowed:\r\n• Within newly disclosed CVSS 7–10 vulnerabilities, confirmed exploitation increased\r\n105% year over year, rising from 71 in 2024 to 146 in 2025.\r\n• Median time from publication to CISA KEV inclusion dropped from 8.5 days to\r\n5.0 days, while mean time dropped from 61.0 days to 28.5 days.\r\n• The number of “high-risk but not yet exploited” vulnerabilities (EPSS ≥ 0.7 without\r\nconfirmed exploitation) fell dramatically, indicating that high-probability\r\nvulnerabilities are being operationalized almost immediately.\r\nKEY FINDING #2: ATTACKERS ARE MONETIZING UNMANAGED EXPOSURE\r\nThe intrusion lifecycle increasingly begins with known, preventable exposure conditions\r\nrather than breakthrough exploitation techniques:\r\n• Valid account / no MFA accounted for 43.9% of all IR incidents in 2025, making it the\r\nsingle most common initial access vector.\r\n• Vulnerability exploitation accounted for 24.6%, and exposed services for 7.0%.\r\n• On underground forums, RDP (21.2%), VPN (12.8%), and RDWeb (11.2%) were the most\r\nfrequently advertised access types.\r\n• “Domain User” privileges were the most commonly sold level of access.\n\n6\r\nKEY FINDING #3: EXPLOITATION IS CONCENTRATING ON A\r\nNARROW SET OF RELIABLE WEAKNESS CLASSES\r\nRapid7’s Vulnerability Intelligence team observed that confirmed exploitation clustered\r\naround a small number of weakness classes:\r\n• CWE-502 (Deserialization) was the most common root cause among exploited\r\nvulnerabilities.\r\n• Authentication bypass and memory corruption vulnerabilities remained consistently\r\nrepresented in confirmed exploitation data.\r\n• Several high-profile ransomware campaigns focused on deserialization flaws and\r\nauthentication bypasses in file 
transfer systems, edge appliances, and collaboration\r\nplatforms.\r\nKEY FINDING #4: RANSOMWARE HAS MATURED INTO A SPEED-OPTIMIZED ACCESS ECONOMY\r\nRansomware was not a peripheral threat in 2025, it was the dominant operational outcome.\r\n42% of Rapid7 MDR incident response investigations in 2025 involved ransomware.\r\nAt the same time:\r\n• Total ransomware leak posts increased from 6,034 in 2024 to 8,835 in 2025\r\n(a 46.4% YoY rise).\r\n• The number of unique active ransomware groups grew from 102 to 140.\r\n• Data theft increasingly preceded encryption, reinforcing smash-and-grab\r\nextortion models.\n\n7\r\nKEY FINDING #5: EMBEDDED ACCESS, NOT PERIMETER BREACH, DEFINES STRATEGIC RISK\r\nAcross both financially motivated and state-aligned operations, adversaries converged\r\non the same high-value control surfaces:\r\n• Telecommunications and network-edge infrastructure\r\n• Cloud identity and device-code authentication flows\r\n• Collaboration platforms abused as command-and-control channels\r\n• SaaS APIs and trusted third-party integrations\r\n7\n\n8\r\nIf we take a careful look at the CVE data coming out of 2025, the story isn’t really about volume anymore.\r\nYes, vulnerability counts continue to rise, and yes, the numbers are large enough to overwhelm most\r\nprograms on their own. But that problem is familiar. What stands out in the 2025 data is something more\r\nsubtle and, frankly, more difficult to deal with: risk is no longer accumulating quietly. It is being realized\r\nalmost immediately.\r\nThat shift changes how we should interpret nearly every metric we rely on today.\r\nVolume increased and exploitation accelerated\r\nAt a high level, the growth in high and critical vulnerabilities (CVSS 7–10) from 2024 to 2025 was notable\r\nbut not unprecedented. 
The total count increased from roughly 16,200 in 2024 to just over 18,100 in 2025,\r\nwhich is consistent with longer-term disclosure trends rather than a dramatic inflection point on its own.\r\nThe more meaningful change appears when looking specifically at exploitation within the high to critical\r\nCVSS constrained dataset. For this analysis, “exploited in the wild” refers only to vulnerabilities that meet\r\nall three of the following criteria: a CVSS score between 7 and 10, publication in the same calendar year\r\nbeing analyzed, and confirmed exploitation within that dataset. Using that scope, the number of exploited\r\nvulnerabilities increased by approximately 105% year over year, rising from 71 in 2024 to 146 in 2025 (see\r\nFigure 1). This increase far outpaced the year-over-year growth in newly disclosed vulnerabilities within\r\nthe CVSS 7–10 range. As shown in the figure below, this acceleration is not a single-year anomaly.\r\nTHE DISAPPEARANCE OF PREDICTIVE LEAD TIME\r\nFigure 1\r\n8\n\n9\r\nAcross the four-year window from 2022 to 2025, exploited vulnerabilities grew roughly twentyfold, from 7\r\nto 146, while the total number of CVSS 7–10 disclosures more than doubled. The exploitation rate relative\r\nto disclosure volume has shifted from less than 0.1% in 2022 to 0.8% in 2025. These combined findings\r\nindicate that attackers are weaponizing a larger share of the critical vulnerability surface each year. The\r\ngrowing volume of critical disclosures is not merely expanding the attack surface, but actively outpacing\r\ndefenders' capacity to prioritize and patch, creating an environment where a larger proportion of available\r\nvulnerabilities are successfully weaponized each year.\r\nAdditional timing data reinforces the trend toward faster exploitation. 
When restricting the analysis to\r\nCVSS 7–10 vulnerabilities published in the same calendar year and later added to CISA KEV, the median\r\ntime from publication to KEV inclusion dropped from 8.5 days in 2024 to 5.0 days in 2025, with the mean\r\ndropping from 61.0 days to 28.5 days. While not every vulnerability is exploited immediately, the overall\r\ndistribution has shifted noticeably toward shorter timelines.\r\nTaken together, these findings suggest that attackers are not simply benefiting from an expanding pool\r\nof vulnerabilities. They are becoming more efficient at identifying which newly disclosed, high-severity\r\nvulnerabilities are worth operationalizing and doing so more quickly. From a defensive perspective, this\r\nfurther compresses the decision window. The challenge is increasingly not whether a vulnerable system\r\nwill eventually be patched, but whether exposure can be identified and addressed before exploitation\r\nbecomes widespread.\r\nWhile AI has a part to play in this acceleration, it is further fueled by the industrialization of the cybercrime\r\necosystem, where Initial Access Brokers (IABs) and specialized collectives remove operational friction by\r\nselling verified access and pooling expertise. Attackers have strategically pivoted toward abusing valid\r\ncredentials and converging on edge infrastructure to bypass hardened perimeters. This shift, combined\r\nwith \"smash-and-grab\" tactics that prioritize immediate exfiltration, ensures that risk is realized almost\r\nimmediately after a vulnerability is operationalized.\n\n10\r\nCWE shifts reveal attacker preferences\r\nBefore looking at how CWEs shifted year over year, it is important to separate two related but distinct views\r\nof the data: CWEs ranked by total CVE volume and CWEs associated with vulnerabilities actually exploited in\r\nthe wild. 
These two perspectives often diverge and, in 2025, that divergence became more pronounced.\r\nFrom a volume standpoint, the overall picture remained relatively stable at the top. CWE-79 (Cross-Site\r\nScripting) and CWE-89 (SQL Injection) continued to be the most common weaknesses disclosed. However,\r\nthe broader top-five composition shifted meaningfully from 2024. Memory handling issues such as CWE-119, filename control problems like CWE-98, and CWE-352 (Cross-Site Request Forgery) re-emerged\r\nprominently in disclosure counts. This reflects ongoing software complexity and recurring development\r\npatterns rather than a sudden change in attacker behavior.\r\nThat picture changes when the focus shifts to vulnerabilities exploited in the wild. In 2025, CWE-502\r\n(Deserialization) was the most common root cause among exploited vulnerabilities, followed by memory\r\ncorruption issues and command injection. Notably, several CWEs that ranked highly by disclosure volume,\r\nincluding CSRF, were far less prominent in confirmed exploitation data.\r\nThis distinction matters. High-volume CWEs largely reflect how software is built. Exploited CWEs reflect how\r\nattackers operate. The two are related, but they are not interchangeable. Counting vulnerabilities tells us\r\nwhere defects exist. Tracking exploited weaknesses tells us where attackers consistently succeed.\r\nAcross multiple years, attackers have continued to favor weaknesses that offer reliability and scale. These\r\nare issues that enable pre-authentication access, remote code execution, or rapid data exfiltration. 
The\r\npersistent presence of deserialization flaws among exploited vulnerabilities helps explain why file transfer\r\nsystems, management platforms, and edge-facing services remain disproportionately attractive targets,\r\neven when those weaknesses are not the most common by raw CVE count.\r\nEPSS is declining, but that doesn’t mean risk is\r\nOne of the more counterintuitive trends in the 2025 data is the decline in average EPSS (Exploit Prediction\r\nScoring System) scores. Across the full population of critical vulnerabilities, the average EPSS score\r\ndropped significantly compared to 2024 (see Figure 2).\r\nFigure 2\r\n10\n\n11\r\nAt first glance, this might suggest improvement: fewer vulnerabilities appear likely to be exploited. In\r\nisolation, that interpretation is reasonable. EPSS may indeed be getting better at identifying that the vast\r\nmajority of CVEs never become operational attack vectors.\r\nThe problem is what happens at the extremes.\r\nDespite lower average EPSS scores, the number of exploited vulnerabilities increased sharply, jumping\r\nfrom 71 in 2024 to 146 in 2025 in critical vulnerabilities (CVSS 7–10). Even within subsets such as\r\nvulnerabilities already confirmed as exploited in the wild, average EPSS scores declined year over year.\r\nThe same pattern appears in the data for Emerging Threat Response (ETR) vulnerabilities.\r\nThis essentially creates a paradox: predicted probability is going down, while realized exploitation is going\r\nup (see Figure 3).\r\nThe most plausible explanation is not that EPSS is “wrong,” but that the window in which prediction is useful\r\nhas narrowed. 
Vulnerabilities no longer remain in a high-probability, pre-exploitation state for very long.\r\nOnce a vulnerability is identified as attractive, it often transitions directly into active exploitation.\r\nThis shift is most clearly visible in the collapse of the “high-risk but unexploited” category of vulnerabilities.\r\nIn 2024, there were 338 CVEs with an EPSS score of 0.7 or higher that had not yet been observed exploited\r\nin the wild. These vulnerabilities represented latent risk — flaws that defenders knew were likely to be\r\nweaponized but still had some measurable window for prioritization, mitigation, or compensating controls.\r\nIn 2025, that number fell to just 65, despite an overall increase in both disclosed vulnerabilities and\r\nconfirmed exploitation. The same pattern appears even more starkly in the Emerging Threat Response\r\n(ETR) dataset. In 2024, 15 ETR vulnerabilities fell into the high-risk-but-unexploited category. In 2025, that\r\nnumber dropped to one, while the number of ETR vulnerabilities confirmed as exploited in the wild surged\r\nfrom 5 to 22.\r\nThe Paradox: Rising Exploitation vs. Declining Predictive Scores\r\nFigure 3\n\n12\r\nThe implication is not that fewer high-risk vulnerabilities exist. Rather, it suggests that high-risk\r\nvulnerabilities are no longer remaining unexploited long enough to be managed as latent risk. Once\r\na vulnerability is identified as highly exploitable — either through EPSS, ETR designation, or public\r\ndisclosure — it is being operationalized by attackers almost immediately. This aligns with broader industry\r\nobservations that the time between disclosure and confirmed exploitation has continued to compress,\r\noften to a matter of days or less.\r\nThe key takeaway is that defenders are losing the buffer between “this is likely to be exploited” and “this\r\nis actively being exploited.” In prior years, predictive indicators helped buy time. 
In 2025, that predictive\r\nwindow has largely collapsed. Risk is no longer something that accumulates quietly; for the highest-impact\r\nvulnerabilities, it is being exercised almost as soon as it becomes visible.\r\nFrom predictive signal to near-certain outcome\r\nThe Emergent Threat Response (ETR) data makes this trend especially clear. Rapid7’s ETR program\r\nis designed to highlight a small set of vulnerabilities that combine high severity, credible exploitation\r\npathways, and meaningful impact.\r\nIn 2024, only a minority of ETR vulnerabilities were confirmed as exploited in the wild. In 2025, nearly all of\r\nthem were.\r\nThe volume of ETR-designated CVEs remained stable year over year, and their average CVSS scores\r\nstayed extremely high. What changed was exploitation. The category effectively shifted from “likely to be\r\nexploited” to “expected to be exploited.”\r\nThis change has important implications. It suggests that once a vulnerability reaches a certain threshold of\r\nvisibility and impact, exploitation is no longer a probabilistic outcome, it is an operational assumption.\r\n12\n\n13\r\nSmash-and-grab and the compression of response time\r\nOverlaying all of this is the continued maturation of “smash-and-grab” extortion campaigns. Earlier\r\nresearch documented the initial shift toward these operations, where attackers prioritized speed over\r\npersistence and moved from initial compromise to data exfiltration in hours or even minutes. The 2025 data\r\nshows that this behavior was not a short-lived tactic but a durable operating model. What was emerging in\r\nprior years has now become routine, with attackers increasingly optimizing for rapid exploitation, immediate\r\naccess to sensitive data, and minimal dwell time rather than long-term footholds.\r\nThe specific vulnerabilities weaponized by ransomware campaigns in 2025 validate this operational\r\nshift, showing a ruthless concentration on file transfer logistics and network perimeters. 
Data from 2025\r\nconfirms ransomware focusing on CVEs such as CVE-2025-10035 in Fortra GoAnywhere MFT and CVE-2025-49704 in Microsoft SharePoint, both of which allowed attackers to bypass defenses and exfiltrate\r\nsensitive enterprise data rapidly. Simultaneously, the perimeter remained a primary battleground as\r\ngroups leveraged CVE-2025-0282 in Ivanti Connect Secure and CVE-2025-5777 in Citrix NetScaler as\r\nreliable initial access vectors. Notably, the root causes driving these ransomware-enabling flaws, primarily\r\ndeserialization (CWE-502) and authentication bypass, mirror the broader exploitation trends observed this\r\nyear. This confirms that ransomware operators are prioritizing the speed and reliability of these specific\r\nweakness classes to maximize extortion pressure.\r\nThis tactic aligns closely with the observed CWE patterns and ETR exploitation rates. It also explains why\r\ntraditional assumptions about dwell time, phased intrusion models, and gradual escalation are becoming\r\nless reliable.\r\nFrom a purely analytical standpoint, this forces a shift in how risk should be discussed. Vulnerability\r\nmanagement alone does not capture exposure. Exposure depends on asset role, network placement,\r\naccessibility, and how quickly anomalous behavior can be observed once exploitation begins.\r\nThis is where concepts like exposure management and managed detection and response become relevant,\r\nnot as products, but as responses to measurable changes in attacker behavior. The data suggests that\r\nunderstanding where a vulnerability exists and how quickly exploitation is detected now matters as much\r\nas the vulnerability itself.\r\nWhat the 2024–2025 comparison really tells us\r\nTaking a step back, the comparison between 2024 and 2025 points to a clear conclusion: the threat\r\nlandscape is not just expanding, it is accelerating. Predictive indicators are losing lead time. 
Exploitation is\r\nbecoming the default outcome for high-impact vulnerabilities. And attackers continue to concentrate on a\r\nnarrow set of reliable weakness classes.\r\nNone of this suggests that any single metric or control has failed. Instead, it highlights a growing mismatch\r\nbetween the speed of modern exploitation and defensive processes that were designed for slower cycles.\r\nThe challenge moving forward is less about identifying every vulnerability and more about understanding\r\nexposure, prioritizing realistically, and responding within increasingly compressed timelines. While the data\r\ndoes not suggest an easy fix, it clearly indicates that both delayed response and misinformed prioritization\r\nhave become increasingly costly.\n\n14\r\nRapid7’s incident response data and underground marketplace monitoring tell the same story from opposite\r\nends of the intrusion lifecycle.\r\nThe access types most frequently observed in our 2025 investigations are the same access types openly\r\nadvertised for sale on underground forums, reflecting a mature ecosystem in which access is systematically\r\nharvested, packaged, priced, and resold to ransomware affiliates and other threat actors.\r\nThreat actors have therefore industrialized access in a way that makes it no longer a byproduct of intrusion,\r\nbut a commodity.\r\nInitial access vectors and trends\r\nIncident response in 2025, as a whole, was dominated by specific initial access vectors and malware\r\ninfections. Missing or lax multi-factor authentication (MFA) accounted for 43.9% of all the incidents our\r\nteam observed last year, with vulnerability exploitation sitting in second place with 24.6%. Third place\r\ngoes to exposed services (7.0%), with fourth (5.3%) shared by brute force, SEO poisoning, and social\r\nengineering.\r\nWhile the downward trend in Figure 4 may appear positive at first glance, the Y axis is sobering. 
That’s\r\nbecause the MFA-related access vector took the top spot across nine of the previous twelve quarters (only\r\noccasionally coming second to vulnerability exploitation). Year-over-year data for 2024 to 2025 reveals a\r\nsteady decline across most quarters, generally, and a final drop in Q4 2025 resulting in a total for the last\r\nfour quarters down 7.4% YoY.\r\nTHE INDUSTRIALIZATION OF ACCESS\r\nFigure 4\r\n14\n\n15\r\nA deeper look at the year highlights additional important themes:\r\n• Perimeter Weakness: The exploitation of remote access services (VPNs, RDP) remained the most\r\nconsistent initial access vector throughout the year, heavily impacting SonicWall, Cisco, and\r\nFortiGate appliances.\r\n• Credential Dominance: Attackers moved beyond simple theft to sophisticated manipulation, utilizing\r\n\"Direct Send\" features for phishing and social-engineering help desks to bypass MFA.\r\n• Living Off the Land (LOTL): Threat actors consistently utilized legitimate administrative tools such\r\nas Impacket, Advanced IP Scanner, and WinSCP to mask their lateral movement and exfiltration\r\nefforts.\r\n• Ransomware Evolution: The threat landscape was dominated by the Akira, Cl0p, and Warlock\r\ngroups, with a clear trend toward \"Data Exfiltration as a Service,\" where data theft is executed prior\r\nto or alongside encryption.\r\n• MITRE Technique Progression: Based on the top 10 techniques observed, the landscape shifted\r\nfrom broad account compromise in the early part of 2025 to specific exploitation and impact in\r\nQ4 (Figure 5). 
Whereas the start of the year involved \"getting in\" via weak credentials and scanning\r\nfor secrets of repositories and cloud-services, the latter part of the year featured \"digging in\"\r\nby exploiting specific software flaws, manipulating identity controls (i.e., MFA), and executing\r\nhigh-impact ransomware explicitly.\r\nFigure 5\r\n15\r\nQ1 2025 Top 10 vs Q4 2025 Top 10\n\n16\r\nA deeper look at MITRE ATT\u0026CK TTPs\r\nAPTs are still very successful in compromising environments with spear phishing emails and attachments,\r\nbut now they have AI’s capabilities to assist them in making it even more convincing. This shows us that\r\nthe human factor in security risk is important to keep in mind and in check. See Figures 6 and 7, which\r\ndepict the MITRE ATT\u0026CK tactics, techniques, and procedures (TTPs) our observed threat actor groups\r\nare using in their events/attacks, and those that are being used by each industry sector.\r\n16\r\nFigure 6\r\nFigure 7\n\n17\r\nObserved malware and exploits\r\nMultiple vulnerabilities were seen to have been\r\nexploited across a number of 2025 incident\r\nresponse investigations. These ranged from the\r\ntargeting of super-admin privileges (CVE-2024-\r\n55591, FortiOS and FortiProxy authentication\r\nbypass) in Q1, to multiple Microsoft SharePoint\r\nvulnerabilities involving authentication, code\r\ninjection, and code execution in both Q3 and Q4\r\n(CVE-2025-49706, CVE-2025-49704, and CVE-2025-53770).\r\nElsewhere, vulnerabilities targeting SonicWall\r\nSonicOS (CVE-2024-40766), and SonicWall’s\r\nSSLVPN authentication mechanism (CVE-2024-\r\n53704) were observed in investigations across all\r\nquarters except Q1.\r\nMalware usage in 2025 solidified trends and\r\nnumbers we had observed in previous quarters.\r\nMalware as a Service (MaaS) phenomenon Bunny Loader accounted for 45.61% of all incidents involving\r\nmalware. 
To give a sense of scale, second place belonged to Infostealers with just 12.02% of the overall\r\ntotal. That’s not one specific Infostealer — that’s all of the Infostealers, including Katz, Filch, Strela, Vidar,\r\nand many more.\r\nThreat actor targets\r\nNorth America was the most heavily targeted region in 2025, appearing in 82.04% of observed incidents.\r\nEMEA was a distant second place with 13.97%, and APAC came third with 3.99%.\r\nThe most targeted industries in incident response engagements were manufacturing, business services,\r\nand retail. This follows trends seen elsewhere, with both business services and manufacturing featuring\r\nheavily in ransomware leak posts across 2025.\r\nManufacturing was most heavily targeted by malware, social engineering, and account compromise/\r\nBusiness Email Compromise (BEC). The top forms of malware include Bunny Loader, ClickFix,\r\nand trojanized/renamed tools. VPN with no MFA was observed across multiple incident response\r\ninvestigations.\r\nBusiness services attack vectors for 2025 mirror manufacturing, with malware, social engineering, and\r\naccount compromise/BEC being the most commonly seen. Bunny Loader, renamed remote access tools,\r\nSocGholish, and ClickFix were the top files observed.\r\nSocial engineering, malware, and BEC lead the way for retail. In terms of top malware, Bunny Loader is,\r\nof course, present, with NetSupportRAT, Raspberry Robin, and Mintstealer making up some of the other\r\ntop malware threats. VPN with no MFA was, as with manufacturing, observed in a majority of investigated\r\nincidents. 
Inconsistent MFA enforcement, and compromise via legitimate credentials, along with eventual\r\ndeployment of several ransomware strains, were all features of 2025 incident response.\n\n18\r\nSelling Access in the Underground Marketplace\r\nNow we pivot to Initial Access Brokers (IABs): specialized cybercriminals who compromise corporate\r\nnetworks to establish an initial foothold (e.g., a VPN account, RDP session, or web shell). IABs’ core\r\nbusiness is the sale of this unauthorized access to other criminal entities, most notably affiliates of\r\nRansomware-as-a-Service (RaaS) operations.\r\nThis specialization enables sophisticated ransomware groups to outsource the complex network\r\nintrusion phase, allowing them to focus their resources exclusively on extortion.\r\nIABs, often referred to as the \"digital real estate agents\" of the dark web, undertake the labor-intensive\r\ntask of exploiting vulnerabilities and then transacting verified access credentials on underground forums.\r\nTo get a better understanding of their patterns of exploitation, we browsed threads from the past six\r\nmonths published on the most notorious cybercrime forums: DarkForums, Breached, XSS, Exploit[.]in,\r\nand RAMP.\r\nThe most active forum in the past six months was DarkForums with 221 access offerings, followed by\r\nRAMP with 208 (Figure 8).\r\nFigure 8\n\n19\r\nDarkForums and RAMP were identified as the most concentrated source of activity for the exchange of\r\nnetwork access. Geographically, the United States remains the primary target, accounting for 30.9% of\r\nglobal illicit network access listings.\r\nIAB activity is primarily concentrated on sectors offering the highest potential for financial gain or\r\nintelligence acquisition. The most targeted industry verticals are government (14.2%), retail (13.1%), and\r\nInformation Technology (10.8%). 
Where the government sector is concerned, “admin panel” access is the\r\nmost commonly observed type offered, with DarkForums serving as the principal platform for this type of\r\nsale. Retail is an attractive target due to a combination of payment card information (PCI) and personally\r\nidentifiable information (PII), and the IT sector is similarly valuable to threat actors given its potential as a\r\nsupply chain vector for a wide range of targets.\r\nThe average alleged revenue of the organizations whose access is being sold in these forums topped $3.2\r\nbillion USD, and the average base price was $113,275.\r\nRemote Desktop Protocol (RDP) was the most frequently advertised access type, representing 21.2% of\r\nforum listings, followed by Virtual Private Network (VPN) at 12.8%, and RDWeb at 11.2%. These findings\r\nare consistent with our incident response observations, indicating that much of the access threat actors\r\nare achieving is likely ending up for sale in an IAB forum.\r\nPrivileged access adds value to the IAB’s sale. When we analyzed the various privilege types offered,\r\nwe found that the “domain user” and “domain admin” privilege levels were the most commonly offered,\r\ntogether accounting for roughly 75% of the privileges offered (Figure 9).\r\nFigure 9\n\n20\r\nThe sophistication of 2025's threats lies in their architecture. Adversaries are building resilience through\r\ndecentralized infrastructure, polymorphism via AI, and the co-opting of trusted platforms.\r\nState-nexus actors conceal themselves with ORB networks\r\nThe shift from traditional botnets to Operational Relay Box (ORB) networks represents a sophisticated\r\nevolution in cyber espionage. 
Throughout 2025, we observed a surge in ORB adoption, particularly by\r\nstate-nexus actors who require long-term, non-attributable access to sensitive targets.\r\nORB networks are made up of compromised edge devices, such as Small Office/Home Office (SOHO)\r\nrouters, firewalls, and IoT hardware, and are used as a private proxy mesh. While old-school botnets\r\nprioritize volume and \"noise\" to overwhelm targets, ORBs prioritize stealth, stability, and the obfuscation\r\nof state-sponsored activity.\r\nFurthermore, unlike a standard botnet used for DDoS attacks or spam, an ORB network is designed to act\r\nas a chameleon layer. It sits between the threat actor and their victim, making the malicious traffic look\r\nlike legitimate, everyday internet traffic originating from residential or small business IP addresses.\r\nFor example, the LapDogs ORB network is not a massive, noisy botnet. It consists of approximately 1,000\r\ncarefully selected high-bandwidth nodes, primarily compromised SOHO routers and Linux-based edge\r\ndevices from vendors like Ruckus, ASUS, and Mikrotik. These devices are used to proxy command traffic,\r\ncreating a non-attributable mesh network that routes traffic between the operator and the victim.\r\nThis \"just-in-time\" code generation creates a nightmare for traditional security operations:\r\n• Bypassing hash-based detection — Since\r\nthe payload is generated in real-time and\r\nexists only in memory, there is no static file\r\n(hash) for EDR tools to blacklist.\r\n• Defeating pattern matching — Standard\r\nbehavioral strings (like Get-WmiObject) are\r\nabsent. 
Because the AI varies its \"style\" for\r\nevery request, signature-based detection\r\nbecomes useless.\r\n• Creating a new detection frontier —\r\nDefenders can no longer look for \"what the\r\nmalware is.\" They must now look for \"what\r\nthe malware is doing\"; specifically, identifying\r\nthe anomaly of an unauthorized process\r\nquerying an AI API followed immediately by\r\ndynamic script execution.\r\nEXPOSURE SURFACES AS A STRATEGIC TERRAIN\n\n21\r\nCloud hijacking places a trojan in the meeting\r\nThe APT group Earth Kurma has pioneered a \"Living Off the App\" strategy by weaponizing Cisco Webex\r\nas a covert Command-and-Control (C2) infrastructure. Their specialized toolkit, consisting of DOWNBEGIN\r\nand SIMPOWEBEXSPY, treats Webex \"Rooms\" as virtual staging areas for espionage. DOWNBEGIN polls\r\nthese rooms via the legitimate Webex API to receive encoded instructions, while SIMPOWEBEXSPY\r\nautomates the theft of sensitive documents by uploading them as standard file attachments directly into\r\nthe collaboration platform.\r\nThis technique is exceptionally difficult to detect because the malicious activity is indistinguishable from\r\nroutine business operations. The traffic is encrypted, authenticated with valid API tokens, and destined for\r\ntrusted Cisco domains, allowing it to bypass standard firewalls and Data Loss Prevention (DLP) sensors. By\r\nhiding within the noise of daily enterprise communication, Earth Kurma ensures that their data exfiltration\r\nand command traffic appear as nothing more than legitimate employee collaboration.\r\nModern API and supply chain infrastructure weaponized\r\nAdversaries are increasingly exploiting GraphQL APIs, leveraging their inherent complexity and\r\nintrospection features to mask malicious intent. A major 2025 supply chain attack targeted this ecosystem\r\nvia the \"GraphQL Network Inspector\" Chrome extension. 
After hijacking the developer's account, threat\r\nactors pushed a malicious update (version 2.22.6) containing obfuscated scripts. These scripts silently\r\nharvested session cookies, API keys, and sensitive authentication tokens directly from the browsers of\r\ndevelopers using the tool to debug their own production environments.\r\nBeyond credential theft, attackers are also weaponizing the structural logic of these APIs to cripple\r\ninfrastructure. A notable exploit in GitLab (CVE-2025-12562) demonstrated how unauthenticated users\r\ncould bypass query complexity limits within the GraphQL API. By submitting deeply nested or resource-intensive queries that the system failed to properly throttle, attackers could trigger massive resource\r\nexhaustion. This effectively turned a sophisticated query language into a tool for highly efficient Denial of\r\nService (DoS) attacks against critical DevOps infrastructure.\r\nDedicated malware for ICS environments\r\nIn 2025, the emergence of FrostyGoop malware marked a chilling milestone in industrial control systems\r\n(ICS) warfare, as it became the first malware specifically tailored to disrupt physical infrastructure by\r\nmanipulating the Modbus TCP protocol. This malware was deployed in devastating cyber-physical attacks\r\nagainst district heating companies in Ukraine, cutting off essential heating services for civilians during sub-zero temperatures. Unlike traditional exploits that target software bugs, FrostyGoop targets the industrial\r\nprocess itself, sending legitimate Modbus commands to read and write to holding registers on controllers.\r\nBy altering these operational parameters, attackers can force industrial systems into unsafe states or\r\ntrigger complete shutdowns without ever tripping standard security alarms.\r\nThis evolution signifies a critical shift from Living Off the Land in IT environments to \"Living Off the\r\nProtocol\" in OT sectors. 
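The Modbus writes described above are protocol-compliant, so a defensive check has to reason about the values being written, not just about frame validity. The following is an added example, not code from the report or from any vendor it names: it parses a Modbus/TCP write request (function codes 0x06 and 0x10) and compares each written holding-register value against an engineering-defined safe range, flagging writes to registers nobody has documented as well. The register map, the unit ID, and the safe ranges are constructed assumptions for a heating controller; a real deployment takes them from the plant's process engineers.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Modbus function codes for holding-register writes (public protocol constants).
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_REGISTERS = 0x10

# Assumed safe envelope for a district-heating controller:
# (unit id, register address) -> (tag name, minimum, maximum).
# Constructed for this example; a real envelope comes from engineering documentation.
SAFE_ENVELOPE: Dict[Tuple[int, int], Tuple[str, int, int]] = {
    (1, 0): ("supply_water_setpoint_c", 40, 90),
    (1, 1): ("pump_speed_pct", 0, 100),
    (1, 2): ("burner_enable", 0, 1),
}


@dataclass
class RegisterWrite:
    unit_id: int
    start_address: int
    values: List[int]


def parse_modbus_tcp(frame: bytes) -> Optional[RegisterWrite]:
    """Parse a Modbus/TCP request and return the holding-register write it
    carries, or None for any other function code (reads are not inspected)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    # MBAP header: transaction id, protocol id (0 = Modbus), length, unit id.
    _tid, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    pdu = frame[7:]
    func = pdu[0]
    if func == FC_WRITE_SINGLE_REGISTER:
        if len(pdu) != 5:
            raise ValueError("malformed write-single-register request")
        addr, value = struct.unpack(">HH", pdu[1:5])
        return RegisterWrite(unit_id, addr, [value])
    if func == FC_WRITE_MULTIPLE_REGISTERS:
        if len(pdu) < 6:
            raise ValueError("malformed write-multiple-registers request")
        addr, qty, byte_count = struct.unpack(">HHB", pdu[1:6])
        if byte_count != 2 * qty or len(pdu) != 6 + byte_count:
            raise ValueError("write-multiple byte count does not match quantity")
        values = list(struct.unpack(f">{qty}H", pdu[6:]))
        return RegisterWrite(unit_id, addr, values)
    return None


def check_write(write: RegisterWrite, envelope=SAFE_ENVELOPE) -> List[str]:
    """Semantic check: every written value must land on a mapped register and
    inside that register's safe range. Writes to unmapped registers are flagged
    too, because a write nobody documented is itself worth an alert."""
    findings = []
    for offset, value in enumerate(write.values):
        addr = write.start_address + offset
        spec = envelope.get((write.unit_id, addr))
        if spec is None:
            findings.append(f"unit {write.unit_id} register {addr}: write of {value} to unmapped register")
            continue
        tag, low, high = spec
        if not low <= value <= high:
            findings.append(f"unit {write.unit_id} register {addr} ({tag}): {value} outside safe range {low}..{high}")
    return findings


def inspect_frame(frame: bytes, envelope=SAFE_ENVELOPE) -> List[str]:
    """A protocol-valid frame passes parsing; only the semantic check decides."""
    write = parse_modbus_tcp(frame)
    return [] if write is None else check_write(write, envelope)


# Frame builders used only to construct sample traffic for the demonstration.
def build_write_single(unit_id: int, addr: int, value: int, tid: int = 1) -> bytes:
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, addr, value)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


def build_write_multiple(unit_id: int, addr: int, values: List[int], tid: int = 1) -> bytes:
    pdu = struct.pack(">BHHB", FC_WRITE_MULTIPLE_REGISTERS, addr, len(values), 2 * len(values))
    pdu += struct.pack(f">{len(values)}H", *values)
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    samples = {
        "normal setpoint 70C": build_write_single(1, 0, 70),
        "setpoint 5C (valid frame, unsafe value)": build_write_single(1, 0, 5),
        "block write with pump at 200%": build_write_multiple(1, 0, [70, 200, 1]),
        "write to undocumented register": build_write_single(1, 9, 1),
    }
    for label, frame in samples.items():
        print(label, "->", inspect_frame(frame) or "ok")
```

Every sample frame above is well-formed Modbus and would be accepted by a compliance-only check; only the range comparison separates the normal setpoint from the unsafe one, which is the point of pairing protocol parsing with process knowledge.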
Because FrostyGoop uses authorized, standard commands, traditional security\r\ntools that only check for protocol compliance or known vulnerabilities are rendered ineffective. To counter\r\nthis threat, defenders must move toward semantic monitoring, analyzing not just whether a command is\r\n\"legal\" according to the protocol, but whether its intent is safe for the physical process. This shift requires\r\ndeep integration between cybersecurity monitoring and the engineering logic that governs industrial safety.\n\n22\r\nAI AS AN ACCELERATION LAYER\r\nIn 2025, generative AI shifted from “novel tooling”\r\nto a legitimate force-multiplier across the threat\r\nlandscape. What we saw most consistently wasn’t\r\nbrand-new “magic” attacks, it was adversaries\r\nbolting AI onto proven playbooks to move faster,\r\nscale wider, and reduce operator skill requirements.\r\nOpenAI’s threat reporting over 2025 characterized\r\nthis pattern clearly: models were used to accelerate\r\nphishing content creation, scripting, and iterative\r\nproblem-solving rather than unlock wholly new\r\noffensive capability. Others similarly documented\r\nbroad experimentation by both cybercrime and\r\ngovernment-backed actors with AI across the\r\nattack lifecycle (recon, initial access, development,\r\nand influence operations).\r\nMonitoring outbound calls to AI APIs, protecting\r\nAPI tokens, and logging agent and tool actions\r\nbecame core detective controls in 2025, not “nice-to-haves.” As adversaries began experimenting with adaptive and AI-assisted malware, SOCs increasingly\r\nfaced volumes and speeds of activity that exceeded human-only analysis. 
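The detective control the report singles out, an unauthorized process querying an AI API and then immediately launching dynamic script execution, can be expressed as a simple two-event correlation over endpoint telemetry. The following is an added example, not code from the report: it reads constructed JSON-lines process and network events, remembers which non-allowlisted processes contacted an LLM API, and alerts when one of them spawns a script host with inline script content inside a short window. The event schema, the host names and PIDs, the hostnames treated as AI API endpoints, and the allowlist of applications expected to call them are all assumptions that a real rule would take from the EDR's schema and the organisation's own inventory.

```python
import json
from datetime import datetime, timedelta
from typing import Dict, List

# Hostnames treated as LLM API endpoints. Illustrative; a production rule takes
# this list from the organisation's egress inventory.
AI_API_HOSTS = {"api.openai.com", "api.anthropic.com", "generativelanguage.googleapis.com"}
# Applications expected to talk to AI APIs (assumed allowlist: browsers and IDEs).
ALLOWLISTED_CALLERS = {"chrome.exe", "msedge.exe", "code.exe"}
# Script hosts whose launch right after an AI API call is the anomaly of interest.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line fragments that indicate inline, dynamically supplied script content.
INLINE_SCRIPT_MARKERS = ("-encodedcommand", "-enc ", "-command", "-c ", "invoke-expression", "iex ")
WINDOW = timedelta(seconds=60)

# Constructed endpoint telemetry (JSON lines). Hosts, PIDs and timestamps are
# made up for the example; the shape mimics a typical EDR event feed.
SAMPLE_EVENTS = """
{"ts": "2025-11-03T09:15:02", "host": "WS01", "event": "net_connect", "pid": 4120, "process": "updater.exe", "dest_host": "api.openai.com"}
{"ts": "2025-11-03T09:15:07", "host": "WS01", "event": "process_create", "pid": 5100, "ppid": 4120, "process": "powershell.exe", "cmdline": "powershell.exe -NoProfile -EncodedCommand <base64-redacted>"}
{"ts": "2025-11-03T09:20:00", "host": "WS02", "event": "net_connect", "pid": 777, "process": "code.exe", "dest_host": "api.openai.com"}
{"ts": "2025-11-03T09:20:03", "host": "WS02", "event": "process_create", "pid": 778, "ppid": 777, "process": "pwsh.exe", "cmdline": "pwsh.exe -c git status"}
{"ts": "2025-11-03T09:30:00", "host": "WS03", "event": "net_connect", "pid": 900, "process": "python.exe", "dest_host": "api.anthropic.com"}
{"ts": "2025-11-03T09:35:00", "host": "WS03", "event": "process_create", "pid": 901, "ppid": 900, "process": "powershell.exe", "cmdline": "powershell.exe -EncodedCommand <base64-redacted>"}
{"ts": "2025-11-03T09:36:00", "host": "WS04", "event": "process_create", "pid": 1200, "ppid": 1100, "process": "cmd.exe", "cmdline": "cmd.exe /c dir"}
"""


def parse_events(text: str) -> List[Dict]:
    """Parse JSON-lines telemetry and sort it by timestamp."""
    events = [json.loads(line) for line in text.splitlines() if line.strip()]
    for event in events:
        event["ts"] = datetime.fromisoformat(event["ts"])
    return sorted(events, key=lambda e: e["ts"])


def detect_ai_api_then_script(events: List[Dict], window: timedelta = WINDOW) -> List[Dict]:
    """Flag a process that contacts an AI API and, within `window`, spawns a
    script host carrying inline script content. Allowlisted callers are skipped."""
    last_ai_call = {}  # (host, pid) -> (timestamp, process name)
    alerts = []
    for event in events:
        if event["event"] == "net_connect":
            if event.get("dest_host") in AI_API_HOSTS and event["process"].lower() not in ALLOWLISTED_CALLERS:
                last_ai_call[(event["host"], event["pid"])] = (event["ts"], event["process"])
            continue
        if event["event"] != "process_create":
            continue
        parent_key = (event["host"], event.get("ppid"))
        if parent_key not in last_ai_call:
            continue
        call_ts, parent_name = last_ai_call[parent_key]
        cmdline = event.get("cmdline", "").lower()
        if (timedelta(0) <= event["ts"] - call_ts <= window
                and event["process"].lower() in SCRIPT_HOSTS
                and any(marker in cmdline for marker in INLINE_SCRIPT_MARKERS)):
            alerts.append({
                "host": event["host"],
                "parent_pid": parent_key[1],
                "parent": parent_name,
                "child": event["process"],
                "seconds_between": (event["ts"] - call_ts).total_seconds(),
                "cmdline": event.get("cmdline", ""),
            })
    return alerts


if __name__ == "__main__":
    for alert in detect_ai_api_then_script(parse_events(SAMPLE_EVENTS)):
        print(json.dumps(alert))
```

On the sample data only the WS01 sequence fires: the WS02 caller is an allowlisted IDE, and the WS03 script launch falls outside the 60-second window. The window, the marker list and the allowlist are the tuning knobs; the allowlist is where false positives from legitimate AI-enabled tooling are suppressed, so it deserves the same change control as any other detection exception.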
This shift reinforced the need for\r\ndefenders to embrace the same AI technologies, using machine learning and generative AI to triage alerts,\r\ncorrelate telemetry across domains, summarize investigations, and surface weak signals at machine speed.\r\nEffective defense in 2026 requires pairing traditional detection engineering with AI-augmented SOC\r\nworkflows, ensuring defenders can match adversary acceleration rather than fall behind it.\r\nThe AI attack surface expands faster than controls\r\nThe most dangerous aspect of AI in security isn’t only what attackers are doing today, but that the AI\r\nattack surface is exploding (agents, tool use, connectors, plugins, model servers, prompt pipelines) while\r\ndefenders struggle to inventory, test, and constrain it at the same speed. In practice, this leads to the\r\nfailure of classic security controls. Excessive privilege, exposed services, unsafe deserialization, weak\r\nsecret handling, all now appear inside LLM/agent stacks, often deployed quickly and operated by teams\r\nwithout mature security ownership.\r\nHere is where we’re currently seeing AI leveraged in real intrusions:\r\n• Social engineering at industrial scale — As noted in Figures 6 and 7, our observations show that AI\r\nhas materially improved speed and personalization of lures, especially multilingual phishing, pretexting,\r\nand “brand-accurate” impersonation. This aligns with public reporting that threat actors increasingly\r\nuse automation and AI tooling to make campaigns more convincing and to iterate quickly. In\r\nransomware ecosystems, multiple observers described automation (including AI-assisted workflows)\r\nshrinking the time from initial access to broader compromise, aka compressing the defender’s\r\nresponse window.\n\n23\r\n• Ransomware operations — AI is increasingly being embedded into ransomware workflows to refine\r\ntargeting, accelerate analysis of stolen data, and scale extortion operations. 
For example, the\r\nemergence of LAMEHUG, a toolset utilized by the threat actor Pawn Storm, marks a pivot toward\r\n\"generative espionage.\" By leveraging a \"Bring-Your-Own-AI\" (BYOAI) model, the malware moves\r\naway from static, predictable payloads toward polymorphic, AI-generated code that adapts in\r\nreal-time.\r\n• “Shadow AI” and data leakage: prompts became an asset — In 2025, “prompt/data exhaust”\r\nbecame a new collection surface as organizations adopted dozens of genAI tools. We saw increasing\r\ndiscussion of attackers targeting AI-related data stores and user interactions (e.g., exfiltrating\r\nchatbot conversations via malicious browser extensions), because those chat logs can contain\r\ncredentials, sensitive internal context, or step-by-step operational procedures.\r\nAI infrastructure vulnerabilities actively exploited\r\nWhile AI itself was rarely the direct exploit vector, AI infrastructure rapidly became a high-value target in\r\n2025. Model servers, orchestration frameworks, and LLM web interfaces were often deployed quickly,\r\nexposed to the internet, and secured like internal tooling, creating familiar but dangerous failure modes.\r\nThe most impactful vulnerability patterns we have observed across AI stacks include:\r\n• Unsafe deserialization and memory handling in model servers — Vulnerabilities in high-performance\r\ninference frameworks (e.g., vLLM and NVIDIA Triton) enabled denial-of-service conditions and, in\r\nsome cases, risked remote code execution through crafted requests or model artifacts.\r\n• Weak authentication and token exposure in LLM platforms — Self-hosted AI platforms and model\r\nrunners (such as Ollama-based deployments) exposed API tokens or allowed authentication bypass,\r\ncreating straightforward takeover paths when combined with default configurations.\r\n• Arbitrary file access in AI web interfaces — Popular AI front-ends and demo frameworks exposed\r\nfile-copy or file-read primitives, enabling attackers 
to stage sensitive data, crash services, or pivot to\r\nfurther compromise.\r\n• Serialization and injection flaws in agent and orchestration frameworks — Frameworks designed\r\nto “chain” tools and actions (e.g., LangChain ecosystems) inherited classic injection risks, made\r\nmore severe by the fact that LLM-generated content frequently crosses trust boundaries inside\r\napplications.\r\n• Supply chain compromise: The \"Postmark-MCP\" incident — Attackers have begun poisoning the\r\nMCP ecosystem. A malicious version of the postmark-mcp package (version 1.0.16 and higher) was\r\ndiscovered on npm. This package, intended to let AI agents send emails via Postmark, contained a\r\nbackdoor that secretly BCC'd every email sent by the AI agent to an attacker-controlled domain. This\r\nrepresents a \"rug pull\" attack where a trusted tool is weaponized post-deployment.\r\nAll of the above were not exotic bugs. They were well-understood vulnerability classes appearing in a\r\nnew, fast-moving technology stack that attackers increasingly view as soft, high-impact targets. As AI\r\nsystems become embedded into security operations, business workflows, and data processing pipelines,\r\nflaws in AI infrastructure increasingly represent privileged execution paths, not experimental side projects.\n\n24\r\nRANSOMWARE AS A DOWNSTREAM INCOME\r\nAccess isn’t all that’s for sale on the dark web. In 2025, 42% of our MDR incident response investigations\r\ninvolved ransomware, making it the single most common operational outcome observed.\r\nThe market for personally identifiable information (PII) is foundational to identity theft, with \"Fullz\" being\r\nthe primary commodity for fraudsters. These comprehensive identity packages contain a victim’s full name,\r\naddress, Social Security Number (SSN), and date of birth, typically selling for between $20 and $100 based\r\non the freshness of the data and the victim’s credit score. 
Individual identity components are sold at lower\r\ntiers, with standalone US SSNs priced from $1 to $6, while scanned identity documents such as driver's\r\nlicenses and passports command between $70 and $165 depending on the country of origin.\r\nFinancial data, particularly credit and debit card dumps, remains highly sought after for direct monetization.\r\nA standard US credit card with its CVV typically sells for $10 to $40, though cards verified to have high\r\ncredit limits (over $5,000) can fetch up to $120. Regional differences are significant; cards from the UK and\r\nGermany are often priced higher (up to $60) due to stricter fraud detection and rarer supply.\r\nIn early 2025, a massive breach involving 270,000 customer identities from a German electronics brand\r\nwas sold for a total of $250, illustrating how data saturation from large-scale leaks can drive bulk prices\r\ndown.\r\nSpecialized logins for online banking and cryptocurrency exchanges are valued for the immediate\r\nliquidity they provide. Access to a retail consumer's bank account is priced between $150 and $500,\r\nbut credentials for accounts with verified balances exceeding $100,000 can command several thousand\n\n25\r\ndollars. Similarly, verified crypto exchange accounts on platforms like Kraken or Coinbase sell for $120 to\r\n$1,170, with the highest prices paid for accounts that are fully \"laundering ready\" and have high-level Know\r\nYour Customer (KYC) verification.\r\nOur observations indicate that the trade has increasingly shifted toward \"infostealer logs,\" which harvest\r\nentire browser environments, including saved passwords and session cookies. These logs sell for an\r\naverage of $10 each and are particularly dangerous because stolen cookies allow attackers to bypass\r\nmulti-factor authentication (MFA) by hijacking active sessions. 
This market is now highly industrialized, with\r\ncriminals purchasing \"bulk cloud subscriptions\" for $200 to $500 per month to receive a continuous stream\r\nof fresh logs delivered via private Telegram channels.\r\nLeak site posts convert ransomware to income\r\n2025 was a year of continued escalation and power-base solidification by major ransomware threat actors.\r\nOne last burst of activity at the end of the year served to push leak post numbers higher than they’d been\r\nup to that point, edging out Q1’s high of 1,611 with a Q4 close of 1,661. This more than made up for Q2’s\r\nslight dip of 871, with Q3 bouncing back up to 943.\r\nThis increase in leak posts was accompanied by Ransomware-as-a-Service (RaaS) and double extortion\r\ncementing themselves as go-to tactics for threat actors large and small. The emergence of “collectives”\r\n(experienced threat actors joining forces and layering their expertise in initial access, ransomware\r\ndeployment, and data exfiltration) has become a persistent cause for concern when planning out defensive\r\nstrategies.\r\nKey industries have remained under fire all year long, with threat actors particularly focused on healthcare,\r\nbusiness services, and manufacturing where double extortion is concerned.\r\nQilin leak post total far surpasses other top ransomware groups\r\nWe’re able to learn a lot by tracking the groups making the greatest number of leak site posts. The top 10\r\nransomware groups of 2025 (Figure 10) reflect the trends Rapid7 has observed over much of the previous\r\n12 months.\r\nFigure 10: Top 10 ransomware groups by number of extortion attempts (number of leak site posts by group), Jan 1 - Dec 31, 2025. Qilin leads with 1,029 posts; the remaining nine groups shown (Akira, Cl0p, Play, SafePay, INC Ransom, KillSec, Lynx, RansomHub, and DragonForce) range from 640 down to 222 posts.\n\n26\r\nIn February 2025, Qilin began moving up the ranks\r\namong our top 10 ransomware groups. 
It reached\r\nthe number one spot in May and maintained that\r\nposition, with the exception of a brief overtaking by\r\nCl0p in November, for the remainder of the year.\r\nQilin’s double-extortion tactics, combined with a\r\nsuccessful RaaS business model, are making it a\r\nsignificant threat. The cost to victims has ranged\r\nfrom exfiltration of large amounts of sensitive\r\ninformation, to disruption and shutdown of services\r\nin the most severe cases.\r\nOverall, we saw an average of 56 active groups\r\nper month in 2025, with 140 unique active groups\r\nin the entire dataset (versus 102 unique groups in\r\n2024), and 78 new groups not seen previously. The\r\ntotal number of posts overall rose from 6,034 in\r\n2024 to 8,835 in 2025, a rise of 46.4%. The number\r\nof unique ransomware groups grew from 102 in 2024 to 140 in 2025, with average posts per group also\r\nincreasing slightly: 59.2 posts per group in 2024, versus 63.1 posts per group in 2025.\r\nThis 2025 data highlights the continued expansion of the ransomware ecosystem, thanks to numerous\r\nthreat actors entering the space alongside a notable rise in leak post output. There is no slowing down\r\nhere; rather, there is a sustained pace of operations and a dynamic, always-shifting edge to the groups\r\nthemselves. With so many threat actor specializations to contend with, smart use of accurate ransomware\r\nthreat intelligence has never been more important.\r\nBusiness services, manufacturing, and healthcare a prime target\r\nBusiness services, manufacturing, and healthcare retain the same top three places from Q3, broadening\r\nthese positions out into the top three targeted industries across 2025. Construction and technology are in\r\nfourth and fifth place, with legal, finance, and retail taking the next three places. Hospitality and education\r\nround out the most popular industry targets of 2025.\r\nThe top regional targets of 2025 solidify what Rapid7 analysis has evidenced all year long. 
The US is, by\r\nfar, the most heavily targeted region of 2025 with 70% of all observed leak posts. Second place goes to\r\nCanada (6%), with the UK and Germany both sitting at 5%.\r\nThreat actors know they stand the best chance of big payouts by targeting US sectors that are wealthy,\r\nprovide critical services, or form important pieces of supply chains. A supply chain attack specifically\r\ncould ripple out across countless other industries and services. Sectors filled with legacy or\r\nbespoke systems that aren’t easily upgradeable due to cost or complexity will also be appealing\r\ntargets.\r\nThe healthcare, education, manufacturing, and business services sectors contain significant amounts of\r\nsensitive data, financial information, and business critical data, all of which command high prices during\r\ndouble-extortion negotiations. Many of the top threat actors listed have displayed a fondness for these\r\nsectors for several years, and this is unlikely to change.\n\n27\r\nThe RaaS ecosystem matures and industrializes\r\nA top-level trend Rapid7 has observed over time has been the continued industrialization and maturation\r\nof the cybercrime ecosystem. Nowhere has this progression been more pronounced than in ransomware-as-a-service (RaaS). This trend is characterized by a professionalized supply chain, increasing tactical\r\nsophistication, and sharpened focus on high-value exploits.\r\nGroups shift from slick branding to tactical evasion\r\nWhile law enforcement continued to raise the temperature on ransomware groups, some threat actors\r\nattempted to dial down the heat. In H1, Rapid7 Labs observed that new groups were using glossy branding\r\nand splashy attacks to gain visibility, and perhaps be snapped up by major RaaS operations. Anubis, with\r\nslick branding and social media hyping of attacks, stood out in this regard. 
H2 saw a reversal of this trend,\r\nwith newer and smaller groups removing URLs and other identifiers from their data leak teasing.\r\nPerhaps these groups wanted to evade law enforcement action, or simply avoid being infiltrated and\r\ndetailed by security researchers. Whatever the reason, some groups chose to deliberately end the year with\r\na visibility whimper, instead of a bang.\r\nRaaS and double-extortion tactics maximize gains\r\nWe observed many ransomware groups leaning heavily on favored tactics in 2025. Some allowed their\r\naffiliate networks to do the talking, while others ventured into the cloud, or advertised their wares on\r\nauction sites to maximize ill-gotten gains.\r\nRaaS and double extortion were firm favorites, featuring heavily in every quarter’s Top 10. Almost every\r\nthreat actor in 2025’s overall Top 10 makes use of one or both, with few exceptions. The primary standout\r\nhere is SafePay, a group originating in 2024 which avoids RaaS entirely in favor of running its own self-contained operation.\r\nWhile RaaS-free and fileless ransomware groups will continue to gather victims, RaaS is currently the\r\ndominant force among ransomware threat actors. This will almost certainly be the case for some time to\r\ncome, as threat actors invested in this approach continue to refine their tactics and expand their operations.\r\nAffiliate drift and collaboration make for uneasy extortion alliances\r\nAffiliate drift and alliances which seemed as though they may break at any moment were observed\r\nthroughout 2025, likely spurred on by restructuring activities. Many affiliates moved to RaaS offerings,\r\nencouraged by features such as Qilin’s “call a lawyer” service, or Lynx’s slick affiliate sections containing\r\nvictim profiles, executable archives, and news pages.\r\nThreat actors which largely operated alone, or were not particularly known for collaboration, started to\r\npool resources and work together. 
This is perhaps best illustrated by the formation of “Scattered LAPSUS$\r\nHunters,” a collective made up of Scattered Spider, ShinyHunters, and LAPSUS$. Each of these groups\r\noffered up unique skills and specializations, from phishing to data exfiltration, and their group — sometimes\r\nreferred to as an “extortion alliance” — was responsible for many major breaches worldwide.\r\nSome groups, most notably DragonForce and Cicada3301, reduced fees or more general barriers to entry, in\r\nan effort to attract new affiliates. It’s not unheard of for affiliates to go rogue, generating unwanted attention\r\nfor RaaS operations either through visible activity or leaking internal secrets. This brittle environment, made\r\nmore confusing by infighting and power struggles (DragonForce’s “hostile takeover” of RansomHub in Q2,\r\nfor example), made for a tense 2025.\n\n28\r\nFigure 11\r\nHigh-profile exploits of the cloud, ESXi, and major enterprise suites\r\nElsewhere, threat actors made use of open source software such as TruffleHog, a tool designed to detect\r\nand highlight insecurely stored credentials in GitHub repositories, to hunt down cloud credentials. The\r\nRapid7 Incident Response team observed two examples of Crimson Collective making use of TruffleHog\r\nin September, creating new users and escalating privileges once inside the network. ESXi, VMware’s bare-metal hypervisor software, also became a popular target.\r\nCl0p made waves with a devastating coordinated campaign which targeted users of Oracle’s E-Business\r\nsuite. The latter involved potentially months of undetected access, and emails sent to targets threatening\r\nto leak stolen data. Curiously, the exploit likely used in these attacks may have been leaked in a Telegram\r\nchannel accidentally.\r\nWe observed threat actors favoring initial access techniques leaning toward rapid data exfiltration and\r\nheightened pressure for the victims, as highlighted earlier in this report. 
From ransomware to incident\r\nresponse, software that enables file sharing, transfer, and collaboration is frequently a key target in the\r\nrace to breach the network and extract business critical data.\r\nData auctions have also become part and parcel of some threat actors’ strategy, most notably Rhysida and\r\nWarlock, which combine double extortion with the threat of selling off stolen data if ransom demands are\r\nnot met.\r\nAn underground market for tools of the trade\r\nThreat actors generate additional income by offering their exploits, tools, services, and malware at a price\r\non the underground market.\r\nThe 2025 ecosystem for cybercrime tools is defined by professionalized \"Malware-as-a-Service\" (MaaS)\r\nplatforms that lower the technical barrier to entry. A prominent example is \"Olymp Loader,\" an assembly-based malware that surfaced in mid-2025 and is marketed for its anti-analysis and anti-detection\r\ncapabilities. These tools are sold via subscription models on forums like XSS and HackForums, providing\r\nattackers with modular features such as stager generators, botnet management, and built-in stealer\r\nmodules for browser data and cryptocurrency wallets.\r\nHigh-end exploit chains for zero-day vulnerabilities command the highest prices in the subterranean\r\neconomy, often used by state-sponsored actors and sophisticated ransomware groups. Exploit brokers like\r\nCrowdfense currently pay between $5 million and $7 million for zero-click full-chain exploits for iPhone or\r\nAndroid devices. Remote code execution (RCE) vulnerabilities in desktop browsers like Chrome and Safari are\r\nalso highly valued, with prices ranging from $2 million to $3.5 million. An exploit targeting a vulnerability in the\r\nOracle E-Business Suite (CVE-2025-61882) was observed being offered for sale in the RAMP forum (Figure 11).\n\n29\r\nCVE-2025-61882 represents a critical vulnerability within the Oracle E-Business Suite (versions 12.2.3–\r\n12.2.14). 
This flaw enables unauthenticated attackers to execute arbitrary code through HTTP, thereby\r\nenabling complete system compromise. The vulnerability has been exploited as a zero-day by Cl0p to\r\nexfiltrate financial and human resources data for subsequent extortion attempts.\r\nTo evade modern security solutions, attackers utilize fully undetectable (FUD) “crypters” (aka encrypters)\r\nwhich obfuscate malicious code to bypass EDR and antivirus detection. These crypters typically cost\r\naround $100 for a monthly subscription, though specialized versions like \"Nightmangle\" offer lifetime\r\naccess for $999 and include a 24-hour trial period. Some crypters are specifically advertised for their\r\nability to bypass major defenses like Windows Defender, Kaspersky, and ESET.\r\nResilient hosting is provided by bulletproof hosting (BPH) providers who ignore abuse complaints and\r\nlegal requests. These providers often utilize advanced techniques like fast-flux BGP and ASN hijacking\r\nto maintain uptime, with servers located in nuclear-protected bunkers in jurisdictions like Russia and the\r\nNetherlands. Bulletproof VPS hosting is sold at a premium, typically costing $20 to $50 per month, which\r\nis significantly higher than the $2 to $10 charged for legitimate commodity hosting services.\r\nHow to stay out of ransomware’s cross-hairs in 2026\r\nTactics used by ransomware threat actors in 2025 did not change significantly in terms of innovation\r\nor a unique evolution of techniques. If anything, the favoritism shown toward certain intrusion methods\r\nindicates key areas where defenders can focus their attention in 2026.\r\n• Social engineering is a popular choice for major ransomware threat actors, as well as being a key\r\ntactic deployed against the top targeted sectors in Rapid7’s incident response data. 
Locking down\r\nthe help desk, as well as limiting high-risk password resets, will both help here.\r\n• Making strict use of correctly configured MFA controls for critical systems, remote access points, and\r\nprivileged accounts will (for example) prevent attackers from gaining easy access via insecure RDP\r\nand VPN. Limit push attempts and enable number matching to ward off MFA fatigue attacks.\r\n• Spam filtering will help to reduce ransomware attacks pinned to social engineering, and user\r\nawareness training will educate users about the risks of convincingly crafted emails bearing malicious\r\nattachments. Training will also help in the fight against Business Email Compromise (BEC), often\r\ndeployed against specific industries as observed in Rapid7 Incident Response investigations.\r\n• Network edge devices are a favored method of initial access for many types of threat actors, and\r\nransomware groups are no exception. Continuous patch management, prioritizing fixes by known\r\nexploitation and by potential risk to your organization, is key.\r\n• While data may be exfiltrated despite your best efforts, knowing business operations won’t crash\r\nto a halt thanks to backups — and knowing you won’t need to pay a ransom — will help you\r\nthrough the early stages of a confirmed breach. Implementing immutable backups, regularly testing\r\nrecovery procedures, and ensuring backups are isolated from the production network will make all\r\nthe difference. 
So too will being able to rapidly invalidate active sessions and tokens, and forcing\r\nenterprise-wide password resets alongside maintaining control of help desk password resets.\n\n30\r\nEMBEDDED ACCESS AND PRE-POSITIONING\r\nCREATES GEOPOLITICAL WAVES\r\nThe cyber threat landscape of 2025 marks a definitive departure from the paradigms of previous decades.\r\nWe are no longer observing a distinct separation between state-sponsored espionage and destructive\r\ncyber warfare, nor are we seeing a clear delineation between advanced persistent threats (APTs) and the\r\ntools of cybercrime.\r\nInstead, 2025 has been defined by the convergence of these domains into a unified theater of hybrid\r\noperations.\r\nNation-state activities highlight a shift to pre-positioning\r\nof assets\r\nNation-state actors, particularly those aligned with the People's Republic of China (PRC) and the\r\nRussian Federation, have shifted their operational focus from pure intelligence gathering to the strategic\r\npre-positioning of assets within critical infrastructure for the kinetic effects. 
Simultaneously, the\r\ndemocratization of advanced offensive capabilities — fueled by the weaponization of artificial intelligence\r\n(AI) and the proliferation of \"One-Day\" exploits — has empowered cybercriminal syndicates to execute\r\nintrusions with state-like sophistication.\r\nChina is guided by a doctrine of pre-positioning, which involves embedding persistent access into critical\r\ninfrastructure for intelligence collection today and optional disruption during future geopolitical crises.\r\nThe Volt Typhoon group exemplifies this by using extreme operational security and Living Off the Land\r\ntechniques to maintain stealthy persistence within critical sectors like energy and telecommunications,\r\naiming for covert footholds rather than immediate sabotage.\r\nFurther illustrating China's focus on deep\r\naccess, Salt Typhoon targets the global\r\ntelecommunications backbone, including lawful\r\ninterception systems, to conduct large-scale\r\ntraffic collection without deploying noisy endpoint\r\nmalware. Other groups like Earth Kurma and\r\nSuperjumpers blend espionage with legitimate\r\ncloud service abuse, leveraging platforms like\r\nCisco Webex and Operational Relay Box (ORB)\r\ninfrastructure to create encrypted command-and-control (C2) channels embedded within normal\r\nenterprise workflows.\r\nRussian cyber operations integrate sustained\r\nintelligence collection with the preservation\r\nof disruptive capabilities. Intelligence-focused\r\ngroups like APT29 refine cloud-centric intrusion\n\n31\r\ntechniques, utilizing credential theft, access token abuse, and manipulation of trusted SaaS and identity\r\nrelationships to achieve extended dwell times with minimal forensic footprint. 
This includes campaigns\r\nthat leverage Microsoft 365 device-code authentication abuse to capture access without traditional\r\npassword-based intrusion paths.\r\nThe evolution of Russian tradecraft is seen in Pawn Storm (APT28), which now uses LAMEHUG malware\r\nto dynamically generate command-line instructions via Large Language Model (LLM) APIs, effectively\r\nreducing static signatures. Meanwhile, military-aligned actors like Sandworm focus on strategic sabotage,\r\ndeploying destructive tools like PathWiper to target critical infrastructure, reinforcing the concept of\r\noperational readiness as a key component of their integrated power model.\r\nIranian nexus threat actors show increased operational adaptability, with a recurring emphasis on\r\nexploiting internet-facing infrastructure, network-edge devices, and cloud-hosted services. These paths\r\nprovide access in environments with reduced defensive visibility, supporting extended dwell times. Their\r\ncampaigns prioritize persistent access, intelligence collection, and strategic positioning through the rapid\r\nrotation of C2 and the use of compromised third-party hosting.\r\nNorth Korean (DPRK) activities are structurally distinct, driven primarily by financial generation and\r\nsanctions evasion alongside intelligence objectives. Their defining feature is a heavy reliance on people-centric access — such as developer-focused social engineering, recruitment lures, and fake job offers\r\n— to compromise individuals. This approach enables direct financial theft, as seen in the $1.5 billion Bybit\r\ntheft, and also introduces downstream supply-chain risk via trojanized coding assessments.\r\nFinally, DPRK groups like Earth Kumiho (Kimsuky) emphasize \"Weapons on the Cloud,\" hosting encrypted\r\npayloads in public GitHub repositories and using legitimate SaaS platforms such as Dropbox for C2 and\r\nexfiltration. 
This tactic embeds their malicious traffic within normal, encrypted enterprise cloud usage,\r\neffectively rendering traditional network-based blocking largely ineffective and sustaining their espionage\r\nand financial extraction at scale.\n\n32\r\nFigure 12\n\n33\r\nHacktivists and politically motivated actors are\r\nprofessionally crowdsourced\r\nAlongside state-aligned operations, 2025 featured sustained and highly visible activity from geopolitically\r\naligned hacktivist ecosystems, particularly during periods of heightened international tension. Pro-Russian\r\ndenial-of-service collectives, notably NoName057(16), conducted repeated and coordinated campaigns\r\ntargeting government portals, public-sector services, election-related infrastructure, transportation-related systems, and media organizations across multiple European countries. Activity patterns frequently\r\naligned with geopolitical flashpoints, including elections, sanctions announcements, and security-related\r\nincidents.\r\nWhile these operations historically relied on volumetric DDoS tactics, late 2025 saw a shift toward more\r\nsophisticated application-layer (Layer 7) attacks. By targeting specific functions of web applications rather\r\nthan just flooding bandwidth, these groups successfully bypassed traditional Content Delivery Network\r\n(CDN) protections. This evolution, fueled by the DDoSia project, signals a transition from a \"limited\r\ntechnical sophistication\" model to a \"crowdsourced professional\" model. Despite the lack of deep lateral\r\nmovement or persistence, these campaigns generated a measurable operational impact, including service\r\noutages, public-facing disruptions, and a sustained incident-response burden for affected organizations.\r\nAn emerging arena of strategic competition\r\nLooking toward 2026 and beyond, geopolitical cyber risk will be shaped less by isolated crises and\r\nmore by a world entering a prolonged period of instability. 
Multiple regions are already volatile, and\r\ncurrent and emerging conflicts will increasingly spill into the digital domain, directly affecting global\r\ndigital infrastructures. Cyberspace is no longer a secondary theater but a permanent arena of strategic\r\ncompetition, where state-aligned actors seek long-term advantage by degrading resilience, shaping\r\ninfluence, and positioning themselves for future escalation.\r\nAs instability deepens, cyber operations will grow more virulent and systemic in nature. Rather than\r\nfocusing on individual organizations, adversaries will exploit global interdependencies, fragile supply\r\nchains, shared platforms, identity systems, and edge infrastructure to achieve persistent access while\r\nminimizing attribution and escalation risks. Disrupted trade routes, contested maritime corridors, and\r\nenergy chokepoints will further elevate logistics, transportation, and industrial ecosystems as high-value\r\ncyber targets used to apply economic and political pressure rather than immediate disruption alone.\r\nAt the same time, the rapid deployment of autonomous and semi-autonomous AI systems will expand the\r\nattack surface through poorly governed machine identities and opaque processes. These weaknesses\r\nwill increasingly be leveraged as strategic enablers within broader geopolitical campaigns. In response,\r\norganizations and governments alike will continue to prioritize geopolitically driven cyber risk, accelerating\r\nmoves toward identity-centric security, resilience-focused architectures, and, in some regions, tighter\r\nsovereign control over critical digital infrastructure.\n\n34\r\nTHE PATH FORWARD: FROM REACTIVE DEFENSE\r\nTO EXPOSURE MANAGEMENT\r\nThe 2026 cyber threat landscape is all about acceleration, fundamentally changing the defender’s\r\noperational calculus. The balance of power has shifted from one defined by speed of response to one\r\ndefined by speed of exploitation. 
Our findings confirm that the statistical buffer between vulnerability\r\ndisclosure and confirmed exploitation (i.e., the \"predictive window\") has materially collapsed. High-impact\r\nvulnerabilities are now operationalized almost immediately, a trend evidenced by the 105% increase in\r\nconfirmed CVSS 7–10 exploitation year over year. Risk is no longer an accumulation of latent debt; for the\r\nmost critical flaws, it is an immediate, realized event. This seismic shift highlights a growing mismatch\r\nbetween the velocity of modern threats and defensive processes designed for slower, more predictable\r\ncycles.\r\nThis acceleration is enabled by two primary forces: the industrialization of the cybercrime ecosystem\r\nand the pervasive adoption of AI. Initial access brokers have commoditized pre-authentication access,\r\nallowing ransomware collectives to bypass the complex intrusion phase and focus on smash-and-grab\r\ndata monetization. Simultaneously, adversaries have strategically pivoted to high-value, exposed surfaces\r\nsuch as identity systems, cloud control planes, and collaboration platforms, blurring the line between\r\nlegitimate and malicious activity. AI is bolting speed and scale onto these proven playbooks, accelerating\r\nsocial engineering, shrinking the dwell time of ransomware operations, and dynamically expanding the\r\nattack surface within fast-moving AI infrastructure itself.\r\nTo effectively manage cyber risk in 2026, organizations must adopt a fundamental mindshift toward\r\npreemptive security. This means moving beyond a reactive, volume-based vulnerability management\r\napproach and embracing an exposure management model focused on informed prioritization and\r\nanticipation.\r\nBy reducing the known, preventable conditions attackers monetize before exploitation occurs, defenders\r\ncan regain a measure of control. 
The data unequivocally proves that delayed response and misinformed\r\nprioritization are no longer merely costly; they are increasingly determinative of a breach. Success will\r\nbe defined by the capacity to connect technical exposure to business impact and apply AI-augmented\r\nworkflows to match the adversary’s machine speed.\n\nSECURE YOUR\r\nCloud | Applications | Infrastructure | Network | Data\r\n© RAPID7 2026 V1.0\r\nACCELERATE WITH\r\nCommand Platform | Exposure Management |\r\nAttack Surface Management | Vulnerability Management |\r\nCloud-Native Application Protection | Application Security |\r\nNext-Gen SIEM | Threat Intelligence | MDR Services |\r\nIncident Response Services | MVM Services\r\nSECURITY BUILT TO\r\nOUTPACE ATTACKERS\r\nTry our security platform risk-free -\r\nstart your trial at rapid7.com\r\nABOUT RAPID7\r\nRapid7, Inc. (NASDAQ: RPD) is a global leader in AI-powered managed cybersecurity operations, trusted to advance\r\norganizations’ cyber resilience. Open and extensible, the Rapid7 Command Platform integrates security data,\r\nenriching it with AI, threat intelligence, and 25 years of expertise and innovation to reduce risk and disrupt attackers.\r\nAs a recognized leader in preemptive managed detection and response (MDR), Rapid7 unifies exposure and detection\r\nto transform the cybersecurity operations of more than 11,500 customers worldwide. For more information, visit our\r\nwebsite, check out our blog, or follow us on LinkedIn or X.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"pdf"
	],
	"references": [
		"https://www.rapid7.com/cdn/assets/bltc1ddd6561ab54a26/69ba67de50ca691edcd3f5b7/rapid7-threat-landscape-report-2026.pdf"
	],
	"report_names": [
		"rapid7-threat-landscape-report-2026.pdf"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-29T06:58:56.876406Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-29T06:58:58.007866Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "846522d7-29cb-4a0c-8ebe-ffba7429e2d7",
			"created_at": "2023-06-23T02:04:34.793629Z",
			"updated_at": "2026-04-29T06:58:58.270898Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Bronze Silhouette",
				"Dev-0391",
				"Insidious Taurus",
				"Redfly",
				"Storm-0391",
				"UAT-5918",
				"UAT-7237",
				"UNC3236",
				"VOLTZITE",
				"Vanguard Panda"
			],
			"source_name": "ETDA:Volt Typhoon",
			"tools": [
				"FRP",
				"Fast Reverse Proxy",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"Living off the Land"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8e1bae2f-2a21-4ba8-a6f1-42155f96aec8",
			"created_at": "2022-10-25T16:07:23.645758Z",
			"updated_at": "2026-04-29T06:58:57.892885Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Ajax Security Team",
				"Flying Kitten",
				"G0130",
				"Group 26",
				"Operation Saffron Rose"
			],
			"source_name": "ETDA:Flying Kitten",
			"tools": [
				"Stealer"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-29T06:58:56.647929Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-29T06:58:57.587988Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d90307b6-14a9-4d0b-9156-89e453d6eb13",
			"created_at": "2022-10-25T16:07:23.773944Z",
			"updated_at": "2026-04-29T06:58:57.977922Z",
			"deleted_at": null,
			"main_name": "Lead",
			"aliases": [
				"Casper",
				"TG-3279"
			],
			"source_name": "ETDA:Lead",
			"tools": [
				"Agentemis",
				"BleDoor",
				"Cobalt Strike",
				"CobaltStrike",
				"RbDoor",
				"RibDoor",
				"Winnti",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "be5097b2-a70f-490f-8c06-250773692fae",
			"created_at": "2022-10-27T08:27:13.22631Z",
			"updated_at": "2026-04-29T06:58:57.759076Z",
			"deleted_at": null,
			"main_name": "LAPSUS$",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"Strawberry Tempest"
			],
			"source_name": "MITRE:LAPSUS$",
			"tools": [
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d4b9608d-af69-43bc-a08a-38167ac6306a",
			"created_at": "2023-01-06T13:46:39.335061Z",
			"updated_at": "2026-04-29T06:58:56.518404Z",
			"deleted_at": null,
			"main_name": "LAPSUS",
			"aliases": [
				"LAPSUS$",
				"DEV-0537",
				"SLIPPY SPIDER",
				"Strawberry Tempest",
				"UNC3661",
				"Lapsus"
			],
			"source_name": "MISPGALAXY:LAPSUS",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-29T06:58:57.795751Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "6608b798-f92b-42af-a93f-d72800eeb3a3",
			"created_at": "2023-11-30T02:00:07.292Z",
			"updated_at": "2026-04-29T06:58:56.71531Z",
			"deleted_at": null,
			"main_name": "DragonForce",
			"aliases": [],
			"source_name": "MISPGALAXY:DragonForce",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "222835b0-22fb-406e-8fd5-f36dae694212",
			"created_at": "2025-06-29T02:01:56.985922Z",
			"updated_at": "2026-04-29T06:58:57.863951Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "ETDA:Earth Kurma",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"DMLOADER",
				"DUNLOADER",
				"KRNRAT",
				"Moriya",
				"ODRIZ",
				"SIMPOBOXSPY",
				"TESDAT",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8c8fea8c-c957-4618-99ee-1e188f073a0e",
			"created_at": "2024-02-02T02:00:04.086766Z",
			"updated_at": "2026-04-29T06:58:56.786897Z",
			"deleted_at": null,
			"main_name": "Storm-1567",
			"aliases": [
				"Akira",
				"PUNK SPIDER",
				"GOLD SAHARA"
			],
			"source_name": "MISPGALAXY:Storm-1567",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-29T06:58:56.803236Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"RedMike",
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "843f4240-33a7-4de4-8dcf-4ff9f9a8c758",
			"created_at": "2025-07-24T02:05:00.538379Z",
			"updated_at": "2026-04-29T06:58:57.518246Z",
			"deleted_at": null,
			"main_name": "GOLD FLAME",
			"aliases": [
				"DragonForce"
			],
			"source_name": "Secureworks:GOLD FLAME",
			"tools": [
				"ADFind",
				"AnyDesk",
				"Cobalt Strike",
				"FileSeek",
				"Mimikatz",
				"SoftPerfect Network Scanner",
				"SystemBC",
				"socks.exe"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-29T06:58:56.587412Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scatter Swine",
				"Storm-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Octo Tempest",
				"0ktapus",
				"DEV-0971",
				"UNC3944",
				"Scattered Swine"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "5b748f86-ac32-4715-be9f-6cf25ae48a4e",
			"created_at": "2024-06-04T02:03:07.956135Z",
			"updated_at": "2026-04-29T06:58:57.544055Z",
			"deleted_at": null,
			"main_name": "IRON HEMLOCK",
			"aliases": [
				"APT29 ",
				"ATK7 ",
				"Blue Kitsune ",
				"Cozy Bear ",
				"The Dukes",
				"UNC2452 ",
				"YTTRIUM "
			],
			"source_name": "Secureworks:IRON HEMLOCK",
			"tools": [
				"CosmicDuke",
				"CozyCar",
				"CozyDuke",
				"DiefenDuke",
				"FatDuke",
				"HAMMERTOSS",
				"LiteDuke",
				"MiniDuke",
				"OnionDuke",
				"PolyglotDuke",
				"RegDuke",
				"RegDuke Loader",
				"SeaDuke",
				"Sliver"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T06:58:57.705351Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "910b38e9-07fe-4b47-9cf4-e190a07b1b84",
			"created_at": "2024-04-24T02:00:49.516358Z",
			"updated_at": "2026-04-29T06:58:57.756962Z",
			"deleted_at": null,
			"main_name": "Akira",
			"aliases": [
				"Akira",
				"GOLD SAHARA",
				"PUNK SPIDER",
				"Howling Scorpius"
			],
			"source_name": "MITRE:Akira",
			"tools": [
				"Mimikatz",
				"PsExec",
				"AdFind",
				"Akira _v2",
				"Akira",
				"Megazord",
				"LaZagne",
				"Rclone"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2347282d-6b88-4fbe-b816-16b156c285ac",
			"created_at": "2024-06-19T02:03:08.099397Z",
			"updated_at": "2026-04-29T06:58:57.522649Z",
			"deleted_at": null,
			"main_name": "GOLD RAINFOREST",
			"aliases": [
				"Lapsus$",
				"Slippy Spider ",
				"Strawberry Tempest "
			],
			"source_name": "Secureworks:GOLD RAINFOREST",
			"tools": [
				"Mimikatz"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "a241a1ca-2bc9-450b-a07b-aae747ee2710",
			"created_at": "2024-06-19T02:03:08.150052Z",
			"updated_at": "2026-04-29T06:58:57.574351Z",
			"deleted_at": null,
			"main_name": "IRON RITUAL",
			"aliases": [
				"APT29",
				"Blue Dev 5 ",
				"BlueBravo ",
				"Cloaked Ursa ",
				"CozyLarch ",
				"Dark Halo ",
				"Midnight Blizzard ",
				"NOBELIUM ",
				"StellarParticle ",
				"UNC2452 "
			],
			"source_name": "Secureworks:IRON RITUAL",
			"tools": [
				"Brute Ratel C4",
				"Cobalt Strike",
				"EnvyScout",
				"GoldFinder",
				"GoldMax",
				"NativeZone",
				"RAINDROP",
				"SUNBURST",
				"Sibot",
				"TEARDROP",
				"VaporRage"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "52d5d8b3-ab13-4fc4-8d5f-068f788e4f2b",
			"created_at": "2022-10-25T16:07:24.503878Z",
			"updated_at": "2026-04-29T06:58:58.321796Z",
			"deleted_at": null,
			"main_name": "Lapsus$",
			"aliases": [
				"DEV-0537",
				"G1004",
				"Slippy Spider",
				"Strawberry Tempest"
			],
			"source_name": "ETDA:Lapsus$",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "8941e146-3e7f-4b4e-9b66-c2da052ee6df",
			"created_at": "2023-01-06T13:46:38.402513Z",
			"updated_at": "2026-04-29T06:58:56.199012Z",
			"deleted_at": null,
			"main_name": "Sandworm",
			"aliases": [
				"Blue Echidna",
				"FROZENBARENTS",
				"UAC-0113",
				"UAC-0082",
				"Quedagh",
				"TEMP.Noble",
				"TeleBots",
				"IRIDIUM",
				"Seashell Blizzard",
				"APT44",
				"VOODOO BEAR",
				"IRON VIKING",
				"G0034",
				"ELECTRUM"
			],
			"source_name": "MISPGALAXY:Sandworm",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "760f2827-1718-4eed-8234-4027c1346145",
			"created_at": "2023-01-06T13:46:38.670947Z",
			"updated_at": "2026-04-29T06:58:56.291188Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"G0086",
				"THALLIUM",
				"Sparkling Pisces",
				"Velvet Chollima",
				"Black Banshee",
				"Operation Stolen Pencil",
				"APT43",
				"Emerald Sleet",
				"Springtail",
				"Thallium"
			],
			"source_name": "MISPGALAXY:Kimsuky",
			"tools": [
				"RevClient",
				"xrat",
				"QUASARRAT",
				"RDP Wrapper",
				"TightVNC",
				"BabyShark"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-29T06:58:58.140449Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a88747e2-ffed-45d8-b847-8464361b2254",
			"created_at": "2023-11-01T02:01:06.605663Z",
			"updated_at": "2026-04-29T06:58:57.735943Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"Volt Typhoon",
				"BRONZE SILHOUETTE",
				"Vanguard Panda",
				"DEV-0391",
				"UNC3236",
				"Voltzite",
				"Insidious Taurus",
				"DazedToad"
			],
			"source_name": "MITRE:Volt Typhoon",
			"tools": [
				"netsh",
				"PsExec",
				"ipconfig",
				"Wevtutil",
				"VersaMem",
				"Tasklist",
				"Mimikatz",
				"Impacket",
				"Systeminfo",
				"netstat",
				"Nltest",
				"certutil",
				"FRP",
				"cmd"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "de5630ec-93e0-4ef5-9ac3-fe422789e03d",
			"created_at": "2024-11-01T02:00:52.730802Z",
			"updated_at": "2026-04-29T06:58:57.782463Z",
			"deleted_at": null,
			"main_name": "INC Ransom",
			"aliases": [
				"INC Ransom",
				"GOLD IONIC"
			],
			"source_name": "MITRE:INC Ransom",
			"tools": [
				"PsExec",
				"Nltest",
				"Rclone",
				"AdFind",
				"esentutl",
				"INC Ransomware"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-29T06:58:57.746126Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "7bd810cb-d674-4763-86eb-2cc182d24ea0",
			"created_at": "2022-10-25T16:07:24.1537Z",
			"updated_at": "2026-04-29T06:58:58.147234Z",
			"deleted_at": null,
			"main_name": "Sandworm Team",
			"aliases": [
				"APT 44",
				"ATK 14",
				"BE2",
				"Blue Echidna",
				"CTG-7263",
				"FROZENBARENTS",
				"G0034",
				"Grey Tornado",
				"IRIDIUM",
				"Iron Viking",
				"Quedagh",
				"Razing Ursa",
				"Sandworm",
				"Sandworm Team",
				"Seashell Blizzard",
				"TEMP.Noble",
				"UAC-0082",
				"UAC-0113",
				"UAC-0125",
				"UAC-0133",
				"Voodoo Bear"
			],
			"source_name": "ETDA:Sandworm Team",
			"tools": [
				"AWFULSHRED",
				"ArguePatch",
				"BIASBOAT",
				"Black Energy",
				"BlackEnergy",
				"CaddyWiper",
				"Colibri Loader",
				"Cyclops Blink",
				"CyclopsBlink",
				"DCRat",
				"DarkCrystal RAT",
				"Fobushell",
				"GOSSIPFLOW",
				"Gcat",
				"IcyWell",
				"Industroyer2",
				"JaguarBlade",
				"JuicyPotato",
				"Kapeka",
				"KillDisk.NCX",
				"LOADGRIP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"ORCSHRED",
				"P.A.S.",
				"PassKillDisk",
				"Pitvotnacci",
				"PsList",
				"QUEUESEED",
				"RansomBoggs",
				"RottenPotato",
				"SOLOSHRED",
				"SwiftSlicer",
				"VPNFilter",
				"Warzone",
				"Warzone RAT",
				"Weevly"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "c8bf82a7-6887-4d46-ad70-4498b67d4c1d",
			"created_at": "2025-08-07T02:03:25.101147Z",
			"updated_at": "2026-04-29T06:58:57.620982Z",
			"deleted_at": null,
			"main_name": "NICKEL KIMBALL",
			"aliases": [
				"APT43 ",
				"ARCHIPELAGO ",
				"Black Banshee ",
				"Crooked Pisces ",
				"Emerald Sleet ",
				"ITG16 ",
				"Kimsuky ",
				"Larva-24005 ",
				"Opal Sleet ",
				"Ruby Sleet ",
				"SharpTongue ",
				"Sparking Pisces ",
				"Springtail ",
				"TA406 ",
				"TA427 ",
				"THALLIUM ",
				"UAT-5394 ",
				"Velvet Chollima "
			],
			"source_name": "Secureworks:NICKEL KIMBALL",
			"tools": [
				"BabyShark",
				"FastFire",
				"FastSpy",
				"FireViewer",
				"Konni"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "f161dc2b-a18e-43b9-9786-2285bc745a10",
			"created_at": "2025-05-29T02:00:03.214326Z",
			"updated_at": "2026-04-29T06:58:57.032428Z",
			"deleted_at": null,
			"main_name": "Earth Kurma",
			"aliases": [],
			"source_name": "MISPGALAXY:Earth Kurma",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-29T06:58:57.516698Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "49b3063e-a96c-4a43-b28b-1c380ae6a64b",
			"created_at": "2025-08-07T02:03:24.661509Z",
			"updated_at": "2026-04-29T06:58:57.508616Z",
			"deleted_at": null,
			"main_name": "BRONZE SILHOUETTE",
			"aliases": [
				"Dev-0391 ",
				"Insidious Taurus ",
				"UNC3236 ",
				"Vanguard Panda ",
				"Volt Typhoon ",
				"Voltzite "
			],
			"source_name": "Secureworks:BRONZE SILHOUETTE",
			"tools": [
				"Living-off-the-land binaries",
				"Web shells"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-29T06:58:57.819377Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f4d7cba1-dbdd-42a9-88c5-4d0c81659ee0",
			"created_at": "2023-01-06T13:46:38.357581Z",
			"updated_at": "2026-04-29T06:58:56.185893Z",
			"deleted_at": null,
			"main_name": "Flying Kitten",
			"aliases": [
				"Saffron Rose",
				"AjaxSecurityTeam",
				"Ajax Security Team",
				"Group 26",
				"Sayad",
				"SaffronRose"
			],
			"source_name": "MISPGALAXY:Flying Kitten",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "46b3c0fc-fa0c-4d63-a38a-b33a524561fb",
			"created_at": "2023-01-06T13:46:38.393409Z",
			"updated_at": "2026-04-29T06:58:56.195997Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"COZY BEAR",
				"The Dukes",
				"YTTRIUM",
				"Cloaked Ursa",
				"Blue Kitsune",
				"BlueBravo",
				"Group 100",
				"Minidionis",
				"SeaDuke",
				"Grizzly Steppe",
				"G0016",
				"ATK7",
				"TA421",
				"Nobelium",
				"IRON HEMLOCK",
				"UAC-0029",
				"ITG11"
			],
			"source_name": "MISPGALAXY:APT29",
			"tools": [
				"SNOWYAMBER",
				"HALFRIG",
				"QUARTERRIG"
			],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-29T06:58:56.194866Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Forest Blizzard",
				"STRONTIUM",
				"Blue Athena",
				"T-APT-12",
				"UAC-0028",
				"UAC-0001",
				"Fancy Bear",
				"TG-4127",
				"TA422",
				"Sofacy",
				"BlueDelta",
				"GruesomeLarch",
				"Pawn Storm",
				"FANCY BEAR",
				"SNAKEMACKEREL",
				"Group 74",
				"SIG40",
				"Grizzly Steppe",
				"Fighting Ursa",
				"ITG05",
				"Sednit",
				"Tsar Team",
				"IRON TWILIGHT",
				"G0007",
				"ATK5",
				"APT-C-20",
				"FROZENLAKE"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b05a0147-3a98-44d3-9b42-90d43f626a8b",
			"created_at": "2023-01-06T13:46:39.467088Z",
			"updated_at": "2026-04-29T06:58:56.559219Z",
			"deleted_at": null,
			"main_name": "NoName057(16)",
			"aliases": [
				"NoName05716",
				"05716nnm",
				"Nnm05716",
				"NoName057"
			],
			"source_name": "MISPGALAXY:NoName057(16)",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-29T06:58:57.620229Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-29T06:58:58.337954Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "93d94f09-e09e-4597-b926-3417f8dc77c8",
			"created_at": "2025-10-05T02:00:04.681998Z",
			"updated_at": "2026-04-29T06:58:57.050469Z",
			"deleted_at": null,
			"main_name": "Crimson Collective",
			"aliases": [],
			"source_name": "MISPGALAXY:Crimson Collective",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4ed2b20c-7523-4852-833b-cebee8029f55",
			"created_at": "2023-05-26T02:02:03.524749Z",
			"updated_at": "2026-04-29T06:58:56.581488Z",
			"deleted_at": null,
			"main_name": "Volt Typhoon",
			"aliases": [
				"VOLTZITE",
				"Dev-0391",
				"Storm-0391",
				"BRONZE SILHOUETTE",
				"VANGUARD PANDA",
				"UNC3236",
				"Insidious Taurus"
			],
			"source_name": "MISPGALAXY:Volt Typhoon",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-29T06:58:57.48365Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-29T06:58:57.725302Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"LAMEHUG",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "20d3a08a-3b97-4b2f-90b8-92a89089a57a",
			"created_at": "2022-10-25T15:50:23.548494Z",
			"updated_at": "2026-04-29T06:58:57.739757Z",
			"deleted_at": null,
			"main_name": "APT29",
			"aliases": [
				"APT29",
				"IRON RITUAL",
				"IRON HEMLOCK",
				"NobleBaron",
				"Dark Halo",
				"NOBELIUM",
				"UNC2452",
				"YTTRIUM",
				"The Dukes",
				"Cozy Bear",
				"CozyDuke",
				"SolarStorm",
				"Blue Kitsune",
				"UNC3524",
				"Midnight Blizzard"
			],
			"source_name": "MITRE:APT29",
			"tools": [
				"PinchDuke",
				"ROADTools",
				"WellMail",
				"CozyCar",
				"Mimikatz",
				"Tasklist",
				"OnionDuke",
				"FatDuke",
				"POSHSPY",
				"EnvyScout",
				"SoreFang",
				"GeminiDuke",
				"reGeorg",
				"GoldMax",
				"FoggyWeb",
				"SDelete",
				"PolyglotDuke",
				"AADInternals",
				"MiniDuke",
				"SeaDuke",
				"Sibot",
				"RegDuke",
				"CloudDuke",
				"GoldFinder",
				"AdFind",
				"PsExec",
				"NativeZone",
				"Systeminfo",
				"ipconfig",
				"Impacket",
				"Cobalt Strike",
				"PowerDuke",
				"QUIETEXIT",
				"HAMMERTOSS",
				"BoomBox",
				"CosmicDuke",
				"WellMess",
				"VaporRage",
				"LiteDuke"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-29T06:58:58.181568Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "71a1e16c-3ba6-4193-be62-be53527817bc",
			"created_at": "2022-10-25T16:07:23.753455Z",
			"updated_at": "2026-04-29T06:58:57.969738Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"APT 43",
				"Black Banshee",
				"Emerald Sleet",
				"G0086",
				"G0094",
				"ITG16",
				"KTA082",
				"Kimsuky",
				"Larva-24005",
				"Larva-25004",
				"Operation Baby Coin",
				"Operation Covert Stalker",
				"Operation DEEP#DRIVE",
				"Operation DEEP#GOSU",
				"Operation Kabar Cobra",
				"Operation Mystery Baby",
				"Operation Red Salt",
				"Operation Smoke Screen",
				"Operation Stealth Power",
				"Operation Stolen Pencil",
				"SharpTongue",
				"Sparkling Pisces",
				"Springtail",
				"TA406",
				"TA427",
				"Thallium",
				"UAT-5394",
				"Velvet Chollima"
			],
			"source_name": "ETDA:Kimsuky",
			"tools": [
				"AngryRebel",
				"AppleSeed",
				"BITTERSWEET",
				"BabyShark",
				"BoBoStealer",
				"CSPY Downloader",
				"Farfli",
				"FlowerPower",
				"Gh0st RAT",
				"Ghost RAT",
				"Gold Dragon",
				"GoldDragon",
				"GoldStamp",
				"JamBog",
				"KGH Spyware Suite",
				"KGH_SPY",
				"KPortScan",
				"KimJongRAT",
				"Kimsuky",
				"LATEOP",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Lovexxx",
				"MailPassView",
				"Mechanical",
				"Mimikatz",
				"MoonPeak",
				"Moudour",
				"MyDogs",
				"Mydoor",
				"Network Password Recovery",
				"PCRat",
				"ProcDump",
				"PsExec",
				"ReconShark",
				"Remote Desktop PassView",
				"SHARPEXT",
				"SWEETDROP",
				"SmallTiger",
				"SniffPass",
				"TODDLERSHARK",
				"TRANSLATEXT",
				"Troll Stealer",
				"TrollAgent",
				"VENOMBITE",
				"WebBrowserPassView",
				"xRAT"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429299,
	"ts_updated_at": 1777450880,
	"ts_creation_date": 1773763895,
	"ts_modification_date": 1773763964,
	"files": {
		"pdf": "https://archive.orkl.eu/56357662a440b7e183247380dc5a4094dffc4645.pdf",
		"text": "https://archive.orkl.eu/56357662a440b7e183247380dc5a4094dffc4645.txt",
		"img": "https://archive.orkl.eu/56357662a440b7e183247380dc5a4094dffc4645.jpg"
	}
}