Flare – Weekly Recap

Flare is a private cybersecurity company focused on external threat intelligence, identity security, and digital risk protection, and this weekly recap summarizes its latest research and go-to-market activities. Over the past week, Flare emphasized advanced threat research, high-profile fraud investigations, and education initiatives aimed at enterprise security teams.

The company’s threat research team disclosed analysis of a Pastebin-hosted PowerShell script masquerading as a Windows telemetry update that ultimately functions as a Telegram session stealer. Flare detailed the execution chain, iterative version changes, and links between desktop and web-based infrastructure, while mapping techniques to MITRE ATT&CK and providing detection guidance for security operations.

Flare also spotlighted extensive research into infostealer malware trends and enterprise identity exposure based on 18.7 million stealer logs. While overall infections reportedly fell 20% in 2025, the share compromising enterprise single sign-on credentials nearly doubled, with about 2.05 million logs containing enterprise identities and 1.17 million including both credentials and session cookies.

Microsoft Entra ID appeared in 79% of enterprise identity logs, underscoring concentration risk around a small number of identity providers. Flare warned that if current patterns persist, as many as one in five infections could provide enterprise access by the third quarter of 2026, and promoted a live session on a “model validation gap” signaling more efficient attacker behavior.

The company continued to build its Flare Academy brand with Part II of an identity security education series focused on modern web protocols and high-profile incidents such as SolarWinds, Golden SAML, Midnight Blizzard’s OAuth abuse, and Scattered Spider tactics. The April 29 session, offering recordings, slides, a free eBook, and CPE-eligible credit, is designed to deepen practitioner engagement and position Flare as a thought leader.

In digital risk research, Flare highlighted investigations into fraud and phishing operations targeting the 2026 FIFA World Cup. Work by researcher Assaf Morag identified a coordinated network of 15 fraudulent ticket resale sites operating across secondary markets and Telegram, as well as more than 75 lookalike domains impersonating FIFA’s official site to harvest consumer data.

Flare also drew attention to emerging fraud risks in carbon markets and the planned rollout of EU digital identity wallets by late 2026. Research by Adrian Cheek outlined how a $250 million carbon credit fraud operated via legitimate registries and how more than 50,000 cybercrime-focused Telegram groups may be positioned to exploit digital identities as ESG-linked transactions scale.

A notable commercial use case came from a $2 billion-plus global manufacturer that ran a 30-day proof of concept on Flare’s platform to assess external exposure. The engagement uncovered leaked credentials, unmonitored login portals lacking multi-factor authentication, and sensitive data in a public GitHub repository, complementing the customer’s existing endpoint and firewall defenses.

Following full deployment, the manufacturer reportedly recovered its data after a third-party vendor ransomware incident even before official notification, illustrating a shift toward more proactive security operations. Flare is framing such case studies as evidence of traction with large enterprises and as validation of its value in external attack-surface and vendor-risk monitoring.

Collectively, the week’s developments point to a company deepening its technical research, expanding educational outreach, and demonstrating real-world impact for large customers. These activities reinforce Flare’s positioning in identity-centric threat intelligence and digital risk protection and could support future growth if research and thought leadership continue to translate into enterprise adoption.