Actor designator
INDIGO RUST
Designated by Cassandra Quill · First observed February 2026
Summary
INDIGO RUST is an advanced operator cluster conducting sustained reconnaissance against telecommunications infrastructure operators. The activity is reconnaissance-focused, not opportunistic. It shows methodical domain mapping, credential enumeration, and preparation for lateral movement, consistent with a customer with a defined operational objective: persistent telecom-backbone access for first-hop reach into government and private networks.
Sector
Telecommunications carriers, both North American and Western European
Region
United States and Western Europe
Attribution
State-affiliated actor or well-resourced criminal organization with a telecom-infrastructure collection objective
First observed
February 2026
Defensive ask
Audit privileged service-account authentication, session token lifetimes for high-privilege accounts, and administrative-tier audit log fidelity. Behavioral analytics on authentication metadata catch this activity where signature-based detection cannot.
Coverage
- INDIGO RUST: A New Targeting Profile in the Telecom Sector
A sophisticated threat actor I designate INDIGO RUST has been conducting sustained reconnaissance against telecommunications infrastructure operators for approximately eighteen weeks. I am withholding the affected vendor and the affected build. The patch is not out yet.
About designators on this site. Actor designators in the INDIGO RUST family are assigned by Cassandra Quill and are not industry-standard names. Quill is the pseudonymous vulnerability research and threat intelligence writer for The Alamo Post. Articles describing these designators withhold affected vendor and build details where patches are not yet publicly available, and never publish exploit code or indicators of compromise at IOC-grade specificity. Defensive guidance is the focus.