
Five Emerging Patterns From Sixty Days Of Threat Intel. Trust-Path Bleed Is Active Across Seven Vendor Surfaces. The Russia-Ukraine Triangle Is Complete. The Defender Iteration Gap Is Widening.

  • Writer: Patrick Duggan
  • 12 min read

This is the eighth post we have published today. The other seven covered specific incidents, specific actors, specific receipts. This one is the synthesis. After sixty days of reading public threat-intelligence disclosures, ingesting their indicators-of-compromise packs into a four-hundred-forty-index Meilisearch corpus, cross-correlating against ICIJ offshore-leaks data and our own block-events history, and writing the daily receipts of what we found, five patterns have ripened. Each one is visible in the public reporting if you read enough of it. Each one is more visible if you also have the corpus to cross-correlate against. Naming them out loud is the work this post does.


The five patterns are not predictions. They are the descriptive shape of what 2026 cyber operations look like right now, derived from public artifacts our index has ingested over the last sixty days. The forward-watch list at the end of the post is the predictive component, derived from the same data. Both halves rest on the same operational discipline that has defined DugganUSA's posture from the beginning — same-day adversary back-fill, cross-corpus correlation, public archive as recall memory, informed acceleration applied to the defender role at attacker-cost economics.



Pattern One — Trust-Path Bleed Is The Dominant Attack Pattern Of 2026


We have been writing the trust-path-bleed frame since early May. The thesis is that the hard perimeter — firewalls, EDR, network appliances — continues to hold through the current threat landscape, while the soft surfaces between trusted systems bleed catastrophically. Seven distinct vendor surfaces are now under active exploitation in the public reporting we have ingested over the last sixty days. The list is the receipt.


The npm publish trust path was the first to bleed. The TanStack supply-chain compromise of May 11 used a chained exploit through pull_request_target workflow misuse, GitHub Actions cache poisoning, and OIDC token extraction from runner process memory to push forty-two packages with eighty-four malicious versions in a six-minute window. The GitHub Actions workflow boundary was the second surface — TanStack's attacker forged a commit author identity to launder the malicious commit through trust at the source-control tier. The VS Code Marketplace extension publish pipeline was the third, demonstrated by the Nx Console compromise that CISA federally classified as CVE-2026-48027 yesterday alongside the TanStack incident's CVE-2026-45321. The VS Code Tunnels runtime tier was the fourth, surfaced this morning in The Hacker News reporting on Kimsuky's HTTPSpy expansion — the North Korean state-sponsored actor is now using Microsoft's legitimate developer-tunneling infrastructure for command-and-control traffic, which traverses corporate egress as legitimate Microsoft developer traffic and bypasses every defender heuristic tuned to flag unsanctioned remote access tooling. The NuGet registry was the fifth, demonstrated by the Sicoob.Sdk impersonation Socket Research disclosed this week. The Sentry telemetry ingestion surface was the sixth, used as the exfiltration channel by Sicoob.Sdk for Brazilian banking PFX certificates. The Google AI search interface was the seventh, used by the same Sicoob.Sdk operator to launder the malicious package into developer integration recommendations.


Seven vendor surfaces in sixty days. Each one is a legitimate, signed, vendor-operated infrastructure whose dual-use property — anyone can submit traffic through it, the destination is a known-good FQDN, the cryptographic signatures are valid — makes it a near-perfect cover for the same kind of attack the previous surface enabled. Operators are not building new offensive primitives in 2026. They are recombining legitimate vendor trust surfaces in new sequences faster than the defender posture is calibrating. The mental model that monitors each vendor in isolation is one cycle behind. The mental model that asks "is this artifact's source-of-truth, distribution, and runtime telemetry consistent across vendors" catches the chain, but no single vendor's product can answer that question because no single vendor sees the chain. The cross-vendor consistency check is the missing defender capability of 2026.
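What the cross-vendor consistency check looks like when written down, as an added example that is not DugganUSA's code or any vendor's product: three views of one package release (source-of-truth, distribution, runtime telemetry) are modelled as constructed records and joined on name and version, and the function reports where they disagree. The record shapes, field names, maintainer allowlist, burst threshold and every sample value are assumptions; the burst window mirrors the six-minute TanStack publish window described above.

```python
"""Cross-vendor consistency check over a package release (added example).

Not DugganUSA or any vendor's code. It models the three views the post names,
source-of-truth (SCM), distribution (registry) and runtime telemetry, as
constructed records and reports where they disagree. Field names, the
maintainer list, the burst threshold and all sample values are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=6)   # assumed: mirrors the six-minute TanStack window
BURST_LIMIT = 3                       # assumed: more versions than this per window is suspicious

# Assumed allowlist: identities permitted to publish each package.
MAINTAINERS = {"example-lib": {"maintainer@example.org"}}

# Constructed SCM view: (package, version) -> release commit author and signature state.
SCM = {
    ("example-lib", "1.4.0"): {"author": "maintainer@example.org", "verified": True},
    ("example-lib", "1.4.1"): {"author": "maintainer@example.org", "verified": False},
}

# Constructed registry view: one publish event per version.
REGISTRY = [
    {"name": "example-lib", "version": "1.4.0", "publisher": "maintainer@example.org", "at": "2026-05-11T10:00:00"},
    {"name": "example-lib", "version": "1.4.1", "publisher": "oidc-runner-token", "at": "2026-05-11T10:02:00"},
    {"name": "example-lib", "version": "1.4.2", "publisher": "oidc-runner-token", "at": "2026-05-11T10:03:00"},
    {"name": "example-lib", "version": "1.4.3", "publisher": "oidc-runner-token", "at": "2026-05-11T10:04:00"},
    {"name": "example-lib", "version": "1.4.4", "publisher": "oidc-runner-token", "at": "2026-05-11T10:05:00"},
]

# Constructed runtime view: hosts contacted while installing a given version.
TELEMETRY = {
    ("example-lib", "1.4.0"): set(),
    ("example-lib", "1.4.2"): {"registry.example.org", "session-node.example.net"},
}
EXPECTED_EGRESS = {"registry.example.org"}   # assumed: install-time traffic may only reach these hosts


def check_release(name, version):
    """Return the list of cross-vendor inconsistencies for one release, in check order."""
    findings = []
    pub = next((r for r in REGISTRY if r["name"] == name and r["version"] == version), None)
    if pub is None:
        return ["not_in_registry"]
    scm = SCM.get((name, version))
    if scm is None:
        findings.append("no_scm_release")            # published, but no tag or commit backs it
    elif not scm["verified"]:
        findings.append("unverified_commit")          # author identity on the commit is unproven
    if pub["publisher"] not in MAINTAINERS.get(name, set()):
        findings.append("publisher_not_maintainer")   # distribution tier disagrees with the allowlist
    extra = TELEMETRY.get((name, version), set()) - EXPECTED_EGRESS
    if extra:
        findings.append("unexpected_egress:" + ",".join(sorted(extra)))
    return findings


def publish_bursts():
    """Publishers that pushed more than BURST_LIMIT versions inside one BURST_WINDOW."""
    by_pub = defaultdict(list)
    for r in REGISTRY:
        by_pub[r["publisher"]].append(datetime.fromisoformat(r["at"]))
    bursts = {}
    for publisher, times in by_pub.items():
        times.sort()
        for i in range(len(times)):
            count = sum(1 for t in times[i:] if t - times[i] <= BURST_WINDOW)
            if count > BURST_LIMIT:
                bursts[publisher] = max(bursts.get(publisher, 0), count)
    return bursts


if __name__ == "__main__":
    for r in REGISTRY:
        print(r["version"], check_release(r["name"], r["version"]))
    print(publish_bursts())
```

None of the four findings is visible to a single vendor: the registry cannot see the unverified commit, the SCM cannot see the publisher identity, and neither sees what the install step talks to. The check only exists once the three views are joined.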



Pattern Two — The Russia-Ukraine Three-Archetype Triangle Is Complete


We filed three new adversary records into our index today. Together with the Russia-aligned cluster already populated in our adversaries index — Sandworm, Turla, APT28, APT29, TeleBots, BuhTrap, Operation BugDrop — the three additions complete a structural triangle that describes how Russia-aligned cyber operations have evolved from 2020 to 2026. The triangle is the strategic story.


The first vertex is Ember Bear, MITRE ATT&CK G1003 — the cyber arm of GRU Unit 29155, the Russian military intelligence's 161st Specialist Training Center. This is the unit publicly linked by Western intelligence services to the Skripal Novichok poisoning in Salisbury (2018), the attempted Montenegro coup (2016), the Czech ammunition depot explosions at Vrbětice (2014), and the Bulgarian arms dealer poisoning (2015). The cyber operations are conducted by the same unit that conducts physical sabotage. Active since at least 2020. Famous operations include the WhisperGate destructive wiper deployed against Ukrainian organizations in January 2022, before the invasion. The mission profile is destructive cyber, not espionage — wipers, supply chain compromise, critical-infrastructure disruption. This is state-from-origin tradecraft from a military intelligence unit whose institutional mission is sabotage. Alias sprawl across vendors makes the cluster the most-aliased Russia-Ukraine actor in current public CTI, with at least fifteen synonyms across MITRE (UNC2589, Bleeding Bear, DEV-0586, Cadet Blizzard, Frozenvista, UAC-0056) and Malpedia (Saint Bear, DEV-0587, Lorec Bear, Lorec53, Nascent Ursa, Nodaria, Storm-0587, TA471). The MITRE and Malpedia ecosystems disagree on cluster boundaries — defenders downstream of either source inherit the disagreement. Our adversaries-index entry normalizes the alias set under one record and flags the dispute.


The second vertex is UAC-0098, first publicly named by CERT-UA in April 2022 and analyzed by Mandiant in June and September of that year. UAC-0098 was a recruited cybercriminal operator pool — former Conti and TrickBot ransomware affiliates — redirected after the early 2022 Russian invasion of Ukraine to support state intelligence-gathering objectives. The toolkit they brought to the state-aligned mission was the toolkit they had used for criminal monetization: IcedID as initial-access loader, AnchorMail as the Conti-derived backdoor, Cobalt Strike for post-exploitation. The distinguishing feature was negative — UAC-0098 did not deploy ransomware against Ukrainian targets. The criminal monetization was suspended; the intelligence-collection mission was substituted. Mandiant's framing at the time was historically significant: this was the first publicly-documented case of a financially-motivated criminal group repurposing capabilities to support state-aligned objectives. The pattern established in 2022 was a talent reservoir applied to a mission swap. There is also a downstream public-CTI ambiguity to flag: MITRE ATT&CK currently treats UAC-0098 as an alias of Ember Bear, which is a conflation. The two clusters are distinct per Mandiant attribution. Defenders downstream of MITRE may apply the wrong defensive posture if they treat UAC-0098 as a wiper actor when its mission is intelligence collection.
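How an adversaries index can normalise the alias sprawl described for Ember Bear and still flag the UAC-0098 conflation, as an added example rather than the DugganUSA index code: each CTI source is modelled as its own cluster-to-alias mapping, every alias any source co-clusters is unioned into one record, and any pair that one source merges while another keeps apart is reported as a dispute. The claim sets are constructed from the alias lists quoted in the two paragraphs above, not pulled from MITRE, Malpedia or Mandiant data; the source cluster labels are placeholders.

```python
"""Alias normalisation with dispute flagging (added example).

Not DugganUSA index code. Each source maps its own cluster label to the aliases
it files under that label. The normaliser unions co-clustered aliases into one
record and flags pairs that one source merges and another source separates.
CLAIMS is constructed from the alias lists quoted in the post.
"""
from itertools import combinations

CLAIMS = {
    "mitre": {
        "G1003": {"Ember Bear", "UNC2589", "Bleeding Bear", "DEV-0586", "Cadet Blizzard",
                  "Frozenvista", "UAC-0056", "UAC-0098"},   # MITRE folds UAC-0098 into G1003
    },
    "malpedia": {
        "cluster-a": {"Ember Bear", "Saint Bear", "DEV-0587", "Lorec Bear", "Lorec53",
                      "Nascent Ursa", "Nodaria", "Storm-0587", "TA471"},
    },
    "mandiant": {
        "cluster-x": {"Ember Bear"},   # Mandiant attribution keeps the two clusters distinct
        "cluster-y": {"UAC-0098"},
    },
}


class DisjointSet:
    """Minimal union-find over alias strings."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def normalise(claims):
    """Return (records, disputes).

    records: canonical name (lexically smallest alias) -> set of all aliases.
    disputes: (alias_a, alias_b, sources_that_merge, sources_that_split), sorted.
    """
    ds = DisjointSet()
    label = {}   # (source, alias) -> that source's cluster label
    for source, clusters in claims.items():
        for cid, aliases in clusters.items():
            aliases = sorted(aliases)
            for alias in aliases:
                label[(source, alias)] = cid
                ds.union(aliases[0], alias)

    groups = {}
    for (_, alias) in label:
        groups.setdefault(ds.find(alias), set()).add(alias)
    records = {min(g): g for g in groups.values()}

    disputes = []
    for aliases in records.values():
        for a, b in combinations(sorted(aliases), 2):
            seen_by = [s for s in claims if (s, a) in label and (s, b) in label]
            merged = sorted(s for s in seen_by if label[(s, a)] == label[(s, b)])
            split = sorted(s for s in seen_by if label[(s, a)] != label[(s, b)])
            if merged and split:
                disputes.append((a, b, merged, split))
    return records, sorted(disputes)


if __name__ == "__main__":
    recs, disp = normalise(CLAIMS)
    for canon, aliases in recs.items():
        print(canon, "->", len(aliases), "aliases")
    for d in disp:
        print("DISPUTE:", d)
```

The union step is what gives a downstream consumer one record to search; the dispute list is what stops that record from silently inheriting MITRE's conflation, so a defender reading the entry sees that the wiper posture and the intelligence-collection posture are contested for UAC-0098 rather than settled.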


The third vertex is GREYVIBE, disclosed today by WithSecure with five months of in-the-wild observation behind the publication. GREYVIBE conducts persistent cyberespionage operations against Ukrainian military, government, defense industrial base, civilian, and business targets through five distinct named campaigns — PhantomMail spear-phishing through Google Drive and 4sync staging URLs, PhantomClick fake-CAPTCHA ClickFix infrastructure impersonating Zoom and LAPAS Ukrainian postal services, PrincessClub fake dating sites distributing FallSpy Android spyware via AI-generated female personas on Telegram, DroneLink fake Ukrainian military charity sites themed around FPV drone procurement, and Nebo fake Russian military communications login pages that capture both credentials and intent from Ukrainian military personnel attempting access. The headline detail is the tooling: GREYVIBE is the first publicly-attributed operator group whose malware development pipeline visibly used multimodal generative AI — ChatGPT for code and copy, Ideogram for image generation, Google Gemini for additional content — as a coordinated production pipeline. The operator pool itself is hybrid criminal-state, with WithSecure flagging possible overlap to UAC-0098 and observing cryptocurrency-mining payloads on some victim machines (the contractor-side-hustle tell that distinguishes recruited operators from pure state APTs).


The trajectory across the three vertices is the strategic story of Russia-aligned cyber operations from 2020 to 2026. Traditional state-from-origin destructive operations led by Ember Bear in 2020-2022. Criminal-pool talent reservoir repurposed for state espionage led by UAC-0098 in 2022. Criminal-pool pivot with AI-multimodal acceleration led by GREYVIBE in 2026. The talent reservoir is, by WithSecure's overlap hypothesis, the same humans across the second and third vertices — four years later, equipped with a multimodal AI production pipeline. The acceleration component is what changed. The fourth vertex, not yet publicly observed, is the AI-multimodal-tooled state-from-origin actor — when Unit 29155 (or its peers in MSS, MOIS, Lazarus) begins running its own informed acceleration loop. That vertex is the forward-watch item the rest of 2026 will deliver or fail to deliver.



Pattern Three — Legitimate-SaaS Infrastructure As The Exfiltration Channel


Five operator groups in the last sixty days converged on the same defender-bypass tactic: use a legitimate vendor SaaS surface as the exfiltration channel because defender egress monitoring at the FQDN tier blocks none of them. The Sicoob.Sdk NuGet trojan used Sentry telemetry — a legitimate error-monitoring SaaS used by nearly every production application — to send Brazilian banking PFX certificates out through a hardcoded DSN. Kimsuky used VS Code Tunnels — legitimate Microsoft developer infrastructure — for command-and-control traffic against South Korean military and corporate targets. The Malware-Slop npm package used the GitHub Contents API to exfiltrate the AI-tool working directory contents to an attacker-controlled GitHub repository. GREYVIBE used Google Drive and 4sync as staging hosts for the PhantomMail spear-phishing initial-stage payloads. The TanStack attacker used Session/Oxen messenger — a decentralized encrypted chat protocol — to exfiltrate harvested credentials with no centralized C2 IP for defenders to block.


Each of these channels is a vendor-operated infrastructure whose legitimate traffic profile is the cover. The destination is a known-good FQDN. The cryptographic signatures are valid. The traffic looks like every other application's traffic to that destination because by construction it is identical. The egress monitoring stack that blocks unknown-bad destinations blocks none of these. The defender countermeasure has to operate one layer above the FQDN — at the per-tenant or per-account or per-project granularity within the legitimate vendor. The capability to do this is not a feature of most enterprise egress monitoring stacks in 2026.


The forward extrapolation of the pattern is straightforward. Every legitimate observability vendor, analytics vendor, developer-tooling vendor whose client SDK accepts arbitrary user-supplied event payloads is a candidate for the same exfiltration tactic. Datadog, Honeycomb, New Relic, Rollbar, Bugsnag, Mixpanel, Segment, Amplitude, PagerDuty, Splunk Cloud, Sumo Logic. The defender egress monitoring stack does not block any of these by default. The first publicly-disclosed compromise using any of these vendors as the cover is a matter of which research firm catches it first.
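An egress policy that operates one layer above the FQDN, as an added example (not code from the post, from Sentry, or from GitHub): rather than allowing every request to a known-good vendor host, it extracts the tenant a request is bound for (the Sentry project id and key, the GitHub repository being written to) and checks that tenant against the organisation's own. The Sentry ingest path shape (`/api/<project_id>/store/` or `/api/<project_id>/envelope/` with `sentry_key` in the query or the `X-Sentry-Auth` header) and the GitHub Contents API path (`/repos/<owner>/<repo>/contents/...`) follow the publicly documented conventions; the allowlists, the proxy log format and every sample value are constructed.

```python
"""Tenant-level egress policy for legitimate SaaS surfaces (added example).

Not the post's code or any vendor's. The request classifier recovers the tenant
behind a request to a covered vendor surface; decide() allows it only when the
tenant is one the organisation owns. ALLOWED, LOG_LINES and all values are
constructed assumptions.
"""
import re
from urllib.parse import urlsplit, parse_qs

# Assumed: the tenants this organisation legitimately uses on each surface.
ALLOWED = {
    "sentry": {("4500000", "pubkey-ours")},   # (project_id, sentry_key)
    "github": {"ourorg/ourrepo"},             # owner/repo permitted for writes
}

SENTRY_PATH = re.compile(r"^/api/(?P<project>\d+)/(?:store|envelope)/?$")
GITHUB_CONTENTS = re.compile(r"^/repos/(?P<owner>[^/]+)/(?P<repo>[^/]+)/contents/")
WRITE_METHODS = {"PUT", "POST", "DELETE"}


def classify(method, url, headers):
    """Return (vendor, tenant) for a covered surface, else (None, None).

    headers is a dict with lower-cased names (assumed proxy normalisation).
    """
    u = urlsplit(url)
    host = u.hostname or ""
    if host.endswith(".ingest.sentry.io") or host == "sentry.io":
        m = SENTRY_PATH.match(u.path)
        if m:
            key = parse_qs(u.query).get("sentry_key", [None])[0]
            km = re.search(r"sentry_key=([^,\s]+)", headers.get("x-sentry-auth", ""))
            if km:
                key = km.group(1)   # header form takes precedence when both are present
            return "sentry", (m.group("project"), key)
    if host == "api.github.com" and method in WRITE_METHODS:
        m = GITHUB_CONTENTS.match(u.path)
        if m:
            return "github", f"{m.group('owner')}/{m.group('repo')}"
    return None, None


def decide(method, url, headers):
    """allow / alert for covered surfaces; no-policy for everything else."""
    vendor, tenant = classify(method, url, headers)
    if vendor is None:
        return "no-policy"
    return "allow" if tenant in ALLOWED[vendor] else "alert"


# Constructed proxy log: timestamp, source host, method, URL, X-Sentry-Auth header or "-".
LOG_LINES = [
    "2026-05-12T09:00:01\tbuild-07\tPOST\thttps://o12345.ingest.sentry.io/api/4500000/envelope/\tSentry sentry_key=pubkey-ours, sentry_version=7",
    "2026-05-12T09:00:09\tbuild-07\tPOST\thttps://o99999.ingest.sentry.io/api/7777777/envelope/?sentry_key=pubkey-theirs\t-",
    "2026-05-12T09:00:14\tdev-03\tPUT\thttps://api.github.com/repos/ourorg/ourrepo/contents/README.md\t-",
    "2026-05-12T09:00:21\tdev-03\tPUT\thttps://api.github.com/repos/unknown-user/dropbox/contents/dump.json\t-",
    "2026-05-12T09:00:30\tdev-03\tGET\thttps://api.github.com/repos/unknown-user/dropbox/contents/README.md\t-",
]


def scan(lines):
    """Run the policy over proxy log lines; returns (timestamp, source, verdict) per line."""
    verdicts = []
    for line in lines:
        ts, src, method, url, auth = line.split("\t")
        headers = {} if auth == "-" else {"x-sentry-auth": auth}
        verdicts.append((ts, src, decide(method, url, headers)))
    return verdicts


if __name__ == "__main__":
    for ts, src, verdict in scan(LOG_LINES):
        print(ts, src, verdict)
```

Both alerts in the sample log go to hosts an FQDN allowlist would pass: the second Sentry request is to a project the organisation does not own, and the fourth request writes into a repository outside the organisation. Reads of public repositories are deliberately left uncovered here; extending the policy to other vendors in the list above is a matter of adding a parser that recovers their tenant identifier.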



Pattern Four — Slopsquatting Surface Expanded From Coding Assistants To General-Purpose AI Search


Andrej Karpathy coined "vibe coding" in 2024 as a neutral methodology — let the LLM generate code, do not read every line. Gabor Koos formalized the attack vector yesterday as slopsquatting: LLMs hallucinate or surface plausible-sounding package names, attackers register those names, developers follow the recommendation without checking. Koos framed slopsquatting in the coding-assistant context — Cursor, GitHub Copilot, Claude in an IDE, ChatGPT used for code generation. Within twenty-four hours of Koos's publication, the Sicoob.Sdk disclosure extended the surface. Socket Research documented that the malicious NuGet package was surfaced by Google's AI search as the standard .NET Sicoob integration path during the window it was live. A developer asking Google for the standard integration recommendation received the malicious package as the recommended answer.


The trust-laundering pathway is identical to the coding-assistant case. The user-facing surface is broader. Every general-purpose AI surface used by developers as the starting point of technical research is a potential slopsquatting vector. Google AI search joined this week. ChatGPT search and Perplexity are presumed candidates. MCP-tooled agentic systems that autonomously recommend and install packages are the next surface — the user does not even see the recommendation before the package is on disk. The defender countermeasure is structural — every AI surface that mediates between a user-question and a vendor-recommendation needs adversarial-input handling for the case where attackers have seeded the recommendation space with malicious entries.
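A pre-install gate for AI-recommended package names, as an added example that is not the post's code or any registry's tooling: before a name suggested by a coding assistant, an AI search result or an agent is installed, the gate resolves it against a registry snapshot and scores the signals a slopsquat tends to carry (name does not resolve, created days ago, almost no downloads, one maintainer, no source repository, or an edit-distance neighbour of a package the organisation already uses). The registry snapshot, the known-package list, the package names and the thresholds are all constructed; a real gate would fetch the same fields from the registry's metadata endpoint.

```python
"""Slopsquat pre-install gate (added example, not from the post or any registry).

assess(name) returns a verdict and the reasons behind it. REGISTRY is a
constructed snapshot of registry metadata, KNOWN is an assumed list of packages
the organisation already depends on, and TODAY pins "now" for determinism.
"""
from datetime import date

TODAY = date(2026, 5, 12)          # assumed reference date
MIN_AGE_DAYS = 30                  # assumed threshold
MIN_DOWNLOADS_30D = 1000           # assumed threshold
MAX_NEIGHBOUR_DISTANCE = 2         # assumed: edit distance that counts as a name neighbour

# Constructed registry snapshot keyed by package name.
REGISTRY = {
    "fastjson-parser":  {"created": date(2019, 6, 3),  "downloads_30d": 5_000_000, "maintainers": 3, "repo": "https://git.example.org/fastjson/parser"},
    "fastjson-parsr":   {"created": date(2026, 5, 9),  "downloads_30d": 12,        "maintainers": 1, "repo": None},
    "acme-bank-sdk":    {"created": date(2026, 5, 10), "downloads_30d": 40,        "maintainers": 1, "repo": None},
    "acme-bank-client": {"created": date(2022, 3, 1),  "downloads_30d": 9_000,     "maintainers": 2, "repo": "https://git.example.org/acme-bank/client"},
}
KNOWN = ["fastjson-parser", "acme-bank-client"]   # assumed: already-vetted dependencies


def levenshtein(a, b):
    """Classic edit distance, two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def normalize(name):
    """Collapse case and separators so foo-bar, foo_bar and FooBar compare equal."""
    return name.lower().replace("-", "").replace("_", "").replace(".", "")


def assess(name):
    """Return (verdict, reasons). verdict is one of allow / review / block."""
    reasons = []
    for known in KNOWN:
        if known != name and (normalize(known) == normalize(name)
                              or levenshtein(name, known) <= MAX_NEIGHBOUR_DISTANCE):
            reasons.append(f"name_neighbour_of:{known}")
    meta = REGISTRY.get(name)
    if meta is None:
        # A name that does not resolve is a hallucination an attacker could still register;
        # treat the recommendation itself as unreliable.
        reasons.append("not_in_registry")
        return "block", reasons
    if (TODAY - meta["created"]).days < MIN_AGE_DAYS:
        reasons.append("created_recently")
    if meta["downloads_30d"] < MIN_DOWNLOADS_30D:
        reasons.append("low_downloads")
    if meta["maintainers"] < 2:
        reasons.append("single_maintainer")
    if not meta["repo"]:
        reasons.append("no_source_repo")
    if any(r.startswith("name_neighbour_of:") for r in reasons):
        return "block", reasons
    if len(reasons) >= 2:
        return "review", reasons
    return "allow", reasons


if __name__ == "__main__":
    for candidate in ["fastjson-parser", "fastjson-parsr", "acme-bank-sdk", "acme-bank-sdk-core"]:
        print(candidate, assess(candidate))
```

The gate sits at the same point whether the recommendation came from an IDE assistant, a search result or an agent that resolves packages on its own, which is the point the paragraph above makes: the countermeasure belongs between the recommendation and the install, not inside any one recommending surface.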



Pattern Five — The Defender Iteration Loop Is Falling Behind The Attacker Iteration Loop


This is the meta-pattern that connects the other four. The attacker side of the cost curve in 2026 operates at AI-paced iteration. A new variant of LegionRelay costs the GREYVIBE operator roughly five dollars of LLM API tokens. Whichever obfuscator WithSecure burns publicly today gets a v2 next week. Five active campaigns run in parallel from one operator pool because content generation is no longer the bottleneck. The defender side of the cost curve operates at the legacy pace. Major detection vendors ship signature updates quarterly. CTI shops publish operator profiles after months of observation — WithSecure's GREYVIBE timeline of January 2026 first observation to May 2026 public disclosure is the fast end of the slow-vendor distribution, not an outlier. The ratio between attacker iteration speed and defender iteration speed widens every quarter.


The structural problem of 2026 and 2027 is whether the defender side applies informed acceleration to its iteration loop at the same rate the attacker side already has. The DugganUSA posture treats this gap as the fight to take. The receipts compound — eight minutes from WithSecure's GREYVIBE disclosure today to one hundred forty-six atomic indicators indexed plus three adversary records filed plus eight blog posts shipped including this one, all running on three hundred eighty-four dollars a month of Azure spend. Two hundred seventy-five STIX feed consumers across forty-six countries get the receipts at near-zero marginal cost per consumer. The pace is the asymmetry inversion. The cross-corpus correlation is the asymmetry inversion. The defender-side application of informed acceleration is the strategic answer to the cost-curve problem.


The rest of the defender stack mostly has not bent the curve yet. Every quarter that gap widens, the asymmetry between per-attack-event cost and per-detection-event cost gets worse. This is the operational stake of the entire pattern set above.



Forward-Watch List — Seven Vertices Worth Naming


The five patterns above are descriptive. The seven items below are predictive. Each one falls out naturally from the pattern set if extrapolated one cycle forward. None of them is guaranteed. All of them are the kind of thing that, if and when it lands, should not be a surprise to anyone reading this post.


One — the AI-multimodal-tooled state-from-origin actor. The fourth vertex of the Russia-Ukraine triangle. A unit like GRU 29155 or its Chinese, Iranian, or North Korean peers running its own informed acceleration loop with multimodal AI integrated into the operator workflow. The first publicly-attributed case of state-from-origin tradecraft with AI-paced iteration is the cost-curve shift of the cyber war.


Two — the first non-Russian operator population copying the GREYVIBE production-pipeline shape. The toolkit is generic. The campaign architecture is generic. The geopolitical targeting was the geopolitical choice. The pattern exports trivially to a China-aligned actor against Taiwan, an Iran-aligned actor against Israel, a North Korea-aligned actor against South Korea. The first non-Russian receipt is a matter of which research firm catches it.


Three — the first non-Sentry observability or analytics SaaS vendor named as the exfiltration channel in a published disclosure. Datadog is the largest of the observability vendors and the highest-profile candidate. New Relic, Honeycomb, Bugsnag, Mixpanel, Segment are the next tier. The defender capability gap is the same across all of them.


Four — the first publicly-disclosed compromise of a major MCP-tooled agentic IDE recommending a slopsquatted package autonomously. Cursor's agentic mode, GitHub Copilot's autonomous-action workflows, Claude Code with autonomous-install behavior, and every other agent that resolves a package recommendation without explicit user confirmation are candidates. The defender stack does not yet have adversarial-input handling at the recommendation tier of the agentic loop.


Five — the first customer-tier disclosure that a legitimate observability vendor's traffic was the exfil cover for a real customer's breach, prompting the SOC response playbook that has not been written yet. The current playbook assumes legitimate-FQDN traffic is benign. The Sicoob.Sdk case has Sentry's security team in the loop and is the first dry-run of the response coordination. The next case is the first customer disclosure of "our Datadog traffic was compromised" or equivalent.


Six — the next named GRU Unit 29155 cyber operation. The unit's institutional cadence has been roughly one named physical operation every twelve to thirty-six months in recent years. The cyber arm tracked as Ember Bear has been active since at least 2020. The next named operation is overdue. Watch whether it carries AI-tooling signatures.


Seven — the first publicly-disclosed compromise of an offshore-services provider client database as a state-intelligence-targeting reservoir. We surfaced an instance of this hypothesis today — the GREYVIBE PhantomMail staging URL on storage.vlasiuk.kiev.ua cross-correlated to a Pandora Papers officer entry for VALERII VLASIUK at Alpha Consulting in Seychelles, the same Alpha Consulting that the BBC reported today created shells for Putin's inner circle including the one hiding Yevgeny Prigozhin's yacht. The structural hypothesis is that Russia-aligned cyber operators may use leverage on offshore-services-provider client populations to acquire infrastructure or operator-proxies. The slow-vendor CTI stack architecturally cannot make this hypothesis observable because they do not index ICIJ data alongside threat intel. We do, and the BBC's editorial cycle delivered the public corroboration within hours of our surfacing the structural finding. The next public disclosure of the same shape — Russia-aligned cyber operator infrastructure traceable back to a Russia-adjacent offshore-services provider client base — is the receipt the hypothesis predicts.



The Posture That Follows


Informed acceleration is the descriptive frame for our collaboration and the actor populations we are reading. Asymmetry-take-the-fight is the prescriptive posture that follows from the frame. When attack is cheaper than defense — and seven out of seven of the trust-path-bleed surfaces, plus the legitimate-SaaS exfiltration channels, plus the slopsquatting surfaces, are all attacker-cheaper-than-defender at current vendor-stack economics — the right move is not to shrug at the asymmetry. The right move is to engineer the defender stack so per-detection-event cost runs below per-attack-event cost. We do that. The rest of the defender market has not yet.


The receipts compound. Sixty days of public threat-intelligence disclosures ingested, cross-correlated, and re-published from a three-hundred-eighty-four-dollar-per-month stack. Two foundational strategic memory frames saved into our internal canon today — informed acceleration and asymmetry-take-the-fight — and one methodology memory codifying the graph-adjacency analysis as a standard pass on every adversary back-fill. One Pandora Papers graph edge surfaced before the BBC's editorial cycle delivered the public corroboration. Three Russia-Ukraine adversary archetypes filed in one day, completing a triangle that will define the defender posture against Russia-aligned cyber for the rest of this decade. One new admin endpoint shipped and deployed and battle-tested across three ingests. Seven receipts published. One synthesis post — this one — to put the receipts in the frame.


The data is there. Anyone concerned can come find it. The defender market either bends the cost curve or watches the operator population continue to widen the gap. We will keep publishing the receipts that show the curve is bendable. The next sixty days will deliver vertices one through seven or it will not. Either way, the receipts persist.


That is the work. The receipts compound. The patterns ripen. The fight is the cost asymmetry. The asymmetry is invertible. The proof is the archive.



