[FORECAST] Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026? Updated 2026-03-24
RedNovember is the kind of crew that turns “it was only an N-day” into a post-incident coping mechanism. We’re at 25% odds they get publicly tied to a true 0-day in 2026. With edge exploitation surging, that’s not exactly comforting. 👀🔥
TL;DR
Question
Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026?
This is the 3rd in our forecast series targeting "Red November":
Executive Forecast
We estimate 25% that RedNovember will be publicly reported exploiting at least one zero-day in 2026 under strict timing and lineage rules. The key hinge is whether RedNovember escalates from its documented weaponized-PoC/N-day edge approach into pre-disclosure exploitation (and whether investigators can still attribute it cleanly amid shared infrastructure and naming churn). Watch for corroborated reports that establish exploitation start dates before advisory/patch on VPN/firewall/email-security/virtualization appliances and explicitly map the operator to RedNovember (or a lineage-qualified alias).
AlphaHunt
Forecast Card
- Question: Will RedNovember be publicly reported to exploit at least one zero-day vulnerability in 2026?
- Resolution Criteria: Yes if all are true:
  - A report published in 2026 by one of: Google Threat Intelligence/Mandiant, Microsoft Threat Intelligence, Palo Alto Networks Unit 42, Cisco Talos, Broadcom Symantec, Volexity, CISA/NSA/UK NCSC
  - attributes the exploitation to RedNovember or an alias/rebrand with evidenced lineage via ≥2 of: infrastructure overlap, ≥80% malware code similarity, or explicit cross-vendor mapping
  - the exploitation occurred in 2026
  - and exploitation was before both:
    - Public disclosure: earliest of vendor advisory/PSIRT post or CVE publish time; and
    - Patch availability: vendor’s first fix/patch release time (mitigations/workarounds excluded).
  No otherwise. Times adjudicated in America/New_York.
- Horizon: 2026-12-31 23:59 America/New_York
- Probability (Now): 25% | Log-odds: -1.10
- Confidence in Inputs: Medium
- Base Rate: 20% from a tighter, auditable actor-year reference class aligned to the question:
  - Reference class definition: PRC-nexus clusters with documented, recurring edge/perimeter tradecraft and strong public tracking, drawn from primary gov/vendor reporting: {RedNovember, UNC5221, UNC4841, Volt Typhoon, BlackTech}.
  - Window: calendar years 2023–2024 (2 years).
  - Counting rule: an actor-year counts “1” if there is public reporting that the actor exploited ≥1 zero-day (as defined in this question: exploited before patch availability and before public disclosure) during that calendar year.
  - Denominator: 5 actors × 2 years = 10 actor-years.
  - Numerator: 2 actor-years:
    - UNC4841: zero-day exploitation of Barracuda ESG CVE-2023-2868 occurred in 2023, prior to the May 23, 2023 disclosure/patch actions (Mandiant)
    - UNC5221: zero-day exploitation of Ivanti Connect Secure CVE-2025-0282 began mid-Dec 2024 (Mandiant)
  - ⇒ 2/10 = 20%
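The resolution criteria and the base-rate tally above are precise enough to replay mechanically, which is how a forecast like this stays auditable when a candidate report lands. The block below is an added example, not code from the AlphaHunt page: it encodes the card's rules (accepted publishers, the ≥2-of-3 lineage test for aliases, "earliest of advisory or CVE publish" as the disclosure time, exploitation before both disclosure and first fix, all dates judged in America/New_York) and the 2/10 reference-class arithmetic with its log-odds. The `CandidateReport` type, the helper names, and every timestamp in `demo_cases()` are constructed for illustration; the reference-class booleans simply transcribe the card's count, not an independent assessment.

```python
"""Added example: replay the forecast card's resolution rules and base rate.
Not part of the original page. Report timestamps below are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from math import log
from typing import Dict, Optional, Set, Tuple
from zoneinfo import ZoneInfo

NY = ZoneInfo("America/New_York")  # the card adjudicates all times here

# Publishers named in the resolution criteria.
ACCEPTED_PUBLISHERS = {
    "Google Threat Intelligence/Mandiant", "Microsoft Threat Intelligence",
    "Palo Alto Networks Unit 42", "Cisco Talos", "Broadcom Symantec",
    "Volexity", "CISA", "NSA", "UK NCSC",
}
# The three lineage signals; an alias/rebrand needs at least two of them.
LINEAGE_KINDS = {"infrastructure_overlap", "code_similarity_ge_80", "cross_vendor_mapping"}


@dataclass
class CandidateReport:            # hypothetical container for one public report
    publisher: str
    published: datetime           # tz-aware
    attributed_to: str            # "RedNovember" or an alias name
    exploitation_start: datetime  # earliest evidenced exploitation, tz-aware
    advisory_time: Optional[datetime]      # vendor advisory / PSIRT post
    cve_publish_time: Optional[datetime]   # CVE record publication
    patch_time: Optional[datetime]         # first fix only; mitigations are ignored
    lineage_evidence: Set[str] = field(default_factory=set)


def ny(dt: datetime) -> datetime:
    return dt.astimezone(NY)


def public_disclosure(r: CandidateReport) -> Optional[datetime]:
    """Earliest of vendor advisory/PSIRT post and CVE publish time."""
    known = [t for t in (r.advisory_time, r.cve_publish_time) if t is not None]
    return min(known) if known else None


def resolves_yes(r: CandidateReport, year: int = 2026) -> Tuple[bool, str]:
    """Apply the card's rules in order; return (verdict, reason)."""
    if r.publisher not in ACCEPTED_PUBLISHERS:
        return False, "publisher not in the accepted list"
    if ny(r.published).year != year:
        return False, "report not published in the resolution year"
    if r.attributed_to != "RedNovember" and len(r.lineage_evidence & LINEAGE_KINDS) < 2:
        return False, "alias lacks >=2 independent lineage signals"
    start = ny(r.exploitation_start)
    if start.year != year:  # year is judged after conversion to New York time
        return False, "exploitation did not occur in the resolution year"
    disclosure = public_disclosure(r)
    if disclosure is None or r.patch_time is None:
        return False, "disclosure or patch time unknown; cannot adjudicate"
    if not (start < ny(disclosure) and start < ny(r.patch_time)):
        return False, "exploitation not before both disclosure and patch (N-day)"
    return True, "zero-day under the card's rules"


# Reference class exactly as tallied on the card: actor -> {year: counted?}
REFERENCE_CLASS: Dict[str, Dict[int, bool]] = {
    "RedNovember":  {2023: False, 2024: False},
    "UNC5221":      {2023: False, 2024: True},   # Ivanti CVE-2025-0282, mid-Dec 2024
    "UNC4841":      {2023: True,  2024: False},  # Barracuda ESG CVE-2023-2868
    "Volt Typhoon": {2023: False, 2024: False},
    "BlackTech":    {2023: False, 2024: False},
}


def base_rate(actor_years: Dict[str, Dict[int, bool]]) -> float:
    total = sum(len(years) for years in actor_years.values())
    hits = sum(1 for years in actor_years.values() for hit in years.values() if hit)
    return hits / total


def log_odds(p: float) -> float:
    return log(p / (1 - p))


def demo_cases() -> Dict[str, bool]:
    """Constructed reports exercising each rule; returns name -> verdict."""
    utc = timezone.utc
    base = dict(publisher="Volexity", published=datetime(2026, 4, 1, tzinfo=utc),
                attributed_to="RedNovember",
                advisory_time=datetime(2026, 3, 10, 14, tzinfo=utc),
                cve_publish_time=datetime(2026, 3, 11, tzinfo=utc),
                patch_time=datetime(2026, 3, 9, 18, tzinfo=utc))
    cases = {
        # exploitation a week before the first fix and the advisory -> Yes
        "true_zero_day": CandidateReport(exploitation_start=datetime(2026, 3, 2, tzinfo=utc), **base),
        # exploitation after the fix shipped but before the advisory -> No (N-day)
        "n_day": CandidateReport(exploitation_start=datetime(2026, 3, 10, tzinfo=utc), **base),
        # 03:00 UTC on 2026-01-01 is still 2025-12-31 in New York -> No
        "tz_boundary": CandidateReport(exploitation_start=datetime(2026, 1, 1, 3, tzinfo=utc), **base),
        # alias backed by only one lineage signal -> No
        "weak_alias": CandidateReport(exploitation_start=datetime(2026, 3, 2, tzinfo=utc),
                                      lineage_evidence={"cross_vendor_mapping"},
                                      **{**base, "attributed_to": "HypotheticalAlias-X"}),
    }
    return {name: resolves_yes(r)[0] for name, r in cases.items()}
```

The `tz_boundary` case is the one worth keeping in mind: a report that states exploitation timestamps in UTC can put the start date in a different calendar year than the card's America/New_York clock, so the adjudication converts before comparing years rather than trusting the printed date.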