forecasts
[FORECAST] CoPhish: The Microsoft Copilot Link That Hands Over Your OAuth Tokens
Will at least one publicly disclosed enterprise breach be confirmed where attackers used a Microsoft Copilot Studio..
forecasts
BRICKSTORM intel just landed: PRC actors camping in vCenter/ESXi + Windows. 🧱🕵️‍♂️ F5 source-code drama raises the long-run 0-day odds, but the calendar + attribution lag are savage. Our final call: 11% UNC5221 gets publicly tied to a new 0-day before Dec 31. 🎯
forecasts
Will hackers actually turn off a city’s water, or is that just conference-slide horror fiction? 💧🤔 We put a number on it...
ai
Your “normal” AI traffic can be stealth C2 now. Dark LLMs are writing per-host pwsh one-liners, self-rewriting droppers, and hiding in model APIs you approved. If you’re not policing AI egress, you’re not doing detection. 😬🤖
forecasts
AI just ran most of an espionage op, and regulators are still in “interesting case study” mode. 😏 We’re forecasting: 55% odds that by 2026, someone will force signed AI connectors + agent logs by default.
forecasts
20% odds Akira triggers a 7-day ambulance diversion at a 10+ hospital system by end of 2026. 🚑 Still feeling “low risk”?
cl0p
LockBit got the Operation Cronos takedown. BlackCat imploded. Cl0p just logged a record leak month—and shows no sign of slowing. By 2026, do we really keep Cl0p dark for 90+ days… or just get Cl0p v2 with a fresh logo?
unc6485
UNC6485 is farming Triofox: Host: localhost → setup → mint admin → AV path = your script → SYSTEM → RMM + reverse RDP/443. Patch to 16.7.10368.56560 now. Copycats next. 🔥🛡️
china
One “Allow” → tenant-wide weather event. 🌀 AI agent phish wraps the consent flow, device-code keeps churning, and Typhoon rides “good” U.S. infra. Kill list: user consent, device-code, or EWS app perms—what’s first?
forecasts
We’re at 29% that RedNovember will be publicly reported exploiting at least one zero-day in 2026 under strict timing and attribution rules. The hinge is whether the group escalates beyond PoC-driven N-day edge exploits and whether attribution survives rebranding.
unc5221
UNC5221 is an edge-focused PRC espionage actor repeatedly tied to zero-days (Ivanti 2023–2025; prior NetScaler). Edge products remained a major zero-day target in 2024. But public attributions typically lag exploitation by weeks, and the window is short...
cl0p
Forecast: 20% chance Cl0p’s leak sites go dark by Apr 22, 2026. Needs a seizure banner or ≥14 days down w/ LE attribution. Cronos showed it’s doable; mirrors make it brutal.