National Cyber Warfare Foundation (NCWF)

2025 Year in Review: Malicious, Infrastructure


2026-03-19 14:06:04
milo
Blue Team (CND)
Explore Insikt Group’s 2025 Malicious Infrastructure Report. Gain insights into Cobalt Strike, Vidar infostealers, and AI-driven threats to secure your 2026 strategy.

Executive Summary


In 2025, Insikt Group significantly expanded its tracking of malicious infrastructure, broadening coverage across additional malware families and threat categories spanning cybercriminal and APT activity. This expansion included deeper analysis of infrastructure types, enhanced integration of data sources such as Recorded Future Network Intelligence®, improved threat detection methodologies, more granular higher-tier infrastructure insights, expanded victimology analysis, and a new focus on so-called threat activity enablers (TAEs). While many patterns identified in 2024 persisted, including Cobalt Strike’s dominance among offensive security tools (OSTs), AsyncRAT and QuasarRAT leading the remote access trojan (RAT) landscape, the widespread use of open-source or cracked malware variants, and the continued prevalence of Android malware within the mobile threat ecosystem, Insikt Group observed several notable shifts and emerging trends throughout 2025.


For example, although Cobalt Strike remained the most prominent OST, its relative share of detected command-and-control (C2) servers declined as detection coverage expanded and competing tools gained traction. Tools such as RedGuard, Ligolo, and Supershell saw significant growth in use throughout 2025. Following law enforcement disruption efforts targeting LummaC2, Vidar and other infostealers partially filled the gap, reflecting continued volatility in the infostealer ecosystem. Similar fluctuations were observed in the loader and dropper landscape, where new malware families consistently emerged, including CastleLoader, attributed to GrayBravo. Additionally, Insikt Group observed sustained and widespread use of traffic distribution systems (TDS), including activity by TAG-124, GrayCharlie, and other threat actors.


Defenders should leverage the insights from this report to strengthen security controls by prioritizing the detection and mitigation of the most prevalent malware families and infrastructure techniques. This includes enhancing network monitoring capabilities and deploying relevant detection mechanisms such as YARA, Sigma, and Snort rules. Organizations should also invest in tracking evolving malicious infrastructure dynamics, conducting threat simulations to validate their defensive posture, and maintaining continuous monitoring of the broader threat landscape. With respect to legitimate infrastructure services (LIS), defenders must carefully balance blocking, flagging, or allowing high-risk services based on assessed criticality and organizational risk tolerance.


As malicious infrastructure continues to evolve alongside improving detection capabilities, Insikt Group anticipates that many current trends will persist into 2026. Rather than dramatic shifts, change is likely to be driven by incremental innovation, adaptation to defensive measures, and reactions to public reporting and law enforcement actions. Threat actors are expected to continue leveraging legitimate tools, services, and content delivery networks (CDNs) such as Cloudflare, a pattern also heavily observed among multiple APT groups, to blend malicious activity with legitimate traffic. While not yet widely observed at the infrastructure layer, Insikt Group assesses that artificial intelligence may increasingly be leveraged to support evasion and operational resilience. The “as-a-service” ecosystem is likely to continue expanding across malware categories, enabling scalability and lowering barriers to entry for threat actors. Although public reporting and sanctions targeting certain TAEs have triggered increased scrutiny, the ecosystem’s underlying economic and operational logic is expected to remain intact, allowing established actors to continue operating. At the same time, Insikt Group anticipates increasingly assertive international law enforcement actions targeting malicious infrastructure, including coordinated takedowns and other disruption efforts.


Key Findings



  • Infostealers remained the primary infection vector in 2025, with malware-as-a-service (MaaS) offerings dominating. Vidar outperformed competitors, Lumma proved resilient despite law enforcement and doxxing pressure, and the wider ecosystem remained highly volatile.

  • Cobalt Strike retained clear dominance in OST detections (~50%) despite declining share, while Metasploit and Mythic held their positions. RedGuard, Ligolo, and Supershell expanded notably, and jQuery again led as the most prevalent malleable C2 profile by detections and geographic reach.

  • The malware ecosystem remained anchored in MaaS and open-source tooling across desktop and mobile, with AsyncRAT and Quasar RAT leading the RAT landscape, DcRAT and REMCOS RAT gaining share, and families such as XWorm, SectopRAT, and GOSAR entering the top tier, while Android dominated mobile activity (nine of the top ten families) amid rising use of mercenary spyware.

  • Droppers, loaders, and TDS remained dynamic but resilient in 2025, with high loader turnover following Operation Endgame 2024, driven by Latrodectus expansion and the rise of MintsLoader and GrayBravo’s CastleLoader, alongside sustained and widespread TDS activity linked to TAG-124, GrayCharlie, and other threat actors.

  • Lastly, in 2025, Insikt Group pivoted to identifying TAEs via the Threat Density List, highlighting high-risk networks such as Virtualine Technologies, often transiting via aurologic GmbH, that sustained operations through Regional Internet Registry (RIR) resource abuse and rapid rebranding despite sanctions and law enforcement pressure.


Background


Insikt Group proactively identifies and monitors infrastructure linked to hundreds of malware families, threat actors, and related artifacts, including phishing kits, scanners, and relay networks. Through daily, automated validation using proprietary methods, Insikt Group delivers accurate risk representation, enabling Recorded Future customers to strengthen their detection and defense capabilities.


Building on Insikt Group’s annual malicious infrastructure reports from 2022, 2023, and 2024, this year’s report delivers a concise, data-driven overview of malicious infrastructure observed throughout 2025. While the percentages presented throughout the report are intended to provide insight into trends and the state of malicious infrastructure in 2025, it is important to note that Insikt Group continuously adds new detections for both existing and emerging families, which makes year-over-year comparisons imperfect.


This year, the focus continues to be on the synergy between passive infrastructure detection, higher-tier infrastructure insights powered by Recorded Future Network Intelligence, and victim identification. It also expands to examine trends across the ecosystem of TAEs that underpin cyber threats, including how sanctions against selected entities have reshaped that landscape. Overall, this report is intended for anyone interested in malicious infrastructure, providing a high-level overview of its current state along with summaries of key findings to support informed decision-making and offer a broad perspective on this rapidly evolving landscape.


Recognizing the challenge of categorizing malware types in a mutually exclusive manner due to their overlapping functionalities, this report establishes a set of malware categories to facilitate analysis, as detailed in Appendix A, with brief definitions for each. Notably, certain malware categories, such as crypters, have been intentionally excluded because they typically lack network artifacts.


Beyond examining malicious infrastructure through the lens of malware categories, Insikt Group also monitors it by type, assigning each a distinct risk score within the Recorded Future Intelligence Operations Platform®. This differentiation reflects varying levels of severity. For instance, network traffic to or from a C2 server in a corporate network may indicate a higher risk compared to the presence of a management panel, as the former typically implies active malicious activity. The infrastructure types defined by Insikt Group are detailed in Appendix B.


Download the full report



Source: RecordedFuture
Source Link: https://www.recordedfuture.com/research/2025-year-in-review-malicious-infrastructure




