Manufacturing brands remain a high-priority target for cybercriminals due to their reliance on interconnected suppliers, distributed operations, and business-critical systems, but Doppel telemetry from early 2026 highlights a meaningful shift—not just in threat volume, but in how attackers establish access and scale risk.
Industrial & Manufacturing
Report Date: 06/15/2026
Manufacturing organizations remain a high-priority target because attackers can create business impact without immediately touching production systems. Credential exposure, spoofed infrastructure, social impersonation, and third-party abuse can all support fraud, access brokering, vendor compromise, or disruption that eventually affects plant operations, logistics, customer trust, or supplier continuity.
Doppel telemetry from January through May 2026 shows that industrial and manufacturing threat activity is heavily shaped by credential exposure and external infrastructure abuse. After reaching its lowest point in March, threat activity surged sharply in April and remains elevated in May.
The broader manufacturing threat landscape supports this pattern. IBM X-Force reported that manufacturing remained the most targeted sector for the fifth consecutive year in its 2026 Threat Intelligence Index, reinforcing that attackers continue to view manufacturers as high-leverage targets because of operational downtime sensitivity, supply chain dependency, and complex hybrid IT/OT environments.
Across Doppel telemetry, the most important signal is the dominance of credential leak activity. Credential leak sources accounted for more than 90% of top-source activity in February and April, and more than 85% in May. Leaked credentials may provide attackers with lower-friction paths into supplier portals, VPNs, cloud services, email accounts, and remote access tools.
At the same time, attackers continue to use trusted and rapidly deployable platforms, including Gitbook, Webflow, Blogspot, Netlify, and Cloudflare Pages. These services can be used to host convincing impersonation pages, phishing flows, fake documentation, and campaign infrastructure with low setup cost and fast replacement after takedown.
Taken together, Doppel’s view of manufacturing risk is identity-led, platform-enabled, and supply chain exposed. The threat activity observed is primarily external-facing, but it carries downstream risk because manufacturing environments depend on connected business systems, distributed plants, contractors, suppliers, and third-party support relationships.

Total verified threat activity by month (Indexed)
Industrial and manufacturing activity eased through the first quarter, falling by roughly 42% from January to February and another 32% from February to March, before reversing sharply in April. April activity rose by about 224% compared to March, marking the clearest surge in the dataset. May is projected to remain elevated, tracking about 15% below April but still approximately 175% above March, indicating that threat pressure has cooled from the April peak but has not returned to the earlier baseline.
This pattern suggests that April was not an isolated anomaly. Even after normalizing May from partial-month activity, the vertical continues to show sustained pressure. The current May projection indicates that attacker interest remains elevated, though the composition of activity matters more than volume alone.
The source mix shows a clear pivot toward credential exposure as the dominant driver of observed threat activity.



Top Sources of threat activity
In January, threat activity was more distributed across dark web sources and free or low-friction hosting platforms. Gitbook, Blogspot, Webflow, and Netlify all appeared among the top sources, suggesting attackers used trusted hosting environments to create lightweight impersonation or phishing infrastructure.
February marked a major shift. Credential leaks accounted for more than 90% of top-source activity, overwhelming all other surfaces. This points to a threat model where exposed accounts and leaked identity material are the primary signals of risk.
March saw a more diverse mix of threat sources. Credential leaks remained the largest category, but Cloudflare Pages, Facebook, and Gitbook became more visible. This suggests a broader blend of identity exposure, hosted infrastructure abuse, and social engineering. The presence of Cloudflare Pages and Gitbook is notable because these platforms can help attackers stand up credible pages quickly while benefiting from trusted platform reputation.
April showed the sharpest concentration in credential leaks, accounting for 92.84% of top-source activity. Facebook also remained visible, indicating that social engineering and brand impersonation continued alongside credential exposure.
May remains heavily credential-driven. Credential leaks on the dark web account for 85.46% of activity, while brand impersonation on Facebook rises to 14.21%. This suggests that manufacturing targeting is not just an access problem, but also a brand and social engineering problem. Attackers may use leaked credentials, fake pages, and impersonation together to support fraud, account takeover, vendor abuse, or follow-on intrusion.
Domain activity follows a different pattern than total threat activity. It peaked in April, then dropped sharply in May.

Domain threat activity by Month
The divergence between total threat activity and domain threat activity is important. Overall activity remains elevated in May, but confirmed malicious domain activity is projected to be the lowest point in the dataset. This indicates that the current threat pressure is not primarily domain-led.
Instead, the broader threat activity appears to be driven by identity exposure, social channels, dark web sources, and platform-hosted infrastructure. Domains remain important because they often serve as conversion infrastructure, but they are not the only or dominant signal in this reporting period.
For manufacturing organizations, this means defenders should avoid treating domain monitoring as the full measure of external risk. Credential leaks, supplier impersonation, fake social profiles, hosted pages, and dark web activity may provide earlier indicators of attacker preparation or campaign development.
The most consistent finding in the broader dataset is the concentration of activity in credential leak sources. Credential leaks dominated February, April, and May, and remained the top source in March.
This matters because leaked credentials can support several manufacturing-specific risk paths:
For manufacturers, this risk is amplified by distributed plants, legacy access patterns, shared third-party workflows, and a large population of vendors and contractors that may not be governed consistently.
Doppel observed a massive spike in mid-April. The week of April 13 generated a 47x increase in dark web alerts from the prior week.
This pattern is consistent with a major credential dump, breach-related exposure, or concentrated dark web release. Even when the spike is tied to one week, it is still important for the vertical-level report because it shows how quickly manufacturing and industrial exposure can concentrate around a single high-volume event.
The dataset shows repeated use of free or trusted hosting platforms, including Gitbook, Webflow, Blogspot, Netlify, and Cloudflare Pages. These platforms are attractive to attackers because they are easy to deploy, inexpensive, trusted by users, and quick to replace after takedown.
For manufacturing brands, hosted platform abuse may appear as:
This is an actionable trend because defenders can build repeatable detection, reporting, and takedown workflows around platform abuse patterns rather than treating each page as an isolated event.
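As an added illustration of such a repeatable workflow (example code written for this page, not Doppel's tooling), the sketch below groups brand-lookalike sites by hosting platform so each platform's abuse desk receives one batched report. The brand token, allowlist, and sample URLs are constructed assumptions; the hosting suffixes are the public ones for the platforms the report names.

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Public hosting suffixes of the platforms named in the report.
PLATFORM_SUFFIXES = {
    "gitbook.io": "Gitbook",
    "webflow.io": "Webflow",
    "blogspot.com": "Blogspot",
    "netlify.app": "Netlify",
    "pages.dev": "Cloudflare Pages",
}

# Assumptions: a hypothetical brand token and the brand's own hosted site.
BRAND_TOKEN = "acmeforge"
ALLOWLIST = {"docs-acmeforge.gitbook.io"}

# Constructed sample feed (not real findings).
SAMPLE_URLS = [
    "https://acmeforge-supplier-portal.netlify.app/login",
    "https://acme-forge-careers.webflow.io/",
    "https://docs-acmeforge.gitbook.io/manual",
    "https://gardening-tips.blogspot.com/2026/04/",
    "https://acmeforge-invoice.pages.dev/pay",
    "https://acmeforge-rfq.pages.dev/",
    "not a url",
]


def classify(url):
    """Return (platform, site_label) for a brand lookalike on a named platform, else None."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    if not host or host in ALLOWLIST:
        return None
    for suffix, platform in PLATFORM_SUFFIXES.items():
        if host.endswith("." + suffix):
            label = host[: -len(suffix) - 1]
            # Ignore separators so "acme-forge" and "acme.forge" still match.
            if BRAND_TOKEN in label.replace("-", "").replace(".", ""):
                return platform, label
    return None


def build_report_queue(urls):
    """Batch findings per platform so each abuse desk receives one report."""
    queue = defaultdict(set)
    for url in urls:
        hit = classify(url)
        if hit:
            queue[hit[0]].add(url)
    return {platform: sorted(found) for platform, found in queue.items()}
```

Matching on the site label rather than the full URL keeps the allowlist and the report queue keyed to the unit a platform actually takes down.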
Facebook appears as a meaningful source in March, April, and May, with May showing Facebook at 12.01% of top-source activity. This suggests that attackers continue to use social platforms to reach customers, employees, partners, and job seekers.
For manufacturing brands, Facebook impersonation can support fake customer support, fake hiring, fake dealership or distributor pages, counterfeit product promotions, and redirection to phishing or payment collection pages. Social channels also allow attackers to establish trust before moving victims to messaging apps, hosted pages, or spoofed domains.
Doppel’s findings also align with broader third-party breach reporting. Black Kite reported that 136 major third-party breaches in 2025 affected 719 named companies and an estimated 26,000 additional downstream victims that were never publicly identified. The report also found that the average third-party breach affected 5.28 downstream victims, the highest level Black Kite has recorded.
This is highly relevant to manufacturing because the sector depends on interconnected suppliers, logistics providers, contract manufacturers, distributors, and field-service partners. A single compromised vendor, shared platform, or high-dependency service provider can create exposure across many downstream organizations.
The Black Kite findings also reinforce the importance of Doppel’s credential leak signal. Black Kite reported that 62% of the most critical vendors had corporate credentials appearing in stealer logs, making identity exposure a key supply chain risk indicator. For manufacturers, leaked vendor or partner credentials can create indirect paths into supplier portals, procurement workflows, remote access systems, and shared business applications.
Credential leaks are the strongest signal in the dataset. Leaked accounts can provide attackers with a lower-friction path into enterprise systems, supplier environments, cloud services, and email accounts.
Impact: Account takeover, supplier portal abuse, business email compromise, fraud, and unauthorized access, resulting in sensitive IP and data exposure and increased risk of downstream intrusion.
Attackers are using trusted hosted platforms to create convincing infrastructure quickly. Gitbook, Webflow, Blogspot, Netlify, and Cloudflare Pages can all be used to host pages that appear legitimate enough to support phishing, impersonation, or fraud.
Impact: Faster campaign deployment, improved victim trust, recurring takedown challenges, and reduced attacker cost.
Facebook and other social platforms remain important distribution and engagement channels. Attackers can impersonate manufacturers, distributors, recruiters, support teams, or executives to build trust and redirect victims into malicious workflows.
Impact: Partner fraud, fake hiring scams, and credential theft resulting in customer harm and reputational damage.
Dark web activity remains a recurring signal, especially in January and during the mid-April spike. These findings may include leaked credentials, exposed sensitive data, access listings, or actor discussions related to manufacturers and their brands.
Impact: Increased risk of account takeover, targeted phishing, access brokering, extortion, and follow-on compromise.
Manufacturing risk often extends beyond the manufacturer itself. Suppliers, distributors, logistics partners, contract manufacturers, and field-service providers can all become indirect paths into the organization or vehicles for impersonation.
Impact: Supplier fraud, invoice redirection, unauthorized access, business disruption, and loss of trust across the partner ecosystem.
The dataset suggests a shift from infrastructure-first threat activity toward identity-first threat activity.
In January, threat activity was more evenly distributed across dark web sources and hosting platforms. By February, credential leaks became the dominant source. March introduced a more mixed pattern, combining credential leaks on the dark web, Cloudflare Pages, Facebook, and Gitbook. April and May returned to a credential-heavy pattern, with Facebook remaining a meaningful secondary source.
This progression shows that attackers are not relying on a single channel. Instead, they appear to be combining exposed credentials, trusted hosting platforms, social channels, and dark web activity to support broader campaign workflows.
A likely attack flow is:
This matters for manufacturing because operational disruption does not always begin inside OT. It can begin with business identity, supplier access, email compromise, or third-party impersonation that later creates production, logistics, financial, or reputational impact.
Manufacturing threat pressure is increasingly shaped by identity exposure, external infrastructure abuse, and attacker interest in operational leverage.
The most important finding in this dataset is the dominance of credential leak activity. While domains and hosted infrastructure remain important, the broader field of view shows that attackers are likely using exposed credentials and dark web data as core inputs for fraud, impersonation, and access enablement.
May is projected to remain elevated, even though confirmed malicious domain activity is lower than in prior months. This suggests that the current risk is not primarily domain-led. It is identity-led and ecosystem-driven.
For manufacturing organizations, the defensive priority should be broader than brand takedown alone. Effective disruption requires connecting credential exposure, dark web signals, social impersonation, hosted platform abuse, supplier risk, and domain infrastructure into a single external threat view.
One platform. Complete threat visibility.
Modern attacks don't start and stop in one place — they unfold across channels, infrastructure, and people. Doppel unifies this approach to detect, disrupt, and prevent threats across channels before they scale, while strengthening human risk management through insights that help employees recognize and respond to real-world threats.
Channels in Scope:
| Channel | Description |
|---|---|
| Domains | Doppel Vision continuously monitors domain registrations, SSL certificates, website content, phishing kits, and visual signals (OCR) to detect malicious domains in real time. Once identified, threats are automatically triaged and taken down with high confidence. 24/7 global support ensures rapid response and consistent coverage across all channels. |
| Social Media | Doppel Vision uses AI, native platform integrations, and OCR to continuously scan social media for fake accounts, impersonators, and malicious content. Automated enforcement and strong platform relationships enable fast, scalable takedowns. |
| Paid Ads | Doppel Vision monitors paid advertising channels—including Google, Meta, TikTok, and others—for impersonation, fraud, and brand abuse. By analyzing ad creatives, accounts, and landing pages, Doppel detects and disrupts malicious campaigns that siphon revenue, mislead customers, or damage brand trust. |
| | Doppel Vision uses honeypots and automated phishing inboxes to detect phishing campaigns before they reach employees. This early visibility helps prevent credential theft, account takeover, and brand abuse. |
| Applications | Doppel Vision monitors the Apple App Store, Google Play, APK sites, and third-party marketplaces to identify fake mobile apps, malicious APKs, and browser extensions. Through native integrations, detected threats are quickly taken down to protect users and preserve trust in your brand. |
| Telecom/Vishing/Smishing | When scam calls or texts are reported, Doppel Vision turns those signals into action. Reports are validated and escalated directly to telecom providers to disrupt and take down fraudulent campaigns, protecting your customers and brand reputation. |
| E-commerce | Doppel Vision automatically detects and removes counterfeit listings across global e-commerce marketplaces. Continuous monitoring helps protect revenue, maintain brand integrity, and reduce customer exposure to fraudulent products. |
| Crypto/NFT | Doppel Vision detects and removes scam tokens and NFTs impersonating your brand across centralized and decentralized ecosystems. Malicious wallet-enabled sites are reported to major wallet providers (e.g. MetaMask, Phantom, Coinbase Wallet) to block access within minutes, limiting user exposure and fraud. |
| Dark Web | Doppel Vision monitors the dark web for PII exposure, credential dumps, and data leaks associated with your organization. Early detection enables proactive response, reducing the risk of downstream fraud and account compromise. |
| Code Repositories | Doppel Vision scans public and private code repositories for exposed secrets, API keys, credentials, and sensitive data. Combining LLMs with security expertise, it helps identify and remediate developer-introduced risks before they can be exploited. |
Doppel protects individuals and brands from AI-powered impersonation, phishing, fraud, and social engineering by dismantling attacker infrastructure and building resilience through training and simulation.
Doppel's comprehensive Digital Risk Protection solution detects threats across multiple channels, links alerts into a real-time threat graph, and offers AI-driven infrastructure disruption. These threats inform phishing simulation campaigns and security awareness training to offer robust Human Risk Management capabilities that strengthen employee defenses through next-generation training and testing.
Doppel's mission is to protect the world from social engineering attacks every day. Founded in 2022, Doppel is an AI-native platform designed for social engineering defense.
Median Takedown Time Domains, Social Media, Paid Ads
<10h
Faster takedowns on emerging threat vectors than our competitors.
Indicators Analyzed Daily
+1B
Trusted Customers
200+
Companies have chosen Doppel



