HomeIntelligenceBrief
BREACH BRIEF⚪ Informational ThreatIntel

Malicious Infrastructure Landscape Expands in 2025 — New C2 Tools, Loaders, and Threat Activity Enablers Surge Across All Sectors

Insikt Group’s 2025 Year‑in‑Review reveals a broadened malicious‑infrastructure ecosystem, with new command‑and‑control frameworks, loaders, and threat‑activity‑enablers emerging across the globe. The findings signal heightened third‑party risk for organizations that rely on external network services.

LiveThreat™ Intelligence · 📅 March 19, 2026· 📰 recordedfuture.com
Severity
Informational
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
5 sector(s)
Actions
3 recommended
📰
Source
recordedfuture.com

Malicious Infrastructure Landscape Expands in 2025 — New C2 Tools, Loaders, and Threat Activity Enablers Surge Across All Sectors

What Happened — Insikt Group’s 2025 Year‑in‑Review reports a dramatic broadening of tracked malicious infrastructure, covering additional malware families, newer command‑and‑control (C2) frameworks (e.g., RedGuard, Ligolo, Supershell) and emerging loaders such as CastleLoader. The report also highlights the rise of “threat activity enablers” (TAEs) that supply or amplify malicious services, and a shift in infostealer dynamics after law‑enforcement takedowns.

Why It Matters for TPRM

  • Threat actors continuously evolve their infrastructure, increasing the attack surface for third‑party services.
  • New C2 and loader tools bypass many legacy detection signatures, exposing gaps in vendor security controls.
  • TAEs amplify risk for supply‑chain partners that rely on shared cloud or network services.

Who Is Affected — All industries that depend on external SaaS, cloud hosting, or third‑party network services, notably Technology/SaaS, Financial Services, Healthcare, and Retail.

Recommended Actions

  • Review third‑party network monitoring and detection rules (YARA, Sigma, Snort) for the newly identified tools.
  • Validate that vendors employ continuous threat‑intel feeds and can detect TAEs.
  • Conduct tabletop simulations that incorporate the highlighted loaders and C2 frameworks.

Technical Notes — The shift is driven by open‑source/off‑the‑shelf C2 frameworks, custom loaders (CastleLoader) attributed to GrayBravo, and traffic‑distribution systems (TAG‑124, GrayCharlie). No specific CVEs are cited; the threat is infrastructure‑centric. Source: https://www.recordedfuture.com/research/2025-year-in-review-malicious-infrastructure

📰 Original Source
https://www.recordedfuture.com/research/2025-year-in-review-malicious-infrastructure

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · SOC 2 Readiness

Could you prove your access controls held up here?

Credential and access failures map directly to SOC 2 access-control criteria. The Verisq AI Trust Operations platform shows where your evidence is thin before an auditor — or an attacker — finds out.

Explore the Verisq AI Trust Operations platform →