Q4 2025 closed with a clear pattern: state-linked actors moved from opportunistic espionage toward strategic pre-positioning and supply-chain leverage. Two canonical incidents defined the quarter. First, multiple U.S. and Canadian agencies published a joint advisory describing a sophisticated backdoor, tracked as BRICKSTORM, used to maintain long-term persistence in government and IT networks and to enable credential theft and VM snapshot exfiltration. The advisory warned that the malware targeted VMware vSphere and vCenter infrastructure and that compromises dated back as early as April 2024 in at least one victim.
Second, a nation-state compromise of a major edge vendor materialized into a practical weapon for future exploitation. F5 disclosed unauthorized long-term access to its development environment and the exfiltration of portions of BIG-IP source code and vulnerability tracking data. Governments treated the breach as an imminent risk and pushed emergency remediation guidance for agencies to inventory, isolate, and patch exposed management interfaces. The combination of stolen engineering data and ubiquitous edge appliances created a uniquely dangerous opportunity for rapid weaponization of zero-day and N-day vulnerabilities.
Those two stories are linked. BRICKSTORM tradecraft and the vendor compromise both illustrate a growing emphasis by state actors on pre-positioning and stealthy persistence inside third-party infrastructure. When a vendor that controls traffic flows, load balancing, and SSL termination is breached, defenders lose an important chokepoint for visibility and control. The operational lesson is simple and uncomfortable: assume your perimeter appliances may be under adversary control and plan detection and containment accordingly.
Beyond high-value supply chain and vendor breaches, Q4 data shows the wider ecosystem also shifted. Ransomware volume spiked entering the fourth quarter, with notable increases in October and evidence that financially motivated actors remain the dominant immediate threat to most organizations. At the same time, Microsoft and other observers documented increased use of generative AI by rival states and their proxies to scale reconnaissance, craft targeted lures, and automate influence operations. These two trends converge: cheaper, faster target discovery and tailored social engineering increase the speed at which an adversary can exploit newly discovered or privately held vulnerabilities.
The tactical picture I saw across incident reports and vendor advisories in Q4 comes down to these practical priorities of state actors: long-term persistence for intelligence and future sabotage, compromise of edge and management plane suppliers to amplify reach, and the use of AI to make human-focused attack stages more scalable. That mix increases both the probability and potential impact of attacks against critical infrastructure and government supply chains.
What to do now, in practical terms. First, treat vendor incidents as hostile pre-breaches. Immediately inventory and segregate management interfaces for edge appliances (load balancers, ADCs, VPN concentrators), apply vendor patches, and remove or block exposed administrative endpoints. Where emergency directives or advisories exist, follow them precisely and document compliance.
Second, harden virtualization management. The BRICKSTORM analysis shows attackers will target vCenter and ESXi to harvest VM snapshots and credentials. Apply the principle of least privilege to service accounts, rotate and replace exposed cryptographic keys if ADFS or identity providers may have been accessed, and monitor for unusual snapshot exports or VSOCK-based inter-VM activity. Increase logging fidelity for hypervisor management planes and integrate those logs into your SIEM and EDR for cross-correlation.
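The snapshot-monitoring point above, worked as an added example that is not from the advisory or any vendor tooling: once hypervisor management-plane events are normalized into the SIEM, three cheap rules catch the pattern described, an account acting from a source address never seen in its baseline, a burst of snapshot operations by one account in a short window, and snapshot exports outside business hours. The event format, account names, source addresses, thresholds and the sample event stream are all constructed assumptions.

```python
"""Flag unusual snapshot activity in constructed hypervisor management-plane events.

Added example. KNOWN_SOURCES, the thresholds and SAMPLE_EVENTS are constructed
assumptions; a real deployment would feed normalized vCenter/ESXi events from the
SIEM into detect() instead.
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumed per-account baseline: source addresses normally seen for each account.
KNOWN_SOURCES = {
    "svc-backup": {"10.200.0.50"},
    "admin.jdoe": {"10.200.0.12"},
}
BURST_THRESHOLD = 3                    # snapshot operations by one account ...
BURST_WINDOW = timedelta(minutes=10)   # ... within this window trigger a burst alert
BUSINESS_HOURS = range(7, 20)          # 07:00-19:59 local time, assumed

# Constructed sample events: (timestamp, account, source address, action, vm).
# A backup account doing its normal daytime job, then an admin account acting from
# an unfamiliar address late at night, snapshotting and exporting identity servers.
SAMPLE_EVENTS = [
    ("2025-11-03T09:02:10", "svc-backup", "10.200.0.50", "snapshot.create", "web-01"),
    ("2025-11-03T09:03:40", "svc-backup", "10.200.0.50", "snapshot.create", "web-02"),
    ("2025-11-03T23:14:05", "admin.jdoe", "10.20.4.77", "snapshot.create", "dc-01"),
    ("2025-11-03T23:15:11", "admin.jdoe", "10.20.4.77", "snapshot.create", "adfs-01"),
    ("2025-11-03T23:16:02", "admin.jdoe", "10.20.4.77", "snapshot.create", "pki-01"),
    ("2025-11-03T23:18:30", "admin.jdoe", "10.20.4.77", "snapshot.export", "dc-01"),
    ("2025-11-03T23:19:45", "admin.jdoe", "10.20.4.77", "snapshot.export", "adfs-01"),
]


def parse_event(raw):
    """Turn one raw tuple into a dict with a real datetime for window arithmetic."""
    ts, account, source, action, vm = raw
    return {"ts": datetime.fromisoformat(ts), "account": account,
            "source": source, "action": action, "vm": vm}


def detect(raw_events):
    """Return alerts as (kind, account, detail, timestamp) tuples, in time order."""
    events = sorted((parse_event(e) for e in raw_events), key=lambda e: e["ts"])
    alerts = []
    flagged_sources = set()          # (account, source) pairs already alerted on
    recent = defaultdict(list)       # account -> timestamps of snapshot ops in window
    for e in events:
        if not e["action"].startswith("snapshot."):
            continue
        # Rule 1: account acting from a source address absent from its baseline.
        key = (e["account"], e["source"])
        if e["source"] not in KNOWN_SOURCES.get(e["account"], set()) and key not in flagged_sources:
            flagged_sources.add(key)
            alerts.append(("new_source", e["account"], e["source"], e["ts"]))
        # Rule 2: snapshot export outside business hours.
        if e["action"] == "snapshot.export" and e["ts"].hour not in BUSINESS_HOURS:
            alerts.append(("offhours_export", e["account"], e["vm"], e["ts"]))
        # Rule 3: burst of snapshot operations by one account inside BURST_WINDOW.
        window = recent[e["account"]]
        window.append(e["ts"])
        window[:] = [t for t in window if e["ts"] - t <= BURST_WINDOW]
        if len(window) == BURST_THRESHOLD:   # fire once as the threshold is crossed
            alerts.append(("burst", e["account"], len(window), e["ts"]))
    return alerts


def summarize(alerts):
    """Count alerts by kind, the shape a SIEM dashboard or test would consume."""
    return Counter(kind for kind, *_ in alerts)


if __name__ == "__main__":
    for kind, account, detail, ts in detect(SAMPLE_EVENTS):
        print(f"{ts.isoformat()} {kind:16} {account:12} {detail}")
    print(summarize(detect(SAMPLE_EVENTS)))
```

Each rule is weak on its own (backup jobs burst, admins work late), which is why the output carries the account and timestamp: the cross-correlation the text calls for happens when the same account trips all three within minutes, and when the VMs involved are identity infrastructure, which is the signal to start key rotation rather than just open a ticket.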
Third, accept AI as a force multiplier for attackers and defenders alike. Train detection models to flag AI-augmented social engineering patterns, expand phishing-resistant authentication for high-value roles, and augment human threat hunters with generative tools that can triage and synthesize IOC context. Do not rely on any single control. Layer identity, network segregation, endpoint detection, and active threat hunting.
Finally, this quarter reinforced a policy point we have been emphasizing: supply-chain security and vendor transparency are national security issues. Rapid, coordinated public-private response and mandatory baseline security requirements for vendors that supply critical network infrastructure are necessary to reduce asymmetric advantage for state actors. Defense in depth remains necessary, but it must be paired with forward-looking vendor governance, stronger incident reporting mandates, and sustained investment in operational readiness. The adversary is buying scale and time. Defenders must buy resilience.