Alexander Leslie

Threats to the 2025 NATO Summit: Cyber, Influence, and Hybrid Risks Explore how state-sponsored actors, cybercriminals, and hacktivists are targeting the 2025 NATO Summit. Insight from Recorded Future’s Insikt Group reveals escalating cyber, AI, and hybrid threats fro...

🚨 👀 New Insikt Group report! As NATO leaders gather in The Hague next week, the upcoming summit comes under threat from adversary activity: state-sponsored espionage, malign influence operations, and a surge of chatter across the dark web.

Blog: www.recordedfuture.com/research/thr...

China’s PLA Leverages Generative AI for Military Intelligence: Insikt Group Report Explore how China’s PLA is adopting generative AI for military intelligence. This Insikt Group report reveals AI-driven intelligence tools, strategic adaptations, and implications for global security.

🇨🇳 🤖 New Insikt Group report! This research details how the People’s Liberation Army is rapidly experimenting with generative AI to augment — and potentially transform — its military intelligence capabilities.

Blog: www.recordedfuture.com/research/art...

Join me tomorrow for a live briefing on the conflict between Israel and Iran.

We’ll address specific geopolitical risks, cybercriminal and hacktivist groups, state-sponsored cyber threats, influence operations, and more.

Registration: recordedfuture.registration.goldcast.io/webinar/4b72...

Thank you to everyone who attended my session at our inaugural Insikt After Dark conference in New York City!

I spoke on our recent efforts to disrupt traffer teams, infostealer operators, and global scam infrastructure.

It’s always an honor to represent Recorded Future!

Outstanding work from @julianferdinand.bsky.social, @lawrencesec.bsky.social, and our Malicious Infrastructure Discovery (MID) team.

GrayAlpha shows how financially motivated actors operate with APT-level tradecraft.

Time to retire old threat models. Think in terms of ecosystems, not just malware.

Predator isn’t dead — it’s mutating.

New reporting from @julianferdinand.bsky.social just dropped. It confirms that Predator C2 is very much alive and attracting new clients.

Targets? The same. Activists, politicians, journalists, executives. The spyware economy isn’t slowing — it’s adapting.

Read more! This report includes an extensive list of capabilities and indicators linked to TAG-110 and its recent campaigns targeting Central Asia.

PDF: go.recordedfuture.com/hubfs/report...

🔑: “TAG-110’s recent use of macro-enabled Word templates (.dotm), placed in the Microsoft Word STARTUP folder for automatic execution, highlights a tactical evolution prioritizing persistence.”

🌏: “TAG-110’s persistent targeting of Tajik government, educational, and research institutions supports Russia’s strategy to maintain influence in Central Asia. These cyber-espionage operations likely aim to gather intelligence for influencing regional politics or security…”

🔍: “This campaign has been attributed to TAG-110 based on its reuse of VBA code found in lures from previous campaigns, overlap in C2 infrastructure, and use of suspected legitimate government documents for lure material.”

🎣: “TAG-110 has changed its spearphishing tactics in recent campaigns against Tajikistan, as they now rely on macro-enabled Word templates (.dotm files).”

TAG-110 Targets Tajikistan: New Macro Word Documents Phishing Tactics Russia-aligned TAG-110 shifts to .dotm phishing lures in a 2025 campaign against Tajikistan’s public sector, advancing cyber-espionage in Central Asia.

New report! Check it out.

🇷🇺 🇹🇯 This research examines a campaign targeting Tajikistan attributed to Russia-aligned TAG-110 — linked to BlueDelta (APT28). This campaign is likely targeting government, educational, and research institutions.

Link: www.recordedfuture.com/research/rus...

Europol and Microsoft disrupt world’s largest infostealer Lumma | Europol Europol’s European Cybercrime Centre has worked with Microsoft to disrupt Lumma Stealer (“Lumma”), the world’s most significant infostealer threat.

Good riddance! This should make a sizable dent in the ecosystem.

🪦 Lumma Stealer 🪦

Link: www.europol.europa.eu/media-press/...

Read more! This report includes extensive research and analysis that can’t be fully captured in a single thread.

PDF: go.recordedfuture.com/hubfs/report...

🇺🇸: “Although the current US presidential administration has signalled that maintaining the US’s leading position… a priority, early actions to decrease public funding for science and target international students over alleged visa infractions likely risk undermining this goal.”

🏭: “China’s semiconductor industry likely still faces a bottleneck in producing sub-7 nanometer chips, and it is almost certainly attempting to develop its own extreme ultraviolet lithography tools using alternative techniques to advance domestic AI accelerator production.”

📉: “US export controls have also almost certainly prompted the Chinese government to accelerate funding for its AI hardware and semiconductor industries and high-performance computing infrastructure for training and hosting AI models.”

🔑: “Adopting open source is more prevalent among Chinese AI companies and likely enables China to diffuse its models more broadly than US proprietary models.”

🧑‍🏫: “Access to high-quality training data and IP is an increasingly contested domain where the US likely retains a competitive advantage; companies in both countries are likely leveraging user-generated content to train generative AI models.”

⚖️: “Closing the performance gap while being cost-competitive is very likely to pay off for China by driving the adoption of Chinese generative AI models domestically and abroad.”

🗓️: “According to Insikt Group's analysis of model benchmarks, Elo scores, and industry expert assessments, Chinese generative AI models likely now have a three to six-month performance gap behind US rivals, though this time lag is shortening.”

💡: “AI diffusion rather than innovation will very likely determine the ‘winner’ in the competition… but whether the US or China has greater levels of diffusion is unclear, with one metric (patents) nevertheless showing China has a lead in many industries.”

🧑‍🎓: “The international AI talent pool likely continues to favor the US due to a continuing — though declining — immigration advantage and the quality of elite educational institutions, but the practical implications of this lead for AI competition are likely eroding.”

🧑‍⚖️: “China’s regulatory scheme likely hampers Chinese AI capabilities and extends development and deployment timelines — but only among developers aiming for public-facing products, meaning frontier advancements are unlikely to be impeded.”

💰: “China’s overall government-led funding likely exceeds investment by US federal and state governments… however, total private-sector investment in AI companies in the US vastly outmatches private-sector investment in China.”

🤝: “China’s rapidly maturing AI ecosystem is very likely increasingly fostering collaboration between government, industry, and academia, and is supported by steady advances in semiconductor manufacturing.”

US-China AI Gap: 2025 Analysis of Model Performance, Investment, and Innovation Explore Insikt Group's in-depth 2025 report on the US-China AI race—comparing funding, talent, regulation, compute capacity, and model benchmarks. Discover why China trails the US and what could chang...

New report! Check it out.

This research examines US-China AI gap and the drivers of competition. Insikt Group assesses that China is unlikely to sustainably surpass the US on its desired timeline to become the world leader in AI by 2030.

Link: www.recordedfuture.com/research/mea...

Recorded Future’s Alexander Leslie on the ‘MarkoPolo’ traffer team Safe Mode Podcast · Episode

I had a great time talking with @gregotto.bsky.social from @cyberscoop.bsky.social at RSAC 2025. Always fun!

Check out our conversation about my work on cryptoscam gangs, infostealer “traffer” teams, and the “Marko Polo” cybercriminal group.

Link: open.spotify.com/episode/70AY...

🔑: “Insikt Group observed ten distinct TerraStealerV2 distribution samples between January and March 2025 that employed varied delivery methods, including MSI, DLL, and LNK files.”

🛠️: “TerraStealerV2 lacks support for decrypting Chrome ABE-protected credentials, indicating the tool is likely outdated or still under development.”