Security telemetry indicates a distinct shift in operational behavior. Threat actors are moving away from immediate, disruptive tactics toward long-term persistence strategies that leverage legitimate system processes. Reports from Singapore and Poland identify state-sponsored groups establishing extended presence within critical infrastructure, while broader data shows a significant increase in the misuse of trusted enterprise tools to evade modern detection. For security teams, effective defense now requires monitoring for unauthorized actors who operate within the existing foundation of the network, utilizing the very tools designed for administration and maintenance.
Infrastructure Persistence and Strategic Mapping
Operation Cyber Guardian, a coordinated 11-month effort in Singapore, illustrates this strategic pivot. The Cyber Security Agency of Singapore (CSA), working with the country's major telecommunications providers, identified and removed unauthorized access by UNC3886, a sophisticated group linked to China. The operators maintained access for nearly a year. Their objective was not service disruption or customer data exfiltration but the collection of network blueprints that would support long-term, repeatable access.
This activity parallels the "Salt Typhoon" campaign in North America, which accessed systems at nearly a dozen US and Canadian telecommunications firms and National Guard units. In both theaters, actors exploited previously unknown (zero-day) vulnerabilities in perimeter firewalls and deployed rootkits on the network devices themselves. Because network appliances rarely run endpoint detection agents and their firmware is seldom inspected, implants at this layer are difficult to detect through traditional, host-centric monitoring.
Resilience in Decentralized Energy Sectors
Findings from Poland’s energy sector reinforce the need for infrastructure resilience. Late last year, the Polish grid was subject to a campaign targeting decentralized energy resources (DERs), such as wind and solar farms. Attribution suggests involvement from Russia-aligned clusters, specifically Sandworm (Electrum) and Berserk Bear.
The unauthorized groups accessed more than 30 renewable energy sites by leveraging internet-facing edge devices and default credentials. Once inside, they deployed disruptive software targeting remote terminal units (RTUs) and corrupted device firmware. Although the composition of Poland's generation mix meant the grid remained stable, the incident demonstrates that decentralized power sources require the same rigorous protection as central IT environments.
The Rise of "Living-off-the-Land" Tactics
The methodology for maintaining access is evolving. We observe a decline in the use of custom malicious binaries in favor of "Living-off-the-Land" (LotL) techniques, a term that now covers not only built-in operating system utilities but also legitimately signed third-party software that is already present in, or easily introduced into, the environment. Reporting over the past 24 hours cites a 277% year-over-year increase in the misuse of Remote Monitoring and Management (RMM) tools such as ScreenConnect, AnyDesk and NetSupport. Because these applications are signed and trusted for legitimate administration, they give actors command-and-control (C2), file transfer and remote execution, and allow lateral movement, without triggering signature-based endpoint protection alerts. Often, when an unapproved RMM tool is present, no other malware is found at all, because the RMM agent provides every administrative capability the operator needs.
Supply Chain and Firmware Implications
This misuse of trust extends to the device firmware level. Security researchers recently identified "Keenadu," an unauthorized component embedded in the firmware of approximately 13,000 Android devices. This is a supply chain compromise: the code is introduced before the device reaches the user. Technically, Keenadu integrates with the Android Zygote process. Since every application process is forked from Zygote, code resident in Zygote is inherited by the memory space of every app launched. Because the component lives in the firmware image rather than in the user data partition, it also survives a standard factory reset, which wipes only user data, giving operators persistent, high-level access for remote administration.
Evolving Social Engineering Techniques
Social engineering campaigns are also adopting native system utilities. The "ClickFix" campaign has shifted to using the Windows nslookup command to retrieve scripts. By instructing users to execute a DNS lookup, operators hide the retrieval of the first stage inside an ordinary infrastructure query. The command requests a TXT record from a domain controlled by the actor; the record's contents trigger a sequence involving Python and Visual Basic scripts that installs ModeloRAT. This technique often bypasses web filters and PowerShell monitoring because the staging content travels over DNS rather than HTTP and the process involved is a signed Windows binary whose activity resembles routine network troubleshooting. The evidence is visible elsewhere: the TXT query can be logged at the resolver, and the process tree (nslookup launched from a user context, followed by script interpreters) is unusual.
Recommendations for Defense
These developments suggest a need to adjust monitoring priorities. When actors use nslookup or legitimate RMM tools, the indicator is not the file itself but the context of its execution. Defenders should prioritize monitoring for unusual parent-child process relationships, such as nslookup spawned by a browser or by the Windows Run dialog (which appears in telemetry as a child of explorer.exe), particularly when the command line requests a TXT record.
Additionally, we recommend strict application allowlisting for RMM tools: inventory the products the organization has sanctioned, allow those by code-signing publisher and file hash rather than by file name, and block everything else, including portable versions that run without installation. Treat any unauthorized remote access software as a high-severity finding even in the absence of other indicators, since the RMM agent itself may be the operator's entire toolset.
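The two monitoring recommendations above can be expressed as rules over process-creation telemetry. The following is an added example, not code from the original report or from any vendor. It runs two checks over constructed events (not real telemetry): it flags nslookup spawned by a browser or by explorer.exe (the Run dialog's parent), escalating when the command line requests a TXT record, and it flags RMM agents whose product is not on a hypothetical approved list. The image-name table, the approved set and the parent list are assumptions; a production rule would key on code-signing publisher and file hash rather than file name alone.

```python
"""Behavioral detection over process-creation events for two patterns:
unapproved RMM agents, and nslookup launched from a user context.
Added example; all events and lists below are constructed, not real data."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    parent_image: str      # parent process image name, e.g. "explorer.exe"
    image: str             # new process image name
    command_line: str


@dataclass(frozen=True)
class Finding:
    host: str
    rule: str
    severity: str          # "high" or "medium"
    detail: str


# Image names of common RMM agents -> product. Hypothetical, partial list;
# real allowlisting should use signer and hash, since file names are trivially renamed.
RMM_IMAGES: Dict[str, str] = {
    "screenconnect.clientservice.exe": "ScreenConnect",
    "screenconnect.windowsclient.exe": "ScreenConnect",
    "anydesk.exe": "AnyDesk",
    "client32.exe": "NetSupport",
}

# The one RMM product this hypothetical organization sanctions.
APPROVED_RMM = {"ScreenConnect"}

# Parents that indicate a human typed or clicked the command (Run dialog
# children show explorer.exe as parent), rather than an admin script.
USER_CONTEXT_PARENTS = {"explorer.exe", "chrome.exe", "msedge.exe", "firefox.exe"}

# nslookup switches that request a TXT record (case-insensitive).
TXT_FLAGS = {"-type=txt", "-q=txt", "-querytype=txt", "-qt=txt"}


def requests_txt_record(command_line: str) -> bool:
    """True if an nslookup command line explicitly asks for a TXT record."""
    return any(tok in TXT_FLAGS for tok in command_line.lower().split())


def check_rmm(ev: ProcessEvent) -> Optional[Finding]:
    """Flag any known RMM agent whose product is not on the approved list."""
    product = RMM_IMAGES.get(ev.image.lower())
    if product is None or product in APPROVED_RMM:
        return None
    return Finding(ev.host, "unapproved-rmm", "high",
                   f"{product} agent ({ev.image}) is not on the approved RMM list")


def check_nslookup(ev: ProcessEvent) -> Optional[Finding]:
    """Flag nslookup whose parent is a browser or explorer.exe; TXT queries are high."""
    if ev.image.lower() != "nslookup.exe":
        return None
    if ev.parent_image.lower() not in USER_CONTEXT_PARENTS:
        return None
    if requests_txt_record(ev.command_line):
        return Finding(ev.host, "nslookup-txt-from-user-context", "high",
                       f"nslookup TXT query spawned by {ev.parent_image}: {ev.command_line}")
    return Finding(ev.host, "nslookup-from-user-context", "medium",
                   f"nslookup spawned by {ev.parent_image}: {ev.command_line}")


def analyze(events: List[ProcessEvent]) -> List[Finding]:
    """Run every check over every event and collect the findings in order."""
    findings: List[Finding] = []
    for ev in events:
        for check in (check_rmm, check_nslookup):
            finding = check(ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample events: hosts, domains and paths are made up.
SAMPLE_EVENTS = [
    ProcessEvent("ws-017", "cmd.exe", "nslookup.exe", "nslookup dc01.corp.example"),
    ProcessEvent("ws-042", "explorer.exe", "nslookup.exe", "nslookup -type=txt cfg.example.invalid"),
    ProcessEvent("ws-042", "msedge.exe", "nslookup.exe", "nslookup update.example.invalid"),
    ProcessEvent("ws-099", "explorer.exe", "AnyDesk.exe", '"C:\\Users\\Public\\AnyDesk.exe"'),
    ProcessEvent("srv-03", "services.exe", "ScreenConnect.ClientService.exe",
                 '"C:\\Program Files (x86)\\ScreenConnect Client\\ScreenConnect.ClientService.exe"'),
    ProcessEvent("ws-101", "explorer.exe", "client32.exe", '"C:\\ProgramData\\client32.exe"'),
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.severity.upper()}] {f.host} {f.rule}: {f.detail}")
```

The first event (nslookup under cmd.exe) and the sanctioned ScreenConnect service produce nothing; the remaining four events each produce a finding. The severity split matters operationally: a plain nslookup from a browser warrants triage, while a TXT query from the same context, or any unapproved RMM agent, should page someone.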
In operational technology (OT) environments, the findings from Poland highlight the risk of default credentials on internet-facing edge devices. Hardening must include replacing manufacturer defaults, removing direct internet exposure where possible, and enforcing firmware integrity verification so that corrupted images cannot be loaded onto field devices. Because actors like UNC3886 and Electrum spend months mapping networks, the ability to detect lateral movement between IT and OT environments is a critical defense layer.
Public-private partnerships, such as the collaboration in Singapore, are essential for sharing the actionable intelligence needed to identify these quiet, long-term intrusions. The focus must shift toward supply chain integrity and the continuous behavioral monitoring of "known good" tools. By assuming that actors may attempt to use administrative tools against the environment, teams can build detection strategies based on behavioral anomalies rather than relying solely on static file signatures.