Constellations is pleased to have Space ISAC as a regular contributor sharing information about real-world cybersecurity and other threats to space systems around the world. Learn more about ISACs including Space ISAC.

Joel Francis
Space ISAC Intelligence Coordinator
Threat Briefing

Helping the space industry stay aware of incidents, threats & vulnerabilities

Briefing 47: Study Reveals Sources Behind Persistent GNSS Disruptions

6/30/2026

Overview

A recent study from researchers at the University of Texas at Austin, Chasing Lightning: Detecting, Characterizing, and Identifying a Powerful Space-Based GNSS Interference Source, examined seven years of Global Navigation Satellite System (GNSS) interference activity and identified evidence suggesting persistent disruptions in portions of the GPS signal environment may be linked to Russian early-warning satellites operating in Molniya orbits. While the evidence does not conclusively indicate malicious intent, the findings reveal a pattern of coordinated and highly controlled interference activity occurring across large geographic areas between 2019 and 2026.

Researchers identified widespread impacts across Europe, Greenland and Canada, with disruptions occurring nearly simultaneously and overwhelmingly affecting GPS L1 frequencies. Analysis attributed at least one source of the activity with high confidence to Cosmos 2546, a Russian satellite associated with the Edinaya Kosmicheskaya Sistema (EKS) early warning architecture. The broader significance extends beyond attribution. The activity illustrates how modern electronic warfare can introduce ambiguity into critical systems without requiring continuous or overt denial operations.

About the Study

GNSS interference is often viewed through the lens of localized jamming incidents or isolated electronic warfare activity surrounding conflict zones; however, the events observed in this study indicate a different phenomenon. Researchers analyzed seven years of data from 165 terrestrial reference stations operated by the International GNSS Service and identified repeated wide-area interference events occurring between 2019 and early 2026. These events were concentrated on the GPS L1 frequency band and simultaneously affected receivers across large portions of Europe, Greenland and Canada.

Several characteristics distinguished these incidents from expected environmental or technical anomalies. The disruptions did not originate from known GNSS satellite failures, exhibited synchronized timing across geographically separated systems and consistently avoided broader global impacts during the same periods. The synchronization itself proved notable; many events aligned to within one-second sampling resolution, suggesting a common source rather than multiple independent causes.

Researchers note that no comparable transient events were observed on GPS L2 or L5 bands. Such selectivity suggests a controlled operational pattern rather than random signal contamination. The result is a picture of interference activity that appears deliberate in execution even if its purpose remains uncertain.

Characteristics of GNSS Disruption

The technical characteristics of the observed activity provide insight into how interference functions operationally. Most interference events lasted fewer than ten seconds, but their effects were significant. Additional analysis showed that the interference did not affect GPS alone. Galileo and BeiDou signals operating in similar frequency ranges experienced corresponding degradation.

Researchers examining stronger events from 2024 through 2025 also observed a consistent signal profile. The interference peak appeared near 1577.5 MHz, approximately 2 MHz above GPS L1’s center frequency, with an approximate bandwidth of 5 MHz. The consistency of this spectral signature across multiple events suggests a repeatable and controlled transmission source rather than incidental emissions. Researchers further assessed whether natural phenomena such as space weather or unintended signal leakage could explain the activity. The observed patterns made those explanations increasingly difficult to support.

Many events occurred during business hours and standard workdays in Coordinated Universal Time. Natural processes typically produce temporally random distributions; these events did not. Their timing, consistency and strength collectively suggest human-directed activity. This observation alone does not establish hostile intent. Researchers involved in the study suggested the possibility that the activity reflects testing of electronic warfare or jamming capabilities rather than operational deployment. Other experts have expressed skepticism that Russia would routinely use limited early-warning assets for secondary GPS disruption missions. However, whether the activity represents testing, experimentation or operational use, the technical effect remains unchanged.
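The detection characteristics above (near-simultaneous drops at geographically separated stations, impact confined to L1, a roughly 5 MHz peak near 1577.5 MHz) can be turned into simple monitoring logic. The Python below is an added example, not code from the study or from Space ISAC; the station names, C/N0 values and thresholds are constructed, and the per-band main-lobe half-widths are approximations used only for the spectral overlap check.

```python
"""Wide-area GNSS interference triage from multi-station C/N0 series.
Added example, not code from the study or Space ISAC; all sample data is constructed."""
from statistics import median

# Carrier centers (MHz) and approximate main-lobe half-widths for the overlap check:
# 1.023 MHz for the C/A-class signals sharing the 1575.42 MHz carrier,
# 10.23 MHz for the wideband L2 P(Y) and L5 signals.
BANDS = {
    "GPS_L1": (1575.42, 1.023), "GAL_E1": (1575.42, 1.023), "BDS_B1C": (1575.42, 1.023),
    "GPS_L2": (1227.60, 10.23), "GPS_L5": (1176.45, 10.23),
}
# Spectral signature reported in the study: peak near 1577.5 MHz, about 5 MHz wide.
OBSERVED_PEAK_MHZ, OBSERVED_BANDWIDTH_MHZ = 1577.5, 5.0

def bands_overlapping(peak_mhz=OBSERVED_PEAK_MHZ, bandwidth_mhz=OBSERVED_BANDWIDTH_MHZ):
    """Bands whose main lobe intersects the interference band: explains why L1, E1
    and B1C degrade together while L2 and L5 are untouched."""
    lo, hi = peak_mhz - bandwidth_mhz / 2, peak_mhz + bandwidth_mhz / 2
    return sorted(b for b, (c, hw) in BANDS.items() if c - hw <= hi and c + hw >= lo)

def detect_drops(cn0, window=30, threshold_db=10.0):
    """Epoch indices where C/N0 (dB-Hz) sits threshold_db below the median of the
    preceding window epochs; a median baseline tolerates short dips inside the window."""
    return {i for i in range(window, len(cn0))
            if median(cn0[i - window:i]) - cn0[i] >= threshold_db}

def wide_area_events(l1_drops_by_station, min_stations=3, tolerance=1):
    """Cluster L1 drop epochs (gaps <= tolerance) and keep clusters seen at
    min_stations or more sites: simultaneous drops at separated stations point
    to a common source, while a single-site dip looks like local jamming or multipath."""
    epochs = sorted({e for d in l1_drops_by_station.values() for e in d})
    clusters, cur = [], []
    for e in epochs:
        if cur and e - cur[-1] > tolerance:
            clusters.append(cur)
            cur = []
        cur.append(e)
    if cur:
        clusters.append(cur)
    events = []
    for c in clusters:
        start, end = c[0], c[-1]
        hit = sorted(s for s, d in l1_drops_by_station.items()
                     if any(start <= x <= end for x in d))
        if len(hit) >= min_stations:
            events.append({"start": start, "end": end,
                           "duration_s": end - start + 1, "stations": hit})
    return events

def classify(event, drops_by_station_band):
    """'L1-selective' if no affected station shows a concurrent L2/L5 drop (the
    study's pattern), else 'multi-band', which fits broadband noise better."""
    for s in event["stations"]:
        for band in ("GPS_L2", "GPS_L5"):
            if any(event["start"] <= x <= event["end"]
                   for x in drops_by_station_band[s].get(band, ())):
                return "multi-band"
    return "L1-selective"

def analyze(cn0_by_station, **detect_kw):
    """Per-station, per-band drop detection, then L1 clustering and classification."""
    drops = {s: {b: detect_drops(v, **detect_kw) for b, v in band_series.items()}
             for s, band_series in cn0_by_station.items()}
    events = wide_area_events({s: d["GPS_L1"] for s, d in drops.items()})
    for ev in events:
        ev["class"] = classify(ev, drops)
    return events

def _series(n=60, base=45.0, dips=()):
    """Constructed 1 Hz C/N0 track: +/-0.5 dB jitter around base plus optional dips."""
    s = [base + (0.5 if i % 2 else -0.5) for i in range(n)]
    for start, end, level in dips:
        for i in range(start, end + 1):
            s[i] = level
    return s

# Constructed scenario: three sites lose ~17 dB on L1 for 6-7 s in near lockstep
# while L2/L5 hold; a fourth site shows only an isolated local L1 dip at 50-51 s.
SAMPLE_CN0 = {
    "STA_A": {"GPS_L1": _series(dips=[(40, 45, 28.0)]), "GPS_L2": _series(), "GPS_L5": _series()},
    "STA_B": {"GPS_L1": _series(dips=[(41, 45, 27.0)]), "GPS_L2": _series(), "GPS_L5": _series()},
    "STA_C": {"GPS_L1": _series(dips=[(40, 46, 30.0)]), "GPS_L2": _series(), "GPS_L5": _series()},
    "STA_D": {"GPS_L1": _series(dips=[(50, 51, 20.0)]), "GPS_L2": _series(), "GPS_L5": _series()},
}

if __name__ == "__main__":
    print("bands hit by the reported signature:", bands_overlapping())
    for ev in analyze(SAMPLE_CN0):
        print(ev)
```

The single-site dip at STA_D is deliberately left out of the wide-area result, which is the distinction the study draws between a common source and local effects.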

Strategic Significance

The larger issue is not simply identifying a satellite involved in interference activity. It is understanding what such activity demonstrates about modern electronic warfare. Traditional assumptions often frame jamming as continuous signal denial across a battlespace. In practice, that approach creates problems for the actor conducting the operation because persistent emissions increase the likelihood of identification and targeting.

While many recent reports highlight sustained interference in concentrated areas, this study shows a pattern that favors intermittent and controlled disruption. As geopolitically contested regions continue to experience more prolonged interference, insight into repeated interference activity becomes critical to understanding the threat. Brief disruptions can delay actions, create uncertainty and undermine confidence without generating the visibility associated with sustained denial operations. Even temporary degradation can force operators to question sensor outputs, navigation accuracy and system reliability. The cumulative effect becomes less about denying capability outright and more about influencing decision timelines.

Impact on Space Systems

The implications for the space industry extend far beyond navigation systems themselves. Space-enabled services increasingly depend on resilient PNT capabilities that support communications networks, financial systems, transportation infrastructure, satellite operations and autonomous technologies. Disruptions affecting signal integrity can create cascading effects throughout these dependent systems.

The findings also reinforce that space-based interference is no longer solely a terrestrial concern. Space operators have historically focused defensive efforts around cyber threats, kinetic anti-satellite capabilities and conventional electronic warfare systems. Emerging evidence suggests that dual-use or non-traditional platforms may also contribute to signal disruption activity.

As commercial and government space ecosystems continue expanding, resilience will increasingly depend on redundancy rather than reliance on single navigation architectures. Multi-frequency receivers, alternative PNT methods, interference monitoring and greater awareness of signal anomalies will likely become foundational operational requirements rather than optional capabilities.


Briefing 46: Analysis of Data Extortion Actors and Initial Access Brokers on the Commercial Space Industry

6/2/2026

Overview

Over the last several years, financially motivated cybercriminal activity has increasingly converged with the operational realities of the space sector. Space organizations are attractive targets because they support mission-critical operations, maintain high public visibility and rely heavily on interconnected third-party providers, cloud infrastructure, SaaS platforms and remote access technologies. Recent activities have demonstrated a shift away from purely disruptive attacks toward campaigns focused on identity compromise, credential theft and access monetization. In many cases, threat actors are no longer breaching organizations simply to steal data themselves. Instead, they sell access to ransomware groups, extortion crews or even nation-state actors.

Recent Activity

In April 2026, Europe experienced renewed aviation-related cyber disruptions that highlighted the growing momentum of ransomware operators and access brokers targeting transportation and aerospace ecosystems. The 2025 attack on Collins Aerospace had already demonstrated how interconnected aviation and satellite-dependent infrastructure has become.

Groups such as Scattered Lapsus$ Hunters (a.k.a. SLSH) and similar actors have increasingly targeted aerospace and telecommunications organizations since 2025. These groups rely heavily on social engineering, identity compromise and cloud-focused intrusion techniques rather than sophisticated malware. Officials have warned that these tactics, techniques and procedures (TTPs) are especially relevant for organizations in critical and technical sectors, where outsourced IT services are frequently employed.

Recent reporting has also revealed increased threat actor interest in GIS, GNSS and geospatial systems. In May 2026, researchers identified an espionage campaign targeting aerospace and drone operators to exfiltrate valuable geospatial data and gain a clearer picture of their targets. These environments present valuable opportunities for counterintelligence collection, operational disruption and downstream targeting of defense or critical infrastructure partners.

Another important example involved the confirmed attack against Instructure, which demonstrated how extortion operations targeting SaaS providers can create downstream impacts for mission-critical environments. This is particularly relevant for commercial space organizations that rely heavily on externally hosted collaboration, engineering and operational platforms. Meanwhile, underground criminal marketplaces such as BreachForums and Leak Bazaar continue to facilitate the sale of compromised credentials, VPN access, SaaS sessions and victim intelligence at scale. These marketplaces have effectively industrialized access brokerage.

Threat Actor Tradecraft

From a tradecraft perspective, many of these intrusions begin with relatively simple identity-focused attack methods. Common TTPs include phishing, credential stuffing, infostealer malware, OAuth abuse, malvertising and session-token theft. In many cases, attackers are not exploiting zero-day vulnerabilities but rather exploiting weak authentication practices, exposed remote access systems and poor SaaS visibility. Many of these TTPs bridge the gap between purely financially motivated intrusions and follow-on actions enabled by leaked credentials. Metrics from Verizon’s 2026 Data Breach Investigations Report show that post-compromise activities are diversifying to include backdoor deployment, credential harvesting and vulnerability exploitation in addition to ransomware. This further underscores the prevalence of double extortion tactics.

Threat actors are also incorporating new TTPs into existing tradecraft. One example is voice phishing, or vishing, where actors impersonate help desks or trusted personnel to socially engineer MFA resets or credential disclosure. Threat actors are also increasingly leveraging virtual personas and AI-assisted social engineering to establish credibility during targeting operations. MFA bypass techniques continue evolving as well, particularly through session hijacking and adversary-in-the-middle phishing kits that steal authentication tokens after login.

SaaS environments remain a particularly important blind spot for many organizations. Traditional security monitoring often focuses heavily on on-premises infrastructure while cloud collaboration environments, identity providers and externally hosted engineering platforms receive comparatively less scrutiny. For CTI and security teams, another challenge is that underground marketplaces frequently exaggerate or fabricate access claims. Validation and cross-referencing become essential before escalating or responding to reported exposures. However, even low-confidence posts can provide valuable early warning indicators.

One statistic that stands out is the operational timeline between access brokerage and ransomware deployment. In 2025, the average time between an initial access broker (IAB) advertising access and a victim later appearing on a ransomware leak site was approximately 19 days. That provides a relatively small window for defenders to detect and respond before extortion activity escalates. The ransomware groups most commonly associated with access vendors during that timeframe included Play, RansomHub, Everest, Medusa and Sarcoma.

Impact and Mitigations

For the commercial space sector specifically, the implications of escalating data extortion operations are significant. External supply chain risk continues to grow as threat actors increasingly target downstream vendors, subcontractors and managed service providers connected to larger aerospace and satellite organizations. In many cases, smaller suppliers have weaker security controls but maintain trusted access into sensitive environments. So far in 2026, Space ISAC has identified just under 70 claimed attacks against space and aerospace organizations. Of those alleged victims, over 50% were identified as manufacturers, contractors, integrators and external suppliers.

Another important trend is that credential leaks often appear on criminal forums before organizations become aware of the compromise themselves. That creates an intelligence gap where adversaries may already possess valid access while defenders remain unaware. Access to cloud-hosted systems, SaaS platforms, engineering repositories, mission support environments and operational collaboration platforms creates elevated strategic risk for the broader space ecosystem.

Conclusion

Initial access brokers and data extortion groups are increasingly shaping the threat landscape facing the commercial space sector. While ransomware often represents the most visible outcome, the broader ecosystem of identity compromise, access brokerage and cloud-focused intrusion activity presents the more significant strategic concern. For space organizations, the challenge is no longer limited to protecting traditional networks. Defenders must secure identities, SaaS ecosystems, supply chain relationships and cloud-hosted operational environments against increasingly agile and financially motivated threat actors.

As these threats continue to evolve, timely information sharing and collective defense will remain critical to improving sector-wide resilience. Through its mission, Space ISAC helps facilitate the exchange of threat intelligence, incident reporting, vulnerability information and mitigation guidance to strengthen the security and resilience of the global space community.


Briefing 45: Analyzing the Software Supply Chain Risk to the Space Sector

4/7/2026

Overview

As the cyber threat landscape continues to evolve, software supply chain compromise has emerged as one of the most consequential risks facing the space sector. Modern space operations spanning satellite command and control systems, ground infrastructure and mission support environments are increasingly dependent on complex software ecosystems built on continuous integration and continuous delivery (CI/CD) pipelines. While these environments enable operational agility, they also introduce an expanded attack surface defined by third-party dependencies, open-source libraries and deeply integrated cloud services.

Significance

Threat actors have adapted accordingly, increasingly shifting away from direct exploitation of hardened perimeter defenses to instead target implicit trust within the software supply chain. Campaigns leveraging compromised maintainer accounts, malicious package distribution and abuse of third-party integrations enable adversaries to gain initial access through trusted pathways, operate within legitimate environments and scale downstream compromise with limited detection.

This evolution is reflected in broader reporting, with IBM X-Force noting that supply chain attacks have increased more than fourfold over the past five years, driven by a transition toward targeting identity layers, application dependencies and developer workflows rather than traditional infrastructure. Space ISAC observations further reinforce this trend, highlighting a sustained increase in cyber activity targeting IT/Technology and Manufacturing organizations, which represent key components of the space supply chain, including software providers, integrators and component manufacturers.

Analysis of recent high-profile incidents highlights three primary vectors driving software supply chain compromise: exploitation of trusted third-party relationships, insertion of malicious code into software libraries and abuse of trusted development and security tools.

Third-Party Compromise

The first major vector involves the compromise of trusted third-party providers and integrations. MITRE ATT&CK categorizes this as Trusted Relationship (T1199), where adversaries leverage established business or technical relationships to gain indirect access to a target environment.

The Salesloft Drift incident exemplifies this approach. In this campaign, attackers compromised a third-party AI chatbot integration used within Salesforce environments, leveraging OAuth tokens and federated identity access to bypass traditional authentication controls. This enabled access to sensitive data across hundreds of organizations. The initial breach of Salesloft’s development environment ultimately cascaded into widespread downstream exposure.

This vector is particularly relevant to the space sector, where organizations depend on specialized vendors for telemetry processing, analytics and ground system operations. These integrations often require persistent connectivity and elevated permissions, making them high-value targets. Once compromised, adversaries can move laterally across environments, harvest credentials and access mission-relevant data within trusted channels.

Malicious Library Execution

A second key vector involves the distribution and execution of malicious software libraries, particularly within open-source ecosystems. MITRE ATT&CK defines this as User Execution: Malicious Library (T1204.005), where users or systems unknowingly execute compromised code embedded within trusted dependencies.

The Axios supply chain compromise illustrates the scale of this threat. Following the takeover of a maintainer account, attackers published malicious versions of the library containing a hidden dependency that executed upon installation. This payload enabled remote access, system reconnaissance and credential harvesting. Given Axios’ widespread use, the compromise had the potential to impact thousands of applications and development pipelines.

Campaigns such as Shai-Hulud further demonstrate the evolution of this vector. By compromising hundreds of npm packages and injecting malicious workflows into repositories, attackers automated credential harvesting, persistence and propagation across development environments. These operations specifically target CI/CD pipelines, where implicit trust in dependencies allows malicious code to execute with minimal scrutiny.

For space sector organizations, this vector presents a persistent challenge. The reliance on open-source software, combined with complex and often opaque dependency chains, limits visibility into what code is being executed within mission and ground systems. This increases the likelihood that malicious components remain undetected until after deployment.

Abuse of Trusted Tools

A third and increasingly impactful vector involves the compromise of trusted development and security tools themselves. MITRE ATT&CK categorizes this broadly under Supply Chain Compromise (T1195), where adversaries manipulate software or tools that are inherently trusted within an environment.

The compromise of the Trivy vulnerability scanner highlights this risk. In this case, attackers embedded infostealer malware into components associated with the tool, targeting environments where it was integrated into CI/CD pipelines. Because such tools operate with elevated privileges and are widely trusted, they provide an effective mechanism for harvesting credentials and accessing sensitive configuration data.

This vector is particularly dangerous because it undermines security controls from within. Tools designed to identify vulnerabilities or enforce policy can instead become conduits for compromise, effectively inverting their intended function. In environments where automated scanning and DevSecOps practices are deeply embedded, this creates a high-impact avenue for persistent access.

More broadly, this trend reflects an increasing focus on developer environments as primary targets. By compromising the tools that underpin the software development lifecycle, threat actors can gain both immediate access and long-term influence over software integrity.

Outlook and Impact on the Space Sector

The convergence of these three vectors—trusted third-party compromise, malicious libraries and abuse of trusted tools—defines the modern software supply chain threat landscape. Each exploits a different layer of trust, but collectively they enable adversaries to achieve scalable, persistent access across interconnected systems.

Industry feedback reinforces the growing significance of this risk. Organizations report increased exposure to supply chain-related threats originating from open-source software, with downstream compromise emerging as a primary intrusion pathway. At the same time, many continue to face challenges in tracking dependencies, identifying malicious packages and enforcing controls within DevSecOps pipelines.

Improving visibility into software ecosystems is critical to addressing this challenge. Software Bills of Materials (SBOMs) provide a mechanism for cataloging dependencies and understanding exposure, enabling more rapid identification and remediation of affected systems. However, adoption remains uneven, particularly in specialized environments where legacy systems and vendor dependencies complicate implementation.

In response, Space ISAC continues to work with its SBOM Task Force and member community to evaluate practical approaches to supply chain risk management. As threat actors continue to refine their ability to exploit trust within software ecosystems, space sector organizations must treat supply chain security as a core component of mission assurance.

Mitigating this risk will require strengthened developer practices, rigorous dependency validation, improved credential security and enhanced monitoring across CI/CD and cloud environments. Equally important is sustained collaboration across the space community to share threat intelligence and operational insights, ensuring a coordinated and informed defense against an increasingly prevalent threat.
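As an added illustration of the SBOM-driven identification and dependency validation described above (example code, not Space ISAC or SBOM Task Force tooling), the Python below matches CycloneDX components against an advisory list and traces whether each hit is a direct dependency or a transitive one pulled in through another package. The SBOM, system name, advisory IDs and version numbers are constructed placeholders, and the version comparison handles plain dotted versions only.

```python
"""Match CycloneDX SBOM components against advisories of compromised package
versions and trace how each hit entered the dependency graph. Added example, not
Space ISAC tooling; the SBOM, advisory IDs and version numbers are constructed placeholders."""
import re
from collections import deque

PURL_RE = re.compile(r"pkg:([^/]+)/(.+)@([^@?#]+)(?:[?#].*)?")

def parse_purl(purl):
    """pkg:npm/%40scope/name@1.2.3 -> ('npm', '@scope/name', '1.2.3')."""
    m = PURL_RE.fullmatch(purl)
    if not m:
        raise ValueError(f"unsupported purl: {purl}")
    eco, name, ver = m.groups()
    return eco, name.replace("%40", "@"), ver

def parse_version(v):
    """Numeric tuple for dotted versions; prerelease and build tags are dropped."""
    return tuple(int(x) for x in v.split("-")[0].split("+")[0].split("."))

def in_range(ver, spec):
    """OSV-style range: 'introduced' inclusive, 'fixed' exclusive, or an 'exact' pin."""
    v = parse_version(ver)
    if "exact" in spec:
        return v == parse_version(spec["exact"])
    lo = parse_version(spec["introduced"]) if "introduced" in spec else ()
    return v >= lo and ("fixed" not in spec or v < parse_version(spec["fixed"]))

def components(sbom):
    """Flatten a CycloneDX component tree into (ecosystem, name, version, bom-ref)."""
    stack = list(sbom.get("components", []))
    while stack:
        c = stack.pop()
        stack.extend(c.get("components", []))
        eco, name, ver = parse_purl(c["purl"])
        yield eco, name, ver, c.get("bom-ref", c["purl"])

def dependency_path(sbom, target_ref):
    """Shortest path from the root component to target_ref over the 'dependencies'
    graph; shows whether a hit is direct or a transitive ('hidden') pull. None if unreachable."""
    root = sbom["metadata"]["component"]["bom-ref"]
    edges = {d["ref"]: d.get("dependsOn", []) for d in sbom.get("dependencies", [])}
    queue, seen = deque([[root]]), {root}
    while queue:
        path = queue.popleft()
        if path[-1] == target_ref:
            return path
        for nxt in edges.get(path[-1], []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def find_affected(sboms, advisories):
    """Cross every system's SBOM with the advisory list; one finding per matching component."""
    findings = []
    for system, sbom in sboms.items():
        for eco, name, ver, ref in components(sbom):
            for adv in advisories:
                if (adv["ecosystem"], adv["package"]) != (eco, name):
                    continue
                if any(in_range(ver, r) for r in adv["ranges"]):
                    path = dependency_path(sbom, ref)
                    findings.append({"system": system, "component": f"{name}@{ver}",
                                     "advisory": adv["id"], "path": path,
                                     "direct": path is not None and len(path) == 2})
    return findings

def _comp(purl):
    return {"bom-ref": purl, "purl": purl}

# Constructed advisories: placeholder IDs and version numbers, not real advisory data.
ADVISORIES = [
    {"id": "ADV-PLACEHOLDER-1", "ecosystem": "npm", "package": "axios",
     "ranges": [{"introduced": "99.0.1", "fixed": "99.0.3"}]},
    {"id": "ADV-PLACEHOLDER-2", "ecosystem": "npm", "package": "example-hidden-dep",
     "ranges": [{"exact": "0.0.2"}]},
]

# Constructed CycloneDX 1.5-style SBOM for a hypothetical ground-segment web UI:
# axios is a direct dependency, example-hidden-dep is pulled in only through it.
SBOMS = {
    "ground-telemetry-ui": {
        "bomFormat": "CycloneDX", "specVersion": "1.5",
        "metadata": {"component": {"bom-ref": "app:telemetry-ui", "name": "telemetry-ui"}},
        "components": [_comp("pkg:npm/axios@99.0.2"), _comp("pkg:npm/left-thing@1.0.0"),
                       _comp("pkg:npm/example-hidden-dep@0.0.2")],
        "dependencies": [
            {"ref": "app:telemetry-ui",
             "dependsOn": ["pkg:npm/axios@99.0.2", "pkg:npm/left-thing@1.0.0"]},
            {"ref": "pkg:npm/axios@99.0.2", "dependsOn": ["pkg:npm/example-hidden-dep@0.0.2"]},
        ],
    },
}

if __name__ == "__main__":
    for finding in find_affected(SBOMS, ADVISORIES):
        print(finding)
```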


Briefing 44: Cyber Implications of the U.S./Israel/Iran Conflict for the Commercial Space Sector

3/10/2026

Overview

On 28 February 2026, U.S. and Israeli forces initiated strikes against Iranian nuclear, missile and IRGC-linked facilities. Iran responded with missile and drone attacks targeting U.S. and allied bases across Qatar, Bahrain, the UAE, Kuwait and Jordan, alongside reported maritime disruptions near the Strait of Hormuz. Physical impacts have extended to commercial infrastructure, including reported damage to regional facilities and disruptions to shipping traffic, underscoring the widening operational footprint of the conflict.

As expected, the conflict has also expanded into cyberspace. U.S. officials have confirmed offensive cyber operations targeting IRGC capabilities, while Iranian officials have threatened large-scale retaliation against U.S. and Israeli interests. Early cyber activity has largely followed patterns observed in previous regional escalations, including distributed denial-of-service (DDoS) attacks, website defacements, wiper activity and coordinated information operations.

Security researchers have identified more than 60 threat groups participating in cyber activity linked to the conflict. While much of this activity appears to originate from hacktivist collectives making exaggerated or unverified claims, cybersecurity firms have also reported activity from several Iran-nexus threat groups coinciding with the start of the conflict. These actors possess more advanced capabilities, including ransomware operations, destructive wipers, hack-and-leak campaigns, exploitation of pre-positioned access and potential targeting of operational technology (OT) and industrial control systems.

Cyber Impacts

The United States is reportedly leveraging offensive cyber operations to disrupt IRGC capabilities and apply pressure on Iranian leadership. In response, Iranian officials and IRGC-linked entities have threatened large-scale cyber retaliation against U.S. and Israeli critical infrastructure.

Observed retaliatory activity to date has largely taken the form of disruptive but low-impact operations, including DDoS attacks, website defacements, and unverified claims of infrastructure compromise. The U.S. Department of Homeland Security assesses that near-term cyber impacts are likely to remain limited to low-level disruptive activity targeting U.S. and allied networks.

Nevertheless, security firms including CrowdStrike, CyberKnow, Flashpoint, Sophos X-Ops and Anomali report measurable increases in activity across the threat landscape. Analysts caution that while early campaigns appear overstated or opportunistic, the presence of sophisticated Iranian advanced persistent threat (APT) groups introduces credible escalation risks. Actors such as MuddyWater have historically demonstrated capabilities including wiper malware deployment, ransomware operations, credential harvesting and exploitation of previously established network access.

Threats to Critical Infrastructure and Cross-Sector Impacts

For commercial space operators, the cyber dimension of this conflict introduces new operational risks. Iranian-aligned actors have demonstrated interest in satellite terminals, ground station networks and supporting telecommunications infrastructure, reinforcing that commercial space assets may be viable targets during regional cyber campaigns.

Hacktivist proxies and opportunistic actors further amplify exposure, particularly where pre-positioned access exists in cloud environments or OT systems supporting aerospace operations. Space ISAC monitoring has already identified 13 alleged cyber incidents targeting U.S. and Israeli organizations in the aerospace, defense and telecommunications sectors since the start of the conflict, highlighting the immediate cross-sector implications.

In addition, reporting suggests that Iranian threat actors are leveraging satellite communications services, including Starlink, to support command-and-control infrastructure and maintain connectivity amid regional internet disruptions. This development illustrates how commercial space services can become both targets and operational enablers in modern cyber conflict.

Threat Actors and Relevant Campaigns

Iran-nexus APT groups have a well-documented history of targeting critical infrastructure sectors including energy, government, telecommunications, water utilities and industrial environments. Several of these actors possess demonstrated capabilities relevant to the aerospace ecosystem.

Among them, APT33 (Peach Sandstorm) has previously targeted aerospace and defense organizations, deploying custom backdoors and destructive wiper malware to disrupt operations and collect intelligence. Other Iranian actors such as MuddyWater have conducted extensive espionage campaigns and demonstrated proficiency in exploiting enterprise networks and cloud infrastructure.

The presence of hacktivist operations alongside more capable threat actors also complicates analysis. While many attacks appear to have low impact, they may provide insight into reconnaissance activity, sector prioritization and potential credential harvesting. In some cases, such activity may also serve as operational cover for more sophisticated campaigns conducted by state-aligned groups.

Outlook

To date, the cyber dimension of the conflict remains largely disruptive and opportunistic. However, the participation of over 60 threat groups, the confirmed activity of several Iran-linked APT actors, and the targeting of aerospace, defense and telecommunications entities highlight the potential for escalation as the conflict evolves.

For commercial space organizations, the current environment underscores the importance of monitoring supply chain exposure, protecting satellite ground infrastructure and maintaining resilience across interconnected IT and OT systems. As geopolitical tensions increasingly intersect with cyber and space domains, commercial operators are likely to remain within the expanding threat surface of modern conflict.


Briefing 43: Adversary use of AI: 2026 Outlook and Impacts on the Space Sector

2/10/2026

Overview

In February 2026, the Department of Science, Innovation & Technology (DSIT) and the AI Security Institute (AISI) released their International AI Safety Report 2026. This report assesses that general-purpose AI systems are increasingly capable of supporting complex, multi-step tasks across technical domains. While much of the report focuses on safety, governance and misuse prevention, its findings are directly relevant to the cyber threat landscape. The report reinforces the notion that cybercriminals and sophisticated adversaries are no longer just experimenting with AI tools but are beginning to operationalize them across meaningful portions of the cyber kill chain.

Recent reporting from government agencies, private-sector researchers and incident responders indicates that artificial intelligence is becoming a persistent force multiplier in cybercrime and state-sponsored cyber operations. Rather than enabling fully autonomous attacks, observed activity reflects a more pragmatic evolution: AI is being used to accelerate development cycles, scale social engineering and reduce technical friction across attack workflows, with greater autonomy emerging as a longer-term trajectory rather than an immediate capability. These shifts carry direct implications for the commercial space sector, which relies heavily on agile software development, distributed engineering teams and cloud-based ground systems that introduce numerous non-traditional entry points. AI-assisted tradecraft enables adversaries to rapidly adapt and iterate on attack flows tailored to these environments, increasing the likelihood of successful initial access and facilitating lateral movement from enterprise IT networks into mission-critical operational systems.

Evolution of AI-Enabled Threats

Early discussions of adversarial AI usage often centered on theoretical risks or isolated proofs of concept. By contrast, activity observed throughout 2025 and into early 2026 shows a gradual but meaningful transition toward operational use. Threat actors continue to demonstrate integration of AI into discrete tasks where it provides immediate value: code generation, vulnerability research, phishing content creation and workflow automation.

Trend Micro’s State of Criminal AI report from January 2026 underscores this shift, noting that most cybercriminals currently rely on jailbroken commercial large language models (LLMs) such as ChatGPT, Claude and Gemini rather than bespoke models. While this dependence introduces constraints, such as API monitoring and key revocation, it has not prevented adoption. Instead, actors are adapting their tooling and operational security to account for these limitations.

Critically, AI systems are not currently conducting end-to-end cyberattacks autonomously. Human operators remain responsible for target selection, campaign timing and key decision points. However, AI is increasingly embedded within attack workflows, enabling faster iteration and improved scalability. Additionally, the growing prevalence of agentic AI is lowering the technical barrier for malware development.

The Rise of AI-Assisted Malware Development

The most consequential development observed so far in 2026 is the emergence of AI-assisted and, in some cases, AI-authored malware frameworks. In January, researchers disclosed VoidLink, an advanced Linux-focused malware platform reportedly developed almost entirely by Chinese AI agents. VoidLink features a modular, cloud-aware architecture designed to maintain persistent access across Linux environments, with capabilities tailored for long-term operations. This focus on Linux is particularly relevant to the space sector, where operational systems frequently rely on Linux-based servers, embedded systems and containerized workloads to support command-and-control and data processing functions. As commercial space evolves with cloud-native and hybrid operational models, malware optimized for Linux environments aligns closely with the technical realities of space system operations.

While VoidLink does not represent autonomous malware evolution, its significance lies in how AI was used during development. Tasks traditionally requiring experienced malware engineers were largely automated or accelerated through agent-based AI workflows. This suggests that advanced tooling may no longer be constrained by the availability of elite human developers, particularly for well-resourced state-sponsored actors. For space-sector targets, this lowers the barrier for adversaries to tailor malware to specialized operational environments, increasing the likelihood that custom payloads can be adapted to mission-specific configurations, legacy systems or air-gapped support networks.

VoidLink builds on a trajectory observed throughout 2025. Malware families such as MalTerminal, LameHug, and PROMPTLOCK demonstrated earlier approaches to embedding or querying LLMs during execution, often using static prompts or external API calls to generate code, enumerate systems or assist with payload development. Later variants, including PROMPTFLUX and PROMPTSTEAL, showed more dynamic interaction with language models during runtime, signaling a shift toward adaptive malware behavior.

Augmenting the Cyber Kill Chain

Beyond malware development, AI is increasingly supporting multiple phases of the cyber kill chain. Researchers have demonstrated how AI-assisted tools can expedite vulnerability discovery, a finding reinforced when Microsoft used Copilot to identify previously unknown flaws in open-source bootloaders. Adversaries are likely to apply similar techniques, particularly against widely deployed software and cloud-native components.

Social engineering remains one of the most immediately impacted domains. Deepfake technology is already reshaping phishing, business email compromise (BEC) and vishing campaigns. These tools enable threat actors to produce convincing, tailored lures at scale, while rapidly adapting messaging based on victim responses.

AI is also being leveraged to automate operational overhead. Reporting highlights the use of AI agents to create and manage user accounts, rotate infrastructure and assist with reconnaissance. While these capabilities may appear incremental, they collectively reduce friction and allow actors to sustain higher operational tempo with fewer resources.

Conclusion

Observed activity through early 2026 indicates that AI will continue to reshape cyber operations in subtle but consequential ways. Rather than replacing human operators, AI is amplifying their effectiveness by compressing development timelines, enabling rapid experimentation and lowering the barrier to advanced tradecraft, benefiting well-resourced actors while gradually diffusing sophisticated capabilities across broader criminal ecosystems.

For the space sector, AI’s integration across the cyber kill chain increases risk to the interconnected systems that support satellite operations, as adversaries become more capable of rapidly tailoring malware to specialized environments and pivoting from enterprise and development networks into mission-critical operational domains. The most significant implication is not the advent of fully autonomous attacks, but the steady erosion of the time, complexity and specialization advantages that once constrained adversary activity, narrowing the gap between cyber intrusion and operational impact on space missions.


Briefing 42: Infostealers, Credential Abuse, and the Weaponization of File Transfer Infrastructure in the Satellite Sector

1/13/2026

A close-up of a hand pressing a key on a laptop keyboard, overlaid with glowing blue binary code, programming scripts, and digital warning triangle icons.

Overview:

Recent reporting by HudsonRock highlights a growing and relatively underappreciated cyber risk to the aerospace and satellite industries: the exploitation of corporate file transfer and collaboration platforms using credentials harvested by infostealer malware. These incidents demonstrate how financially motivated threat actors can translate seemingly low-level credential theft into high-impact compromises involving sensitive satellite and defense-related data. The campaign attributed to the Sentap-affiliated actor “Zestix” illustrates how weaknesses in identity security, rather than advanced exploitation, continue to enable serious operational exposure.

About the Threat:

On January 5, 2026, cybersecurity firm HudsonRock reported that dozens of global organizations had been compromised through cloud credentials originating from infostealer infections. These compromises were attributed to a threat actor tracked as Zestix, assessed to be affiliated with the financially motivated cybercriminal group Sentap, which operates as an initial access broker (IAB). Open-source reporting links Sentap to approximately 50 high-profile data breaches spanning late 2024 through 2026.

HudsonRock specializes in tracking infostealer malware ecosystems and has previously documented widespread infections affecting high-security environments, including the U.S. Government and the Defense Industrial Base (DIB). In a February 2025 publication, HudsonRock characterized infostealers as a “cybersecurity disaster in the making,” particularly for defense contractors and space-sector organizations that rely heavily on cloud-based collaboration platforms. The January 2026 reporting builds on this assessment by demonstrating how stolen credentials are operationalized in real-world attacks.

Campaign Overview:

According to HudsonRock, Zestix was observed selling data exfiltrated from corporate file sharing portals belonging to approximately 50 major global organizations. Notably, victims included a Turkish aerospace manufacturer and an Indonesian satellite operator. The compromised data sets reportedly contained sensitive military intellectual property and confidential satellite program documentation, including technical materials associated with prominent defense primes.

The intrusions did not rely on zero-day vulnerabilities or advanced exploitation techniques. Instead, attackers leveraged valid credentials obtained from infostealer malware infections to authenticate directly to corporate file sharing platforms such as ShareFile, OwnCloud and Nextcloud. These platforms are widely adopted across the aerospace, satellite and defense supply chain due to their support for large file transfers, external partner access and distributed engineering workflows.

Once authenticated, threat actors were able to enumerate repositories, download sensitive documentation and package the data for resale. In effect, trusted enterprise infrastructure was transformed into an exfiltration mechanism—without triggering many traditional security controls.
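The access pattern just described (a valid credential, a login from infrastructure the account has never used, rapid enumeration of repositories, then bulk download) is visible in ordinary file-sharing portal access logs if someone looks for the combination rather than any one signal. The following detection sketch is an added example, not HudsonRock's, Space ISAC's or any vendor's code. The log format, field names, the per-account "known source IP" baseline and the thresholds are all assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample access log (hypothetical format, not any product's):
# "<ISO8601 ts> <user> <src_ip> <action> <path> <bytes>"
SAMPLE_LOG = """\
2026-01-05T08:02:11Z eng.lead 203.0.113.10 login / 0
2026-01-05T08:03:40Z eng.lead 203.0.113.10 download /projects/bus/ICD_v3.pdf 812000
2026-01-05T08:15:02Z eng.lead 203.0.113.10 list /projects/bus 0
2026-01-05T09:10:00Z partner.qa 192.0.2.8 login / 0
2026-01-05T09:12:30Z partner.qa 192.0.2.8 download /suppliers/antenna_spec.pdf 2100000
2026-01-05T14:00:00Z partner.qa 198.51.100.9 login / 0
2026-01-05T14:01:10Z partner.qa 198.51.100.9 download /suppliers/antenna_spec.pdf 2100000
2026-01-05T22:41:05Z eng.lead 198.51.100.77 login / 0
2026-01-05T22:41:30Z eng.lead 198.51.100.77 list / 0
2026-01-05T22:41:41Z eng.lead 198.51.100.77 list /projects 0
2026-01-05T22:41:52Z eng.lead 198.51.100.77 list /projects/bus 0
2026-01-05T22:42:03Z eng.lead 198.51.100.77 list /projects/ground 0
2026-01-05T22:42:14Z eng.lead 198.51.100.77 list /suppliers 0
2026-01-05T22:43:01Z eng.lead 198.51.100.77 download /projects/bus/ICD_v3.pdf 812000
2026-01-05T22:43:09Z eng.lead 198.51.100.77 download /projects/bus/thermal_model.zip 52000000
2026-01-05T22:43:20Z eng.lead 198.51.100.77 download /projects/ground/ops_config.tgz 9300000
2026-01-05T22:43:31Z eng.lead 198.51.100.77 download /suppliers/antenna_spec.pdf 2100000
2026-01-05T22:43:45Z eng.lead 198.51.100.77 download /projects/bus/test_plan.docx 640000
"""

# Constructed baseline (assumption): source IPs each account used in the last 90 days.
KNOWN_IPS = {"eng.lead": {"203.0.113.10"}, "partner.qa": {"192.0.2.8"}}

WINDOW = timedelta(minutes=30)   # a session is the 30 minutes after a login
LIST_THRESHOLD = 5               # directory listings that look like enumeration
DOWNLOAD_THRESHOLD = 4           # distinct files pulled within the window
BYTES_THRESHOLD = 50_000_000     # or 50 MB total, whichever trips first


def parse_log(text):
    """Parse the constructed log format into dicts, oldest event first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, action, path, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "user": user, "ip": ip, "action": action, "path": path, "bytes": int(nbytes),
        })
    return sorted(events, key=lambda e: e["ts"])


def sessions(events):
    """Group events per (user, ip); a new session starts at each login or
    when the look-back window since the session start has elapsed."""
    by_key = defaultdict(list)
    for e in events:
        by_key[(e["user"], e["ip"])].append(e)
    for (user, ip), evs in by_key.items():
        start, current = None, []
        for e in evs:
            if e["action"] == "login" or start is None or e["ts"] - start > WINDOW:
                if current:
                    yield user, ip, current
                start, current = e["ts"], []
            current.append(e)
        if current:
            yield user, ip, current


def score_session(user, ip, evs, known_ips=KNOWN_IPS):
    """Return the list of indicators present in one session (empty if benign)."""
    reasons = []
    if ip not in known_ips.get(user, set()):
        reasons.append("new_source_ip")
    lists = sum(1 for e in evs if e["action"] == "list")
    files = {e["path"] for e in evs if e["action"] == "download"}
    total_bytes = sum(e["bytes"] for e in evs if e["action"] == "download")
    if lists >= LIST_THRESHOLD:
        reasons.append(f"enumeration:{lists}_lists")
    if len(files) >= DOWNLOAD_THRESHOLD or total_bytes >= BYTES_THRESHOLD:
        reasons.append(f"bulk_download:{len(files)}_files/{total_bytes}_bytes")
    return reasons


def find_credential_abuse(log_text, known_ips=KNOWN_IPS):
    """Alert only when a never-seen source IP is combined with enumeration or
    bulk download; a new IP on its own (travel, VPN) is left as low-priority noise."""
    alerts = []
    for user, ip, evs in sessions(parse_log(log_text)):
        reasons = score_session(user, ip, evs, known_ips)
        if "new_source_ip" in reasons and len(reasons) > 1:
            alerts.append({"user": user, "ip": ip,
                           "start": evs[0]["ts"].isoformat(), "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_credential_abuse(SAMPLE_LOG):
        print(alert)
```

The per-account source baseline is what makes the "old credential, used years later" case tractable: the stolen password itself looks identical to the owner's, so the first signal available to the portal is that the account suddenly behaves differently from a place it has never been. In production the baseline would come from the identity provider or the portal's own login history rather than a literal dictionary, and the thresholds would be tuned per platform, but the structure (new origin AND enumeration-then-bulk-pull within one session) is the part worth keeping.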

Infostealers as an Enabling Capability:

Infostealers are a class of malware designed specifically to harvest credentials, browser session tokens, cookies and stored authentication data from infected systems. Common families such as RedLine, Lumma and Vidar infect both personal and corporate devices, often through phishing, malicious downloads or trojanized software.

The scale of this threat is significant. According to Flashpoint’s 2025 Global Threat Intelligence Report, infostealer malware infected more than 23 million devices and facilitated the theft of over 2.1 billion credentials in 2024 alone. These credentials are frequently aggregated into underground marketplaces and data dumps, where they may remain unused for extended periods. In 2025 so far, Infostealers.com reports over 17,000 compromised machines and 4,000 compromised users.

A key finding from the HudsonRock investigation is the temporal persistence of risk: while some credentials used by Zestix originated from recent infections, others had been exposed years earlier and were only later weaponized. This highlights that credential compromise is not a point-in-time event, but a long-lived vulnerability that can be exploited opportunistically as access needs arise.

Operational and Sector-Specific Impact:

For the satellite industry, these incidents demonstrate how cyber risks extend beyond traditional IT concerns and into operational, programmatic and strategic domains. File transfer platforms are often used to host satellite design documentation, information about system architectures, ground segment configurations, interface specifications, supplier and partner deliverables, and other test data and planning artifacts.

Unauthorized access to this information can enable intellectual property theft, competitive intelligence collection or downstream targeting of satellite networks and supply chains. Importantly, these risks are not confined to nation-state actors, as financially motivated groups have increasingly demonstrated the capability and intent to monetize sensitive aerospace data.


Learn More About Space ISAC

Are you interested in learning more about threats to space systems? Visit our website at spaceisac.org to learn more about security for space and how to become a member.

What is Space ISAC?

ISACs are a special category of non-profit organizations identified by the U.S. government focused on sharing cybersecurity threat information within critical infrastructure industries. ISACs are sector-specific, member-driven organizations that serve to foster information sharing and collaboration between public and private sectors. There are 26 sector-based ISACs (short for Information Sharing and Analysis Center) in industries such as Financial Services and Information Technology.

Space ISAC was conceived by the Science and Technology Partnership Forum in response to increased reports of gaps in information sharing within the cybersecurity and space communities. Officially launched in 2019, Space ISAC's mission is to enhance the space community's ability to prepare for and respond to vulnerabilities, incidents and threats; disseminate timely information; and serve as the primary communications channel for the commercial space sector.

Space ISAC is in the process of standing up its Watch Center to monitor incidents, threats, and vulnerabilities of specific interest to space organizations. In the meantime, Space ISAC is tracking and reporting a variety of cybersecurity events and emerging threats that impact its members. Every two weeks, we will provide a briefing on a specific threat that will be of interest to the broader space community beyond our membership. Our thanks to Constellations for providing this channel for information sharing and communication.

To learn more about Space ISAC, its work and about becoming a member, visit spaceisac.org.
