2023 Adversary Infrastructure Report

Recorded Future’s 2023 Adversary Infrastructure report forecasts continued evolution of threat actor infrastructure in 2024, including greater use of commodity C2 tools, abuse of legitimate services, and incremental adoption of AI for domain naming and obfuscation. Governments are increasing takedowns of malicious infrastructure, but persistent criminal groups like TA577 and remnants of QakBot operations underscore the need to pursue operators, not just servers. #TA577 #QakBot

Key points

  • Governments are expected to increase takedowns of malicious infrastructure, driven in part by attacks on critical services such as hospitals.
  • Criminal groups demonstrate operational resilience (e.g., TA577 activity continuing after QakBot takedown), highlighting the need to target actors as well as infrastructure.
  • Advanced threat actors are shifting toward commodity command-and-control (C2) frameworks to hinder attribution.
  • Threat actors increasingly abuse legitimate remote management tools (AnyDesk, ConnectWise) and internet platforms (Telegram, GitHub) for C2 and operations.
  • AI is anticipated to be used incrementally for domain generation, network planning, and improved obfuscation in malware development.
  • Common offensive tools and RATs observed include Cobalt Strike, Viper, Meterpreter, AsyncRAT, QuasarRAT, PlugX, ShadowPad, and DarkComet.
  • Organizations are advised to baseline legitimate services, tighten controls, and consider advanced measures (e.g., TLS inspection) balanced against privacy and operational impacts.

MITRE Techniques

  • [T1021] Remote Services – Threat actors abused remote monitoring and management tools for access and control (‘exploit remote monitoring and management software, such as AnyDesk and ConnectWise’).
  • [T1071] Application Layer Protocol – Actors leveraged legitimate internet platforms for C2 and hosting (‘legitimate internet infrastructure like Telegram and GitHub, capitalizing on perceived legitimacy and inadequate network controls’).
  • [T1105] Ingress Tool Transfer – Use and distribution of offensive/security tools and payloads was observed (‘top offensive security tools, including Cobalt Strike, Viper, and Meterpreter’).
  • [T1027] Obfuscated Files or Information – Actors are expected to adopt advanced obfuscation techniques in malware development (‘advanced obfuscation techniques for malware development’).
  • [T1583] Acquire Infrastructure – AI and other methods are being used to plan and provision infrastructure (domains, network layouts) (‘AI…particularly in areas like domain naming, network planning’).

Indicators of Compromise

  • [Malware / RAT / Backdoor names] Mentioned as commonly observed tools – Cobalt Strike, AsyncRAT, Viper, Meterpreter, QuasarRAT, PlugX, ShadowPad, and DarkComet.
  • [Legitimate services abused] Platforms and tools used for abuse – AnyDesk, ConnectWise, and other services like Telegram and GitHub.
  • [Report URLs] Reference/source links found in the article – https://go.recordedfuture.com/hubfs/reports/cta-2024-1209.pdf, https://www.recordedfuture.com/2023-adversary-infrastructure-report

Recorded Future’s analysis focuses on observable adversary infrastructure trends and defensive implications. It documents a continued preference among APTs and cybercriminals for commodity C2 frameworks and widely used remote management tools to reduce attribution, and highlights extensive use of RATs and backdoors (e.g., Cobalt Strike, Meterpreter, AsyncRAT) observed across unique C2 servers. The report also notes increased exploitation of legitimate platforms (Telegram, GitHub) for C2 and hosting, which complicates network detection and forces defenders to refine baselining and allowlisting strategies.

The report anticipates incremental integration of AI into adversary workflows—primarily for domain generation, network planning, and automated obfuscation—improving operational efficiency and lowering technical barriers for attackers. As a result, defenders should prioritize establishing clear baselines for legitimate internet services, optimize detection for abused remote services (AnyDesk, ConnectWise), monitor for known offensive tooling, and evaluate advanced controls such as TLS decryption with careful consideration of privacy, cost, and operational impact.

Operationally, takedowns of infrastructure will likely continue to disrupt operations but are insufficient alone; the persistence of groups like TA577 after dismantling campaigns such as QakBot demonstrates the necessity of coupling takedowns with actions to identify and prosecute operators. Security teams should combine infrastructure disruption, improved network controls, telemetry focused on abused legitimate services and tools, and proactive threat hunting to mitigate evolving adversary infrastructure trends.

Read more: https://www.recordedfuture.com/2023-adversary-infrastructure-report