Cybersecurity
Latin America and the Caribbean Cybercrime Landscape
Executive Summary
This report provides an overview of trends and developments in the cybercriminal ecosystem of Latin America and the Caribbean (LAC) in 2025. Insikt Group found that threat actors operating in or targeting the LAC region predominantly use client-server applications and end-to-end encrypted messaging platforms such as Telegram, as well as established English- or Russian-speaking dark web and special-access forums, to communicate and conduct activities. Threat actors demon
Industrialization of the Fraud Ecosystem Blog
Payment fraud no longer operates as a collection of discrete schemes run by individual threat actors.
It is increasingly sustained by an industrial support ecosystem: purpose-built infrastructure, packaged toolkits, and professionalized services that allow threat actors to maximize fraud output while minimizing the skill and effort required to execute attacks. According to Recorded Future's Annual Payment Fraud Intelligence Report: 2025, this industrialization was driven by technical adva
The Shift: An Era of Quantum Geopolitics
The expanding conflict around Iran signals a deeper shift. We have entered an era of quantum geopolitics, where the old rules of the international order no longer apply. What began as a regional confrontation is already reshaping global markets, supply chains, and corporate security planning. Leaders must adapt how they think, spend, and communicate in a system where uncertainty is not a risk to manage—it is the operating environment itself.
What is Quantum Geopolitics?
A useful
ClickFix Campaigns Targeting Windows and macOS
Executive Summary
Insikt Group identified five distinct clusters leveraging the ClickFix social engineering technique to facilitate initial access to host systems. Observed since at least May 2024, these clusters include those impersonating financial application Intuit QuickBooks and the travel agency Booking.com. Insikt Group leveraged the Recorded Future® HTML Content Analysis dataset, which enables systematic monitoring of embedded web artifacts to identify and track new malicious dom
The Iran War: What You Need to Know
Last updated: 20 March 2026 at 2200 GMT
This report is continuously updated as the situation evolves across the geopolitical, cyber, and influence operations dimensions of this conflict. It will be of greatest interest to organizations in the US, Israel, and Gulf states concerned about targeting by Iranian state-sponsored or state-aligned threat actors, as well as those with exposure to energy markets, maritime shipping, and critical infrastructure potentially impacted by regional escala
2025 Year in Review: Malicious, Infrastructure
Executive Summary
In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies, more granular higher-tier infrastructure insights, expanded victimology analysis,
2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025
Executive Summary
Credential theft is the dominant initial access vector for enterprise breaches. In 2025, Recorded Future detected:
1.95 billion malware combo list credential exposures
36 million database combo list credential exposures
24 million database dump credential exposures
892 million malware log credential exposures
Five findings stand out from the data:
Credential theft accelerated as the yea
February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
February 2026 saw a 43% decrease in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 13 vulnerabilities requiring immediate remediation, down from 23 in January 2026. All 13 carried a ‘Very Critical’ Recorded Future Risk Score.
What security teams need to know:
Microsoft dominates: Six of 13 vulnerabilities affected Microsoft products, accounting for 46% of February's findings; all were added to CISA's KEV catalog on the same day
Latin America's Cybersecurity Turning Point: From Reactive Defense to Threat Intelligence
Key Takeaways
Latin America faces a distinct and evolving cyber threat landscape, from PIX payment fraud to ransomware hitting critical infrastructure.
Most LATAM security teams are still reactive by necessity, and that posture is costing organizations in downtime, data, and trust.
Recorded Future offers LATAM-specific threat intelligence, automation, and 100+ integrations to help stretched teams get ahead of attacks before they land.
Meet us at R
Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA
Recorded Future is expanding its payment fraud prevention capabilities through a partnership with CYBERA, the industry leader in detecting and verifying data on scam-linked bank accounts.
Available for purchase now via the Recorded Future Platform, Money Mule Intelligence helps fraud teams identify the accounts criminals use to extract and move stolen funds—addressing a critical gap as scams increasingly become banks' most pressing fraud challenge.
The Growing Threat of Authorize
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
January 2026 saw a modest 5% increase in high-impact vulnerabilities, with Recorded Future's Insikt Group® identifying 23 vulnerabilities requiring immediate remediation, up from 22 in December 2025. Noteworthy trends last month included Russian state-sponsored exploitation of a Microsoft Office zero-day and critical authentication bypass flaws affecting enterprise infrastructure.
What security teams need to know:
APT28's Operation Neusploit: Russian state-sponsored ac
Preparing for Russia’s New Generation Warfare in Europe
Executive Summary
Since its full-scale invasion of Ukraine in February 2022, Russia has waged what we assess is largely opportunistic, though increasingly aggressive, hybrid warfare in NATO territory. Moscow has very likely not yet leveraged its full capability to integrate cyber, political, and sabotage tools into a full-scale campaign.
Over the next two years, Russian President Vladimir Putin will likely escalate Russia’s hybrid warfare campaign against NATO members into a full
2025 Cloud Threat Hunting and Defense Landscape
Executive Summary
Insikt Group has observed continued trends of growth and increased activity of threat actors leveraging and exploiting cloud infrastructure to broaden the number of victims they target and infect. Recent reporting across the observed incidents shows that cloud-focused threats are converging on a few consistent patterns, which serve as the main sections of this report:
Exploitation and Misconfiguration
Cloud Abuse
Cloud Ransomware
GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
Executive Summary
Insikt Group has been monitoring GrayCharlie, a threat actor overlapping with SmartApeSG and active since mid-2023, for some time, and is now publishing its first report on the group. GrayCharlie compromises WordPress sites and injects them with links to externally hosted JavaScript that redirects visitors to NetSupport RAT payloads delivered via fake browser update pages or ClickFix mechanisms. These infections often progress to the deployment of Stealc and SectopRAT.
Network Intelligence: Your Questions, Global Answers
The Problem with Pre-Packaged Intelligence
Security teams are drowning in threat intelligence feeds. Hundreds of vendors promise comprehensive coverage, real-time alerts, and actionable insights. Yet sophisticated adversaries continue to operate undetected, incidents take weeks to scope, and attribution remains elusive.
The fundamental issue isn't quality but control. Traditional network visibility solutions force passive consumption: their alerts, their priorities, their timelin
State of Security Report | Recorded Future
Fragmentation is the new normal
The global threat landscape didn't simplify in 2025—it shattered. Geopolitical alliances strained. Criminal enterprises splintered and regrouped. State-sponsored actors shifted from dramatic disruptions to quiet pre-positioning. And as long-established norms unwound, convergence across once-distinct domains created unprecedented uncertainty.
The 2026 State of Security report delivers Insikt Group's most comprehensive annual analysis of
Fragmentation Defined 2025's Threat Landscape. Here's What It Means for 2026
Uncertainty has become the operating environment for business. And this year, fragmentation is driving it.
The global threat landscape didn't simplify in 2025; it shattered. Geopolitical alliances strained. Criminal enterprises splintered under law enforcement pressure, then regrouped into smaller, faster, and harder-to-track operations. State-sponsored cyber actors shifted from dramatic disruptions to quiet pre-positioning, embedding themselves in networks and waiting. Hacktivist groups
From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations
The manual operations gap can be a business risk
Manual threat hunting requires 27 steps that burn analyst time
Autonomous Threat Operations can reduce 27 steps to 5
Autonomous operations prove measurable ROI
Rublevka Team: Anatomy of a Russian Crypto Drainer Operation
Executive Summary
Insikt Group has identified a major cybercriminal operation specializing in large-scale cryptocurrency theft, operating under the moniker “Rublevka Team”. Since its inception in 2023, the threat group has generated over $10 million through affiliate-driven wallet draining campaigns. Rublevka Team is an example of a “traffer team,” composed of a network of thousands of social engineering specialists tasked with directing victim traffic to malicious pages. Unlike traditio
Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future
Key Takeaways:
Recorded Future deployed Autonomous Threat Operations within its own SOC before customer release, ensuring real-world effectiveness and identifying critical capabilities.
Autonomous Threat Operations reduced analyst-dependent, inconsistent processes, creating standardized hunts that deliver the same input, output, and expectations every time.
Team members now run 15-20 threat hunts weekly—work that previously required days or weeks of manual
Industrialization of the Fraud Ecosystem Blog
Recorded Future · 5d ago
The Shift: An Era of Quantum Geopolitics
Recorded Future · 5d ago
ClickFix Campaigns Targeting Windows and macOS
Recorded Future · Mar 25, 2026

The Iran War: What You Need to Know
Recorded Future · Mar 20, 2026

2025 Year in Review: Malicious, Infrastructure
Recorded Future · Mar 19, 2026

2025 Identity Threat Landscape Report: Inside the Infostealer Economy: Credential Threats in 2025
Recorded Future · Mar 16, 2026

February 2026 CVE Landscape: 13 Critical Vulnerabilities Mark 43% Drop from January
Recorded Future · Mar 12, 2026
Recorded Future Expands Coverage of Scams and Financial Fraud with Money Mule Intelligence from CYBERA
Recorded Future · Feb 26, 2026
January 2026 CVE Landscape: 23 Critical Vulnerabilities Mark 5% Increase, APT28 Exploits Microsoft Office Zero-Day
Recorded Future · Feb 24, 2026
Preparing for Russia’s New Generation Warfare in Europe
Recorded Future · Feb 24, 2026

2025 Cloud Threat Hunting and Defense Landscape
Recorded Future · Feb 19, 2026

GrayCharlie Hijacks Law Firm Sites in Suspected Supply-Chain Attack
Recorded Future · Feb 18, 2026

Network Intelligence: Your Questions, Global Answers
Recorded Future · Feb 16, 2026

State of Security Report | Recorded Future
Recorded Future · Feb 12, 2026
From 27 Steps to 5: How Recorded Future Reimagined Threat Hunting with Autonomous Threat Operations
Recorded Future · Feb 11, 2026
Rublevka Team: Anatomy of a Russian Crypto Drainer Operation
Recorded Future · Feb 4, 2026
Autonomous Threat Operations in action: Real results from Recorded Future’s own SOC team | Recorded Future
Recorded Future · Feb 1, 2026