Patient Operators

The quieter Google/Mandiant publication window after 2017 is not the same thing as operational dormancy: Talos was documenting MuddyWater-associated BlackWater tradecraft refinement in 2019, which is better read as evidence of active iteration during a reporting lull than as a pause in activity. Talos BlackWater By 2022 the documented program changes in kind, not just scale. APT42 reporting shifts attention toward the human layer, with social engineering and surveillance aimed at government officials, policy researchers, journalists, and NGO workers, while the Telegram malware case shows the same logic reaching beyond institutional networks: operators did not need a corporate foothold if the person they wanted could be followed onto a consumer-facing platform instead. APT42 source Telegram case

After no new seed publications in 2023, the record reopens in 2024 on a different layer. By late 2023, Talos had already identified HTTPSnoop as "being deployed against telecommunications providers in the Middle East," which makes the telecom layer feel less like a one-off anomaly and more like a sustained Iran-linked priority target. Talos telecom case The 2024 UNC1860 reporting then introduces a qualitatively different layer: passive backdoors in Middle Eastern telecommunications and government networks, designed to persist without operational noise and to "gain persistent access to high-priority networks." UNC1860 source The access exists; the question is when and for what it will be used.

UNC1549's November 2025 reporting closes the arc. Aerospace and defense targeting under a sustained, technically sophisticated campaign extends the operational surface into the strategic industry layer, with Mandiant documenting operators "exploiting trusted connections with third-party suppliers and partners." UNC1549 source Taken with the telecom footholds of 2024, the endpoint of the dataset suggests an ecosystem that spans infrastructure access, communications penetration, and defense-industrial presence simultaneously. By the end of the record, access is not a hypothesis but a condition, which makes the mechanics of entry, escalation, and persistence the more urgent question.

An employee opens a file. Nothing obvious breaks. Read left to right, the figure works as a handoff chain. The opening foothold begins with malicious file execution, and the pattern becomes harder to see once access shifts from endpoint activity to the identity layer. Talos's 2022 MuddyWater reporting makes the first move explicit, with malicious documents used "to serve as the initial infection vector." Talos initial access UNC1549 shows the same ecosystem leaning on operators who "used valid compromised accounts to gain initial access." Valid accounts However the handoff occurs, the effect is the same: the activity is recast as ordinary user behavior. Application-layer command and control then carries that access inside ordinary web traffic and avoids the louder beaconing patterns that attract attention. Talos HTTPSnoop

The back half of the figure works by reducing noise. Privilege escalation expands what the operator can touch; cleanup and defense evasion shrink what defenders can see; tunneled communications shape the route so the session looks routine. The APT39 reporting describes privilege escalation with commodity tools, and APT42 is explicit that operators "deployed multiple defense evasion techniques to minimize their intrusion footprint." By the time communications shift into tunneled protocols, the intrusion has become an environment adjusted to tolerate the intruder. APT39 source Uncharmed Azure C2 masking

That is why the sequence matters more than any single technique. Nothing here is especially novel; the force of the playbook is in how each stage hands the operator into the next while remaining "difficult to discern ... from legitimate network traffic." UNC1549 source For a CISO, the diagnostic question is where the chain stops looking like ordinary business activity and starts triggering investigation; a single malicious file or odd login rarely answers that on its own. For organizations without a dedicated SOC, the same pattern becomes a procurement and vendor-access question: which third-party relationships would turn one employee click into durable, low-noise access? The same access logic recurs across actors with very different end goals, which turns the next question toward the operators putting it to work.

Read together, the operator cards describe a division of labor across the ecosystem. The surveillance lane is the clearest example: APT42 treats people as collection infrastructure as much as organizations. Mandiant's observation that the group "consistently targeted Western think tanks, researchers, journalists" makes that plain, while APT39 gives the lane a different texture by prioritizing telecommunications and travel-related data, where identity, movement, and personal records become routes into larger political questions. APT42 source APT39 source

The access maintenance lane does a different kind of work. APT34 and UNC1860 function as custodians of access, keeping quiet footholds alive in government and telecommunications environments that other parts of the ecosystem can use later. That is where Talos's description of MuddyWater as "a conglomerate of multiple teams operating independently rather than a single threat actor group" becomes useful: it gives the grid an ecosystem logic built around segmented roles. UNC1860's passive backdoor work is the clearest expression of this role in the seed corpus, because it matters precisely when nothing visible is happening. Talos MuddyWater UNC1860 source

The strategic pressure lane is where access turns into leverage. UNC3890's Israel-focused targeting and UNC1549's later aerospace and defense campaign point at sectors where collection, interference, and contingency positioning sit close together. These actors operate where disruption would radiate outward into state capacity, supply chains, and allied relationships. In this lane, geopolitical pressure and technical access are effectively the same instrument viewed from different stages of use. UNC3890 source UNC1549 source

The disruption lane sits at the visible edge of the same ecosystem. UNC788 / HomeLand Justice appears once, in the Albania ROADSWEEP case, and that sparsity is part of the point: when the objective shifts from quiet access to public effect, the operation becomes narrower and louder. Mandiant's description of a "politically motivated disruptive operation" marks the exception clearly. Most of the record is about patient access; this lane shows what happens when that patience is abandoned in favor of coercive signaling. For most potential targets, the practical question is which lane they are most likely to encounter first. ROADSWEEP source

Valid account abuse is documented more consistently than any access mechanism in this corpus after malicious file execution, appearing in five of the eleven seed reports. For organizations whose sector and geography place them inside the documented target set, identity governance is the highest-priority defensive investment the data supports: MFA without privileged-account carveouts, third-party access review, and behavioral baselining that flags accounts operating outside established scope. Talos's 2022 Turkey case shows how quickly the sequence can begin, documenting malicious PDFs and Office documents "to serve as the initial infection vector" into Turkish government targeting before the intrusion moves deeper into the environment. Talos Turkey

Sector and geography are exposure signals, not backdrop. The map here is selective: no actor in the DB-backed seed corpus is documented against more than five named countries, and most appear against one or two. That is the opposite of spray-and-pray targeting. It means geography functions as a political exposure map: organizations in the recurring country-sector combinations should model themselves against the specific actor lanes most likely to matter to their environment, rather than rely on a generic enterprise threat model.

Cleanup activity is part of the operating pattern. Indicator removal appears in three of the eleven seed reports, and APT42 reporting is explicit that operators "deployed multiple defense evasion techniques to minimize their intrusion footprint," which means operators expect to have time to clean up after themselves and plan for it. Uncharmed The defensive implication is not faster signature detection of initial access; it is forensic resilience: tamper-resistant logging that preserves evidence of cleanup attempts as its own indicator class, and retrospective visibility that does not depend on real-time alerting to reconstruct the intrusion timeline.