Tags: Droppers/Loaders, Infostealers, Mobile Malware, Offensive Security Tools, Remote Access Trojans, Traffic Distribution Systems

Mar 19, 2026 • Recorded Future

2025 Year in Review: Malicious Infrastructure


Source: Recorded Future
Category: malware
Severity: high

Executive Summary

Recorded Future's Insikt Group 2025 Malicious Infrastructure Report reveals a dynamic threat landscape where Cobalt Strike maintains dominance (~50% of OST detections) despite declining market share, while infostealers remained the primary infection vector. The malware-as-a-service ecosystem continued expanding, with Vidar outperforming competitors and LummaC2 proving resilient despite law enforcement disruptions. RedGuard, Ligolo, and Supershell gained significant traction among threat actors, while Android malware dominated mobile threats. Traffic distribution systems saw sustained use by multiple threat actors including TAG-124, GrayBravo, and GrayCharlie. Organizations should prioritize detection rules (YARA, Sigma, Snort), enhance network monitoring, and maintain continuous threat landscape awareness. The report anticipates incremental rather than dramatic changes in 2026, with AI-assisted evasion and continued legitimate infrastructure abuse expected.

Summary

Explore Insikt Group’s 2025 Malicious Infrastructure Report. Gain insights into Cobalt Strike, Vidar infostealers, and AI-driven threats to secure your 2026 strategy.

Published Analysis

Executive Summary

In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies, more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs).

While many patterns identified in 2024 persisted, including Cobalt Strike’s dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025. For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.

Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.

As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The “as-a-service” ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystem’s underlying economic and operational logic is expected to remain intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law...

Linked Entities

  • AsyncRAT
  • CastleLoader
  • Cobalt Strike
  • DcRAT
  • GOSAR
  • Ligolo
  • LummaC2
  • Metasploit
  • Mythic
  • QuasarRAT
  • Raccoon
  • RedGuard