A Look Back at 11 of the Red Report 2026 Featured Threats

Keypoints

Picus identified the top ATT&CK techniques used in 2025 and focused on 11 attacks that demonstrated six of those techniques with associated subtechniques and threat actors.
Notable malware and groups observed include STATICPLUGIN, SadBridge Loader, XLoader (6 & 7), NoisyBear (Operation BarrelFire), ClickFix, APT36 (Python ELF), Chihuahua Stealer, Earth Ammit, PlushDaemon, Docker Swarm/Kubernetes cryptojacking, and Earth Alux.
The study compiled 147 network IoCs: 104 domains, 26 subdomains, and 17 IP addresses tied to the analyzed attacks and expanded that set with additional connected artifacts (WHOIS, DNS resolutions, email-linkage).
DNS and WHOIS enrichment showed 23 of the IoC domains were bulk-registered with 2–936 typosquatting lookalikes, and 28 domains likely had malicious intent 46–516 days before being reported as IoCs.
DNS resolution history revealed extensive domain-to-IP mappings (5,823 domain-to-IP resolutions for 101 domains) and large client query volumes (e.g., 616 unique client IPs making 4,138 DNS queries to five IoC domains in a month-long window).
Additional artifacts discovered include 125 historical WHOIS email addresses (28 public), 7,770 unique email-connected domains (25 weaponized), and numerous IPs/domains confirmed malicious after enrichment.

MITRE Techniques

[T1036 ] Masquerading – General use of masquerading to disguise malicious files or infrastructure (‘abused file typemasquerading to deliver STATICPLUGIN to diplomatic targets’ systems’)
[T1036.008 ] Masquerade File Type – UNC6384 used file-type masquerading to deliver STATICPLUGIN to diplomatic targets (‘abused file typemasquerading to deliver STATICPLUGIN to diplomatic targets’ systems’)
[T1055 ] Process Injection – Multiple threats leveraged process injection to execute payloads within legitimate processes (e.g., SadBridge, XLoader, NoisyBear, ClickFix) (‘SadBridge Loader used APC injection as a key technique to execute malicious code within a legitimate process’)
[T1055.004 ] Asynchronous Procedure Call – SadBridge Loader and XLoader 6/7 used APC injection to run code inside trusted processes (‘SadBridge Loader used APC injection as a key technique to execute malicious code within a legitimate process’; ‘XLoader 6 and 7 used APC injection to execute their payloads within legitimate processes’)
[T1055.003 ] Thread Execution Hijacking – NoisyBear used execution hijacking in Operation BarrelFire to run payloads under trusted processes (‘NoisyBear used execution hijacking in Operation BarrelFire to run its payload under trusted processes’)
[T1055.002 ] Portable Executable Injection – ClickFix performed PE injection to execute its final payload entirely in memory (‘ClickFix used PE injection to execute its finalpayload entirely in memory’)
[T1059 ] Command and Scripting Interpreter – Threat actors abused interpreters such as Python and PowerShell to deliver and execute payloads (‘APT36 or Transparent Tribe demonstrated a significant evolution in their capabilities with the Python-based ELF malware’; ‘Chihuahua Stealer launched a compact PowerShell command that decoded a Base64 payload, executing it in memory’)
[T1059.006 ] Python – APT36 (Transparent Tribe) deployed a Python-based ELF malware showing evolution toward Python tooling (‘APT36 or Transparent Tribe demonstrated a significant evolution in their capabilities with the Python-based ELF malware’)
[T1059.001 ] PowerShell – Chihuahua Stealer used PowerShell to decode and execute a Base64 payload in memory (‘Chihuahua Stealer launched a compact PowerShell command that decoded a Base64 payload, executing it in memory’)
[T1555 ] Credentials from Password Stores – Actors enumerated stored credentials to harvest secrets (Earth Ammit activity) (‘Earth Ammit enumerated credentials saved on compromised systems’)
[T1555.004 ] Windows Credential Manager – Earth Ammit specifically targeted Windows Credential Manager to enumerate saved credentials (‘Earth Ammit enumerated credentials saved on compromised systems’)
[T1562 ] Impair Defenses – Multiple campaigns modified or disabled defenses such as firewalls to maintain access and manipulate traffic (‘PlushDaemon used the Ruler system to dynamically modify iptables firewall rules to intercept and manipulate networktraffic on compromised systems’; ‘Cryptojacking campaign leveraged Docker Swarm and Kubernetes for attack’)
[T1562.004 ] Disable or Modify System Firewall – PlushDaemon dynamically modified iptables rules and other campaigns disabled or altered firewall settings to intercept or evade detection (‘PlushDaemon used the Ruler system to dynamically modify iptables firewall rules to intercept and manipulate networktraffic on compromised systems’; ‘Docker Swarm and Kubernetes Attack’ leveraged orchestration environments)
[T1486 ] Data Encrypted for Impact – Earth Alux used host-specific identifiers to support impact operations, querying MachineGUID as a persistent ID (‘Earth Alux queried the MachineGUID value from the Windows Registry to serve as a persistent, unique identifier for each target host’)

Indicators of Compromise

[Domains ] Reported IoC domains tied to 11 analyzed threats – mediareleaseupdates[.]com, carpmaxxbait[.]online, and other 102 domains (104 total domains identified as IoCs)
[Subdomains ] Subdomain IoCs for seven attacks with some confirmed malicious – four Earth Ammit-related subdomains, one Earth Alux-related subdomain, and other 21 subdomains (26 total subdomains identified as IoCs)
[IP Addresses ] Reported IP IoCs tied to eight threats – 166[.]88[.]2[.]90 (STATICPLUGIN), 178[.]159[.]94[.]81 (Operation BarrelFire), and other 15 IPs (17 total IP addresses identified as IoCs)
[WHOIS Email Addresses ] Historic WHOIS email artefacts linked to IoC domains – 125 unique WHOIS email addresses in history (examples: 28 public WHOIS email addresses), plus 7,770 email-connected domains discovered after enrichment

SHARE THIS STORY

WhatsApp X (Twitter)Telegram Bluesky Facebook LinkedIn Threads Email Print