Malicious Infrastructure Landscape Expands in 2025 — New C2 Tools, Loaders, and Threat Activity Enablers Surge Across All Sectors
What Happened — Insikt Group’s 2025 Year‑in‑Review reports a dramatic broadening of tracked malicious infrastructure, covering additional malware families, newer command‑and‑control (C2) frameworks (e.g., RedGuard, Ligolo, Supershell) and emerging loaders such as CastleLoader. The report also highlights the rise of “threat activity enablers” (TAEs) that supply or amplify malicious services, and a shift in infostealer dynamics after law‑enforcement takedowns.
Why It Matters for TPRM (Third‑Party Risk Management) —
- Threat actors continuously evolve their infrastructure, increasing the attack surface for third‑party services.
- New C2 frameworks and loaders evade many legacy detection signatures, exposing gaps in vendor security controls.
- TAEs amplify risk for supply‑chain partners that rely on shared cloud or network services.
Who Is Affected — All industries that depend on external SaaS, cloud hosting, or third‑party network services, notably Technology/SaaS, Financial Services, Healthcare, and Retail.
Recommended Actions —
- Review third‑party network monitoring and detection rules (YARA, Sigma, Snort) for the newly identified tools.
- Validate that vendors employ continuous threat‑intel feeds and can detect TAEs.
- Conduct tabletop simulations that incorporate the highlighted loaders and C2 frameworks.
Technical Notes — The shift is driven by open‑source/off‑the‑shelf C2 frameworks, custom loaders (CastleLoader) attributed to GrayBravo, and traffic‑distribution systems (TAG‑124, GrayCharlie). No specific CVEs are cited; the threat is infrastructure‑centric. Source: https://www.recordedfuture.com/research/2025-year-in-review-malicious-infrastructure