Netskope named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge. Get the report

  • Why Netskope chevron

    Changing the way networking and security work together.

  • Our Customers chevron

    Netskope serves more than 3,000 customers worldwide including more than 25 of the Fortune 100

  • Our Partners chevron

    We partner with security leaders to help you secure your journey to the cloud.

Still Highest in Execution.
Still Furthest in Vision.

Learn why 2024 Gartner® Magic Quadrant™ named Netskope a Leader for Security Service Edge the third consecutive year.

Get the report
Netskope Named a Leader in the 2024 Gartner® Magic Quadrant™ for Security Service Edge graphic for menu
We help our customers to be Ready for Anything

See our customers
Woman smiling with glasses looking out window
Netskope’s partner-centric go-to-market strategy enables our partners to maximize their growth and profitability while transforming enterprise security.

Learn about Netskope Partners
Group of diverse young professionals smiling
Your Network of Tomorrow

Plan your path toward a faster, more secure, and more resilient network designed for the applications and users that you support.

Get the white paper
Your Network of Tomorrow
Introducing the Netskope One Platform

Netskope One is a cloud-native platform that offers converged security and networking services to enable your SASE and zero trust transformation.

Learn about Netskope One
Abstract with blue lighting
Embrace a Secure Access Service Edge (SASE) architecture

Netskope NewEdge is the world’s largest, highest-performing security private cloud and provides customers with unparalleled service coverage, performance and resilience.

Learn about NewEdge
Netskope Cloud Exchange

The Netskope Cloud Exchange (CE) provides customers with powerful integration tools to leverage investments across their security posture.

Learn about Cloud Exchange
Netskope video
The platform of the future is Netskope

Intelligent Security Service Edge (SSE), Cloud Access Security Broker (CASB), Cloud Firewall, Next Generation Secure Web Gateway (SWG), and Private Access for ZTNA built natively into a single solution to help every business on its journey to Secure Access Service Edge (SASE) architecture.

Go to Products Overview
Netskope video
Next Gen SASE Branch is hybrid — connected, secured, and automated

Netskope Next Gen SASE Branch converges Context-Aware SASE Fabric, Zero-Trust Hybrid Security, and SkopeAI-powered Cloud Orchestrator into a unified cloud offering, ushering in a fully modernized branch experience for the borderless enterprise.

Learn about Next Gen SASE Branch
People at the open space office
Designing a SASE Architecture For Dummies

Get your complimentary copy of the only guide to SASE design you’ll ever need.

Get the eBook
Make the move to market-leading cloud security services with minimal latency and high reliability.

Learn about NewEdge
Lighted highway through mountainside switchbacks
Safely enable the use of generative AI applications with application access control, real-time user coaching, and best-in-class data protection.

Learn how we secure generative AI use
Safely Enable ChatGPT and Generative AI
Zero trust solutions for SSE and SASE deployments

Learn about Zero Trust
Boat driving through open sea
Netskope achieves FedRAMP High Authorization

Choose Netskope GovCloud to accelerate your agency’s transformation.

Learn about Netskope GovCloud
Netskope GovCloud
  • Resources chevron

    Learn more about how Netskope can help you secure your journey to the cloud.

  • Blog chevron

    Learn how Netskope enables security and networking transformation through security service edge (SSE)

  • Events and Workshops chevron

    Stay ahead of the latest security trends and connect with your peers.

  • Security Defined chevron

    Everything you need to know in our cybersecurity encyclopedia.

Security Visionaries Podcast

The Intersection of Zero Trust and National Security
On the latest episode of Security Visionaries, co-hosts Max Havey and Emily Wearmouth sit down for a conversation with guest Chase Cunningham (AKA Dr. Zero Trust) about zero trust and national security.

Play the podcast
The Intersection of Zero Trust and National Security
Latest Blogs

Read how Netskope can enable the Zero Trust and SASE journey through security service edge (SSE) capabilities.

Read the blog
Sunrise and cloudy sky
SASE Week 2023: Your SASE journey starts now!

Replay sessions from the fourth annual SASE Week.

Explore sessions
SASE Week 2023
What is SASE?

Learn about the future convergence of networking and security tools in today’s cloud dominant business model.

Learn about SASE
  • Company chevron

    We help you stay ahead of cloud, data, and network security challenges.

  • Leadership chevron

    Our leadership team is fiercely committed to doing everything it takes to make our customers successful.

  • Customer Solutions chevron

    We are here for you and with you every step of the way, ensuring your success with Netskope.

  • Training and Certification chevron

    Netskope training will help you become a cloud security expert.

Supporting sustainability through data security

Netskope is proud to participate in Vision 2045: an initiative aimed to raise awareness on private industry’s role in sustainability.

Find out more
Supporting Sustainability Through Data Security
Thinkers, builders, dreamers, innovators. Together, we deliver cutting-edge cloud security solutions to help our customers protect their data and people.

Meet our team
Group of hikers scaling a snowy mountain
Netskope’s talented and experienced Professional Services team provides a prescriptive approach to your successful implementation.

Learn about Professional Services
Netskope Professional Services
Secure your digital transformation journey and make the most of your cloud, web, and private applications with Netskope training.

Learn about Training and Certifications
Group of young professionals working

Cloud and Threat Report 2024

light blue plus
This report explores the evolving enterprise cloud environments and threat landscape, spotlighting the predominant trends of 2023 and offering predictions of which ones will continue into 2024.
Dark cloud over the sunset
22 min read

Executive summary link link

test answer

The Netskope Cloud and Threat Report aims to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. In this edition, we take a look back at the major trends of 2023, paying special attention to those that we expect to continue into 2024 and beyond.

Throughout 2023, cloud and SaaS adoption continued to rise in enterprise environments, with users constantly adopting new apps and increasing their use of existing apps. App suites from Microsoft and Google continue to dominate in all industries and geographies worldwide as apps from these vendors become even more ingrained in critical business processes.

Adversaries, recognizing this trend, are abusing and targeting popular apps in their operations more frequently. Social engineering has become the most common method adversaries use to gain access into victims’ environments. Adversaries are increasingly successful in tricking victims into downloading Trojans by hosting them in popular SaaS apps and in tricking victims into clicking on phishing baits designed to steal SaaS app credentials.

The majority of adversary activity targeting Netskope customers in 2023 was financially motivated. When a financially motivated adversary gains initial access to a victim’s environment, they typically install an implant (usually Cobalt Strike) to maintain persistence. They ultimately try to extort the victim organization by deploying ransomware, infostealers, and wipers, threatening to expose sensitive data publicly or sabotage the victim’s environment if they do not pay. Even geopolitically motivated adversaries, whose primary objective has historically been cyber espionage, are also engaging in similar extortion activities.

This report spotlights these and other predominant trends of 2023 and offers predictions into which ones will continue into 2024.


Report highlights link link


Generative AI apps are an enterprise mainstay
Generative AI apps, virtually non-existent in the enterprise a year ago, are now a mainstay, with more than 10% users accessing cloud-based generative AI apps each month and with the top 25% of users exponentially increasing their use of these apps.

Most Trojans are downloaded from popular cloud apps
Attackers are most successful at tricking victims into downloading Trojans when they are hosted on popular cloud apps, with the most popular apps from Google and Microsoft among the top apps for malware downloads.

Criminal adversaries expand their extortion playbook
Criminal adversary activity dominated the threat landscape in 2023, with multiple adversary groups relying heavily on Cobalt Strike to maintain permanence and deploy ransomware, infostealers, wipers, and other malicious software to extort their victims.


About this report link link

Netskope Threat Labs publishes an annual Cloud and Threat Report to provide strategic, actionable intelligence on the latest trends in cloud computing and cybersecurity threats affecting organizations throughout the world. Information presented in this report is based on anonymized usage data collected by the Netskope Security Cloud platform relating to a subset of Netskope customers with prior authorization. Netskope provides threat and data protection to millions of users worldwide. This report contains information about detections raised by Netskope’s Next Generation Secure Web Gateway (SWG), not considering the significance of the impact of each individual threat. Stats presented in this report are a reflection of both adversary activity and user behavior. Stats in this report are based on the period starting December 1, 2021 through November 30, 2023.


Netskope Threat Labs link link

Staffed by the industry’s foremost cloud threat and malware researchers, Netskope Threat Labs discovers, analyzes, and designs defenses against the latest web, cloud, and data threats affecting enterprises. Our researchers are regular presenters and volunteers at top security conferences, including DEF CON, Black Hat, and RSAC.

Cloud and SaaS app use on the rise link link

The enterprise transition from traditional, on-prem applications to cloud and SaaS apps is far from over. Most organizations have already migrated to cloud-based productivity suites, and the migration has shifted to more niche applications. The number of apps used by the average user has increased from 14 to 20 over the past two years, an average 19% increase per year. Currently, half of all enterprise users interact with between 11 and 33 apps each month, with the top 1% of users interacting with more than 96 apps per month.

apps used by the average user

At the same time, people’s interactions with cloud and SaaS apps are increasing at an even faster rate–35% per year–from just over 1,000 activities per month two years ago to nearly 2,000 activities per month today. Half of all enterprise users generate between 600 and 5,000 activities per month, with the top 1% of users generating more than 50,000 activities per month. An activity is a core interaction between a user and an app, with the most common activities being:

  • Downloading or uploading a file
  • Editing a document
  • Posting a message
  • Viewing a file or a message

Median number of activities per user per month

The most popular apps in the enterprise have not changed significantly over the past year. Among the top 20 most popular apps, year-over-year popularity varied by single-digit percentage points, with a few standout themes.

Overall app popularity

Google and Microsoft reign supreme
The core components of the Microsoft 365 and Google Workspaces productivity suites were among the top apps in both 2022 and 2023. Microsoft products OneDrive, Sharepoint, Teams, Azure Blob Storage,, Forms, and GitHub along with Google products Google Drive, Google Cloud Storage, Gmail, and Calendar accounted for the majority of the top 10. Apps from these vendors have become mainstays of the enterprise ecosystem in all geographies and all industries and will continue to remain on the top for the foreseeable future.

Social media shifts
Although their relative popularity was largely unchanged year-over-year, there were some shifts in the popularity of various social media platforms among enterprise users. Facebook is still the most popular social media platform, despite its popularity decreasing by 6 points. Despite all the talk of an exodus from Twitter following the purchase by Elon Musk, enterprise users are still using it at roughly the same rate. The professional social networking platform LinkedIn gained 4 points, the largest gain of any of the social media platforms and the third-largest gain of all apps. TikTok and Instagram remained largely unchanged.

Outlook leapfrogs Gmail leapfrogged Google Gmail in 2023 as Outlook users continue to shift away from using the native Outlook app in favor of the web app. Adding more than 6 points of popularity, had the second-largest increase of any cloud or SaaS app in 2023.


Generative AI apps on the rise link link

2023 was the year of generative AI. It all started with the hype around OpenAI and their flagship product ChatGPT. Although it did not crack the top 20 most popular apps of 2023, ChatGPT added more users than any other app, with its popularity increasing from 0% to nearly 7% of all enterprise users by the end of the year. As ChatGPT grew in popularity, other companies began creating competing chatbots, and even more companies began creating niche products to leverage the power of these large language models (LLMs). The idea of an AI-powered assistant to help in tasks like writing, programming, and even security operations took off. At the same time, apps for generating images, videos, and audio were also released.

The enterprise cybersecurity community did what it typically does when a new technology with this much hype hits the market: Quickly determine whether these apps serve a legitimate business purpose and–for the cases where they do–figure out how to safely enable their use. For many organizations, this meant pumping the breaks, blocking the apps until they could go through proper security review. In general, this meant that these generative AI apps gained popularity in the enterprise more slowly than they did in the consumer market.

But their popularity did grow. The following graph shows an increase in AI app popularity resembling a sigmoid, increasing from just over 2% of all enterprise users accessing at least one AI app per month a year ago to more than 10% doing so today. Most of that growth occurred in the first half of 2023 and cooled off toward the end of the year.

Percentage of users interacting with AI

A plot of the growth of the top three generative AI apps provides more insight into the shape of the overall popularity graph above. ChatGPT was the most popular app by a large margin, with the writing assistant Grammarly coming in second, followed by the Google Bard chatbot in third. The following plot provides a detailed breakdown of the growth of these three apps. ChatGPT was the main driver of the sigmoidal growth pattern in the first half of the year, rising from nearly 0% to 7% of the enterprise user population very rapidly. Google Bard had a similar shape to its growth later in the year when it became generally available, but its adoption paled in comparison to ChatGPT. Grammarly started the year as the most popular AI app due to its pre-existing user base, and while it did not see as aggressive growth as ChatGPT, its popularity continues trending upward. In the next year, Netskope Threat Labs predicts that Grammarly will continue its rise in popularity and close the gap between it and ChatGPT, but will still lag behind the all-purpose chatbot.

Top 3 AI apps by percentage of users

Most users only interact with generative AI apps a few times per month. Over the course of the past year, the average user increased from 5 activities per month to 14 activities per month, where an activity is most commonly a prompt posted to a chatbot. The top quartile of AI app users showed a more significant increase, from 15 to 85 activities over the course of the year. This indicates that a quarter of the AI user population are power users who are increasingly rapidly increasing their use of generative AI apps. Netskope Threat Labs expects both of these trends to continue into 2024: the total number of users accessing AI apps in the enterprise will continue to increase only modestly, while the amount of activity from power users will increase significantly as the population of super users finds new ways to squeeze additional value from these technologies.

AI app activities by user

A closer look at the top ten generative AI apps as 2023 draws to a close reveals three noteworthy trends that we expect to see continue into 2024.

Top 10 AI apps by percentage of users per month

Chatbots reign supreme
ChatGPT, the first generative AI chatbot to rise to popularity, is still on top at the end of the year, with 6.7% of enterprise users interacting with the chatbot at least once per month. Google Bard, Google’s ChatGPT alternative, is the second most popular chatbot, but has just more than one-tenth of the user base. ChatGPT and Google Bard are general-purpose and can be used to support business functions, like helping with writing and programming tasks or information retrieval, or for entertainment. Their versatility is one of the primary reasons for their popularity. Other more niche customer engagement chatbots–ChatBase and Blip–also made the top ten but with even fewer users.

AI assistants are catching up
One of the most popular uses of generative AI technology in the enterprise so far is as a writing assistant. Grammarly, the second most popular generative AI app, is used by 3.1% of enterprise users, with alternatives QuillBot and Wordtune also making the top ten. Tabnine is a programming assistant that helps programmers write code more efficiently. Netskope Threat Labs expects that AI assistants, especially writing and programming assistants, will continue to grow in popularity in 2024. Their integration into commonly used tool sets for writing and programming and the fact that they are specifically designed and tuned for those tasks will fuel their popularity growth. The fact that they cannot be used for entertainment purposes will also likely remove barriers to their adoption in the enterprise, whereas other apps, like general purpose chatbots, may suffer.

AI art generators are moving into the enterprise
AI art generators, specifically those that can generate images, eked their way into the number 9 and 10 spots of the most popular generative AI apps in the enterprise. Like chatbots, AI art generators are all-purpose tools that can be used for entertainment or to support business functions, both of which factor into their popularity in the enterprise. Because of their entertainment uses, especially their ability to generate content that is not safe for work, they are likely to remain at the bottom of the popularity list in enterprise environments for the foreseeable future.


Social engineering link link

The most common method by which adversaries gained initial access to their victim’s systems in 2023 was via social engineering. Social engineering is typically the easiest way for adversaries to gain access to hardened enterprise systems where remote access is limited and patches against known security vulnerabilities are applied in a timely manner. Social engineering targets the people who have access to the systems, rather than the systems themselves. Among the various social engineering tactics and techniques used by adversaries to target enterprises in 2023, there were two standouts:

  • Tricking victims into downloading and executing Trojans
  • Using phishing to trick victims into sharing sensitive credentials

The remainder of this section provides a deeper dive into each of these techniques.



Enterprise users are constantly targeted with Trojans from many different angles. Adversaries are continuously crafting new Trojans with a variety of different baits to trick users into downloading and executing them. In 2023, an average of 8 out of every 10k users downloaded an average of 11 Trojans per month. Throughout the year, an organization with 10k users would have had an average of 132 Trojans downloaded by users on their network. Netskope Threat Labs expects both of these numbers to remain relatively constant throughout 2024.

One of the angles that adversaries increasingly use to trick users into downloading Trojans is to host the Trojans on popular SaaS apps. Over the past year, the percentage of HTTP and HTTPS malware downloads originating from SaaS apps has been consistently above 50%, a trend that Netskope Threat Labs expects to continue through 2024 as it pushes closer toward 60%.

Percentage of HTTP/HTTPs mlware downloads from cloud apps

The specific apps where adversaries have the most success in tricking their victims into downloading Trojans are unsurprisingly also some of the most popular apps in the enterprise. The following figure breaks down the top 20 apps, including a year-over-year comparison. We highlight four major themes of this plot below.

Top apps where malware downloads were detected

Microsoft OneDrive maintains its lead
As discussed earlier in this report, Microsoft OneDrive is ubiquitous in the enterprise. It is the most popular SaaS app by a large margin, with nearly two-thirds of all enterprise users accessing content in OneDrive every month. For that reason, it is unsurprising that it would also lead in terms of malware downloads. Adversaries can easily create their own OneDrive accounts to host malware, which they share with their victims. Furthermore, because two-thirds of users regularly use OneDrive, they are accustomed to clicking on OneDrive links and therefore more likely to do so when an adversary shares one.

Microsoft Sharepoint is nuanced
Microsoft leverages SharePoint in a variety of other services, including Microsoft Teams. The year-over-year increase in malware downloads originating from SharePoint is primarily due to an increase in Trojans being shared with victims over Microsoft Teams, which show up as Microsoft SharePoint downloads on the Netskope platform.

Apps providing free hosting are the leaders
The majority of the apps in the top 20 are apps that provide free file hosting services. This includes cloud storage apps (Microsoft OneDrive, Google Drive, Azure Blob Storage, Amazon S3, Box, Dropbox, Google Cloud Storage), free web hosting apps (Weebly, Squarespace), free file sharing services (DocPlayer, MediaFire, WeTransfer), and free source code hosting apps (GitHub, SourceForge). Because these apps all provide low-cost or no-cost file hosting, Netskope Threat Labs expects them and similar apps to continue to be abused for malware and phishing delivery for the foreseeable future.



Adversaries are generally more successful in tricking victims into clicking on phishing links than they are in tricking them into downloading malware. On average, 29 out of every 10k enterprise users clicked on a phishing link each month in 2023, more than three times the rate of users downloading Trojans. Throughout the year, an organization with 10k users would have had an average of 348 users clicking on phishing links.

Attackers phish for credentials and other sensitive information for a variety of different targets. The top 10 phishing targets in 2023 included popular cloud and SaaS applications, shopping sites, and banking portals. SaaS apps and shopping sites were among the top targets throughout the year, while banking portals, social media, and government targets saw a steady increase throughout the year. While some adversaries phish for credentials and data that they will themselves use, others serve as initial access brokers, selling the stolen credentials, banking information, and other data on the black market. Netskope Threat Labs predicts that cloud and SaaS apps, while they will continue to remain among the top phishing targets, will be displaced by banking portals as the top target in early 2024.

Top phishing targets by links clicked

Among the top phishing target categories, there were a few standouts:

The most common government target was the United States Internal Revenue Service, where attackers created phishing pages to steal financial data from their victims.

Social Media
Facebook, the most popular social media app in the enterprise, remains the most targeted social media platform by a large margin. Adversaries use compromised social media accounts to run scams, spread malware, spread misinformation, and other illicit activities.

The shopping giants Amazon and Ebay remain the top shopping targets.

The gaming platform Steam was the most targeted gaming platform by a large margin. Adversaries typically use the payment information attached to the account to make purchases and also try to use the account to compromise additional accounts.

The video streaming service Netflix maintained its lead as the most phished service in the consumer category in 2023. Here, the main objective is theft: The stolen accounts are sold on a black market to people looking for an inexpensive Netflix subscription.

Among the cloud and SaaS apps targeted by adversaries in phishing campaigns in 2023, one app ecosystem stands out above all the rest: Microsoft. Microsoft’s popularity among enterprise users means that Microsoft credentials are both a lucrative target for attackers and that users are going to be more accustomed to clicking on links for Microsoft services. As more users continue to use Microsoft services, Microsoft will continue to be a primary target of adversaries who can leverage access to their victim’s Microsoft account for business email compromise, to steal sensitive data, and to pivot to other connected applications. For these reasons, Netskope Threat Labs expects Microsoft to remain the top cloud phishing target in 2024, increasing its lead even further over other apps.

Top cloud phishing targets by links clicked

A less common but growing phishing strategy is to use phishing attachments instead of phishing links in emails. Phishing attachments are meant to bypass anti-phishing controls that only inspect links embedded directly in the email itself. The most common type of phishing attachment is a PDF document that appears to be an invoice, directing victims to call a phone number or visit a link if they need to correct anything on the invoice. Phishing attachments were quite rare in early 2022, spiked mid-year, subsided, and spiked again in late 2023. Despite the increase, an enterprise user downloading a phishing attachment is less common than a user clicking a phishing link or downloading a Trojan. Netskope Threat Labs expects phishing attachments to become even more common in 2024.

Users downloading phishing attachments per 10k users


Adversary profiles and objectives link link

So far in this report, we have highlighted that cloud and SaaS apps continue to grow in popularity in the enterprise, gaining more users and more interactions per user every year. We also highlighted that social engineering was the most common infiltration technique in 2023, with phishing and Trojans hosted on and targeting SaaS apps ranking among the top techniques. But who were the adversaries employing these techniques? What were their motivations and objectives? What risk did they present to the organizations they were targeting? This section explores the answers to all three of these questions.

Netskope Threat Labs tracks adversaries that are actively targeting Netskope customers to better understand their motivations, tactics, and techniques so that we can build better defenses against them. We generally categorize adversary motivations as either criminal or geopolitical.

Criminal adversaries
The primary objective of a criminal adversary group is financial gain, which recently has meant a heavy focus on extortion. Extortion has been an extremely profitable business for cybercriminals, with an estimated $457 million in ransom payments made in 2022. These days, criminal adversaries have expanded their portfolio of extortion techniques to help increase the likelihood of success. These techniques include:

  • Deploying ransomware. The objective is to grind the victim’s operations and systems to a halt by encrypting all of their data. The initial negotiation tactic is to promise to decrypt their data if they pay the ransom. Some adversaries even go as far as to claim to be helping the victim–the victim is so lucky that the benevolent adversary only wants money to decrypt the files and does not want to do any real harm. Imagine if someone with more nefarious intentions had gained access to the victim’s environment!
  • Deploying an infostealer. An infostealer steals sensitive data from the victim, usually compressing and exfiltrating the data over HTTP or HTTPS to blend in with other traffic. The stolen data is used as leverage to convince the victim to pay the ransom. For example, if the victim can easily restore from backups and resume normal operations, they would not be particularly motivated to pay. Perhaps the threat of exposing sensitive data publicly might change their mind.
  • Sabotaging systems. Wipers are being more commonly deployed by criminal organizations as a final tactic to help motivate payment. Adversaries will begin destroying data and knocking systems offline the longer the extortion negotiations continue, with the expectation that this might further motivate the victim to pay.

Although we attempt to label each criminal adversary group according to the country in which they operate, many groups work transnationally. Furthermore, many are now operating in an affiliate model, making their operations even more dispersed. As a result, we typically associate a group with the country or region from which its core members are believed to be located.

Geopolitical adversaries
Geopolitical adversary groups are typically either nation-states or their proxies, and their activities typically mirror broader political, economic, military, or social conflicts. Geopolitical groups typically engage in cyber operations against other nation-states as a modern international relations strategy. The lines between geopolitical and criminal adversaries can blur, with some geopolitical groups also engaging in financially motivated activities. The specific cyber-operations undertaken by geopolitical adversaries vary including:

  • Cyber espionage
  • Sabotaging critical infrastructure
  • Information warfare
  • Spreading propaganda
  • Manipulating public opinion
  • Influencing elections

Attributing activity to a specific adversary group can be challenging. Adversaries try to hide their true identities or even intentionally launch false-flag operations wherein they try to make their attacks appear as though they came from another group. Multiple groups often use the same tactics and techniques, some going as far as to use the same tooling or infrastructure. Even defining adversary groups can be challenging, as groups evolve or members move between groups. Adversary attributions are fuzzy and subject to change and evolve as new information comes to light.

The majority of adversary activity targeting Netskope customers in 2023 was criminally motivated, with geopolitical adversaries most active against users in Asia and Latin America. Within Asia, the highest concentration of geopolitical adversary activity targeted victims in India and Singapore, and in Latin America it targeted victims in Brazil.

Adversary motivations by target region

Overall, the majority of the adversary activity was attributed to criminal groups based in Russia (targeted throughout the world), followed by geopolitical groups in China (targeted primarily at victims in Asia, especially Singapore). Adversary groups located in other regions accounted for less than one-quarter of all adversary activity tracked by Netskope Threat Labs in 2023. In the remainder of this section, we provide an adversary profile for the five most active adversary groups in 2023, highlighting their motivations, tactics, techniques, and targeting strategies. This list includes three criminal groups based in Russia and two geopolitical groups based in China.

Adversary activity by location



Location: Russia
Motivation: Criminal
Aliases: GOLD CABIN, Shathak

The activity attributed to TA551 was primarily from banking Trojans, specifically variants of Pinkslipbot, Ursnif, and QakBot. TA551 targeted victims throughout the world and in multiple industry verticals, including manufacturing, financial services, technology, and healthcare. While many criminal organizations have pivoted to an extortion-centric strategy, TA551 appears to be content in sticking with their tried-and-true strategy of stealing banking information directly from their victims.


Wizard Spider

Location: Russia
Motivation: Criminal
Aliases: UNC1878, TEMP.MixMaster, Grim Spider, FIN12, GOLD BLACKBURN, ITG23, Periwinkle Tempest

Wizard Spider is perhaps most infamous for developing the TrickBot malware and has since pivoted to conducting ransomware operations. In 2023, Netskope tracked activity associated with Wizard Spider targeting victims throughout the world. In most of their operations, they used the popular red team tool Cobalt Strike to establish persistence in victim environments. The Cobalt Strike framework provides a lightweight executable that is implanted in the victim’s environment and communicates back to an attacker-controlled server. It is typically used to provide remote access and deploy additional malware payloads (in this case, primarily ransomware). Most of the Wizard Spider activity we tracked in 2023 followed a common pattern–avoiding DNS lookups by communicating directly with the attacker-controlled server via its IP address over HTTP.



Location: Russia
Motivation: Criminal
Aliases: Hive0065

TA505 is another Russian criminal ransomware group and is responsible for the Clop ransomware. Like Wizard Spider, they also heavily used Cobalt Strike for persistence and to deploy ransomware payloads. They also used the Amaday botnet to deploy ransomware and other malware payloads on infected systems. Similar to Wizard Spider, their Cobalt Strike and Amadey implants tended to communicate directly with their C2 infrastructure via IP addresses, bypassing DNS lookups. Unlike Wizard Spider, who targeted organizations worldwide, TA505’s activities were concentrated in Asia and Europe.



Location: China
Motivation: Geopolitical
Aliases: Wicked Panda

APT41 is a state-sponsored espionage group that also engages in financially-motivated ransomware attacks. Although their activities in the past have been spread throughout the world, their activities in 2023 were focused primarily in Asia and Europe, especially financial services organizations based in Singapore. Like other groups, they heavily relied on the Cobalt Strike framework for persistence and to deploy additional payloads. They also used the POISONPLUG backdoor, variants of which use social media platforms as command and control channels.


Earth Lusca

Location: China
Motivation: Geopolitical
Aliases: TAG-22

Earth Lusca is closely related to APT41 in that it uses very similar tooling. In 2023, they used Cobalt Strike and POISONPLUG against targets throughout the world spanning multiple industries including financial services, manufacturing, healthcare, technology, and SLED.


Recommendations link link

The complexity of an enterprise environment where users are constantly introducing new apps into the fold while existing apps become increasingly embedded in core business processes can make such environments challenging to secure. Netskope Threat Labs recommends limiting app access to only those apps that serve a legitimate business purpose and creating a review and approval process for new apps. For widely used and heavily integrated apps, Netskope recommends implementing a continuous posture management process to ensure that the apps are configured to reduce risk to the organization. We also recommend implementing a continuous monitoring process that will alert security operators when apps are being misused or have been compromised.

With generative AI apps having established a foothold in the enterprise, ensuring the safe enablement and adoption of AI apps should now be an urgent priority for most organizations. Safe enablement involves identifying permissible apps and implementing controls that empower users to use them to their fullest potential while safeguarding the organization from risks. For more detailed information about how Netskope can help, please refer to the ChatGPT and Generative AI Data Protection solution brief.

In light of the continuing increase of social engineering for initial access, Netskope Threat Labs recommends continuing investments into reducing the risk of social engineering, including security awareness training and anti-phishing technology. Because of increasing adversary focus on targeting and abusing cloud and SaaS apps, organizations should ensure that their security solutions thoroughly inspect all network traffic (including traffic to and from popular cloud and SaaS apps) and are actively monitoring managed apps for signs of abuse and compromise.

There are many commonalities among the active adversary groups, including the installation of implants such as Cobalt Strike to enable clandestine remote access; the deployment of ransomware, infostealers, and wipers; and the subsequent extortion attempts. Locking down remote access, patching systems against known exploits, and reducing the risks of social engineering can help prevent initial access and therefore also the more significant and costly attacker activity. However, additional layers of controls should also be deployed to catch determined adversaries that manage to find their way past the initial layers. These extra layers include deploying network and endpoint security that can block intrusion attempts, command and control communications, and malicious data exfiltration. They also include deploying network and endpoint security tools that can detect the unusual activity that typically occurs when an adversary has infiltrated a system but has yet to deploy ransomware or exfiltrate data. Detecting and disrupting an adversary at this stage can still prevent an attack from becoming damaging or costly.

A multi-layered cybersecurity strategy focused on risk reduction, blocking adversary activities, and continuous monitoring can help protect organizations from the staggering losses caused by a successful cyberattack.


light blue plus

Cloud and Threat Reports

The Netskope Cloud and Threat Report delivers unique insights into the adoption of cloud applications, changes in the cloud-enabled threat landscape, and the risks to enterprise data.

Storm with lightning over the city at night

Accelerate your security program with the SASE Leader