2025 Year in Review: Malicious Infrastructure

In 2025, Insikt Group observed the continued dominance of Cobalt Strike, AsyncRAT, and infostealers like Vidar, alongside the rise of new offensive tools such as RedGuard, Ligolo, and CastleLoader. The report highlights the critical role of Threat Activity Enablers (TAEs) and the abuse of legitimate infrastructure services, such as CDNs, in sustaining cybercriminal and APT operations.

Confidence: high · Analyzed: 2026-03-19 · reports

Authors: Insikt Group

Actors: GrayBravo, TAG-124, GrayCharlie, Cobalt Strike, AsyncRAT, QuasarRAT, Vidar, LummaC2, CastleLoader, Latrodectus, MintsLoader, RedGuard, Ligolo, Supershell, DcRAT, REMCOS RAT, XWorm, SectopRAT, GOSAR, Metasploit, Mythic

Source: Recorded Future

Key Takeaways

  • Infostealers remain the primary infection vector, with Vidar outperforming competitors and Lumma remaining resilient despite law enforcement pressure.
  • Cobalt Strike retains dominance in Offensive Security Tool (OST) detections (~50%), though emerging tools like RedGuard, Ligolo, and Supershell are expanding notably.
  • The malware ecosystem is anchored in MaaS and open-source tooling, with AsyncRAT and Quasar RAT leading the desktop RAT landscape, while Android dominates mobile activity.
  • High loader turnover was observed following Operation Endgame, driven by Latrodectus, MintsLoader, and GrayBravo's CastleLoader.
  • Threat Activity Enablers (TAEs) like Virtualine Technologies sustain operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions.

Affected Systems

  • Windows
  • Android

Attack Chain

Threat actors leverage Malware-as-a-Service (MaaS) offerings, primarily infostealers, as initial infection vectors. Traffic Distribution Systems (TDS) are frequently used to route victims to malicious payloads. Once initial access is achieved, actors deploy loaders like CastleLoader or Latrodectus to drop secondary payloads. Post-exploitation and command-and-control are maintained using Offensive Security Tools (OSTs) like Cobalt Strike or various RATs, often obfuscated through legitimate CDNs like Cloudflare or hosted on resilient Threat Activity Enabler (TAE) networks.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article recommends deploying YARA, Sigma, and Snort rules to detect prevalent malware families, but does not provide specific rule bodies or queries within the text.

Detection Engineering Assessment

  • EDR Visibility (High): EDR solutions are highly effective at detecting the execution and in-memory presence of the known OSTs (Cobalt Strike), RATs, and loaders mentioned in the report.
  • Network Visibility (High): The report heavily emphasizes network infrastructure tracking, C2 detection, and TDS activity, all of which are highly visible at the network layer if proper decryption and flow logging are in place.
  • Detection Difficulty (Moderate): While standard tools like Cobalt Strike have known signatures, actors increasingly use CDNs, legitimate services, and emerging tools (RedGuard, Ligolo) to evade traditional network detection.

Required Log Sources

  • DNS query logs
  • Network flow logs
  • Proxy/Web filter logs
  • Process creation logs

Hunting Hypotheses

  • Hypothesis: Threat actors are utilizing emerging OSTs like RedGuard, Ligolo, and Supershell for C2 communication, bypassing traditional Cobalt Strike detections.
    • Telemetry: Network flow logs, EDR network connections
    • ATT&CK Stage: Command and Control
    • FP Risk: Low
  • Hypothesis: Traffic Distribution Systems (TDS) are routing users to malicious infrastructure via compromised or actor-controlled domains.
    • Telemetry: Proxy/Web filter logs, DNS query logs
    • ATT&CK Stage: Initial Access
    • FP Risk: Medium
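The TDS hypothesis above, turned into a hunt over proxy logs as an added example (not code from the Recorded Future report): the log format, the hop and time thresholds, and the sample lines are constructed assumptions.

```python
"""Hunt for Traffic Distribution System (TDS) redirect chains in proxy logs.

Constructed example, not code from the Recorded Future report; log format and
sample lines are assumptions. A TDS bounces the victim through several domains
with HTTP 3xx answers before serving the payload, so the hunt flags per-client
3xx chains over >= MIN_HOPS distinct domains that end in a binary download.
"""
from collections import defaultdict
from datetime import datetime
MIN_HOPS = 2          # distinct redirecting domains before the payload
WINDOW_S = 60         # a hop more than this many seconds later starts a new chain
BINARY_TYPES = {"application/octet-stream", "application/x-msdownload",
                "application/zip", "application/vnd.android.package-archive"}

# Constructed proxy log lines: timestamp client host status content-type
SAMPLE_LOG = """\
2025-06-01T09:00:00 10.0.0.5 news.example-site.test 200 text/html
2025-06-01T09:00:03 10.0.0.5 track.redirector-a.test 302 text/html
2025-06-01T09:00:04 10.0.0.5 go.redirector-b.test 302 text/html
2025-06-01T09:00:05 10.0.0.5 cdn.payload-host.test 200 application/octet-stream
2025-06-01T09:01:00 10.0.0.9 shop.example-store.test 301 text/html
2025-06-01T09:01:01 10.0.0.9 www.example-store.test 200 text/html
"""

def parse(line):
    ts, client, host, status, ctype = line.split()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "host": host, "status": int(status), "ctype": ctype}

def find_tds_chains(log_text, min_hops=MIN_HOPS, window_s=WINDOW_S):
    # Returns one (client, [redirecting hosts..., payload host]) per finding.
    by_client = defaultdict(list)
    for line in log_text.strip().splitlines():
        ev = parse(line)
        by_client[ev["client"]].append(ev)
    findings = []
    for client, events in by_client.items():
        events.sort(key=lambda e: e["ts"])
        chain, last_ts = [], None
        for ev in events:
            if last_ts and (ev["ts"] - last_ts).total_seconds() > window_s:
                chain = []                     # too slow to be one redirect chain
            last_ts = ev["ts"]
            if 300 <= ev["status"] < 400:
                if ev["host"] not in chain:
                    chain.append(ev["host"])
                continue
            # A non-3xx answer closes the chain; judge it by length and payload type.
            if len(chain) >= min_hops and ev["ctype"] in BINARY_TYPES:
                findings.append((client, chain + [ev["host"]]))
            chain = []
    return findings
```

The second client in the sample (one 301 onto the same brand's canonical host, then HTML) shows the ordinary single-hop redirect the thresholds are meant to leave alone.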

Control Gaps

  • Legitimate Infrastructure Services (LIS) abuse (e.g., Cloudflare)
  • Threat Activity Enabler (TAE) resilience despite sanctions

Key Behavioral Indicators

  • Connections to known high-risk ASNs/networks (e.g., Virtualine Technologies, aurologic GmbH)
  • Use of default or widely known malleable C2 profiles (e.g., jQuery)

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Prioritize detection and mitigation of prevalent malware families like Cobalt Strike, AsyncRAT, and Vidar.
  • Review and update network blocklists for known Threat Activity Enabler (TAE) networks.

Infrastructure Hardening

  • Enhance network monitoring capabilities to detect C2 and TDS activity.
  • Carefully balance blocking, flagging, or allowing high-risk Legitimate Infrastructure Services (LIS) based on assessed criticality and organizational risk tolerance.

User Protection

  • Deploy robust endpoint protection to detect infostealers, loaders, and RATs.
  • Implement mobile device management (MDM) and security controls to mitigate Android-based malware threats.

Security Awareness

  • Conduct threat simulations to validate defensive posture against prevalent OSTs and malware.
  • Maintain continuous monitoring of the broader threat landscape and evolving infrastructure dynamics.

MITRE ATT&CK Mapping

  • T1003 - OS Credential Dumping
  • T1071 - Application Layer Protocol
  • T1105 - Ingress Tool Transfer
  • T1583 - Acquire Infrastructure
  • T1584 - Compromise Infrastructure

Additional IOCs

  • Other:
    • Virtualine Technologies - High-risk network / Threat Activity Enabler (TAE) sustaining operations through RIR resource abuse.
    • aurologic GmbH - Network frequently used for transit by high-risk TAEs like Virtualine Technologies.