Francis Guibernau, Senior Adversary Research Engineer at AttackIQ – Interview Series

Francis Guibernau is a Senior Adversary Research Engineer and member of the Adversary Research Team (ART) at AttackIQ. Francis conducts in-depth threat research and analysis to design and create highly sophisticated and realistic adversary emulations. He also coordinates the Cyber Threat Intelligence (CTI) project, which focuses on researching, analyzing, tracking, and documenting adversaries, malware families, and cybersecurity incidents. Francis has extensive experience in adversary intelligence, encompassing both Nation-State and eCrime threats, as well as in vulnerability assessment and management, having previously worked at Deloitte and BNP Paribas.
AttackIQ is a cybersecurity firm that empowers organizations to move beyond mere assumptions about their defenses to continuous, data-driven validation. By emulating adversary tactics using the MITRE ATT&CK® model and offering automated, production-safe testing across cloud, hybrid and on-premises environments, the company helps surface security gaps in controls, processes and people — enabling leaders to prioritize remediation, justify investments, and shift from reactive cyber-response to proactive resilience.
How did you become part of the cybersecurity field, and why did you choose to specialize in Cyber Threat Intelligence? How has CTI shaped your understanding of how threats evolve across both nation-state and criminal ecosystems?
My path into cybersecurity wasn’t planned; it happened by opportunity rather than design. It began when I joined a mature cybersecurity organization, where I worked across two key areas: Vulnerability Assessment and Management, and Cyber Threat Intelligence (CTI). Through Vulnerability Management, I gained a defender’s perspective — ensuring systems were properly maintained, patched, and resilient against attacks. Within CTI, I adopted the attacker’s mindset, analyzing their motivations, objectives, and capabilities. This is where I became deeply familiar with the MITRE ATT&CK Framework, which I used to document adversary Tactics, Techniques, and Procedures (TTPs) and define their operational playbooks.
This dual experience gave me a comprehensive understanding of how defenders and attackers interact within a constantly evolving ecosystem. CTI quickly became a personal passion. Its strategic purpose of understanding how adversaries operate, evolve, and influence one another felt almost predestined. I’m grateful to continue working within this discipline, observing and analyzing the growing complexity of the global threat landscape, where state-sponsored and eCrime adversaries, despite their distinct motivations, increasingly intersect and shape each other’s operations.
Looking back, what particular project or experience marked a turning point in your career and shaped your perspective in cybersecurity?
A pivotal moment came when I began researching and documenting the TTPs adversaries and malware employ to detect and evade controlled environments. This effort became the foundation for “Environment Awareness,” a research project I conducted with my colleague and friend Ayelen Torello, with whom I now have the opportunity to work at AttackIQ. Our research focused on cataloging the different methods adversaries employ to recognize and avoid sandboxed or virtualized environments, allowing them to remain undetected during automated analysis. The resulting whitepaper was later adopted as the foundation for technique “T1497 – Virtualization/Sandbox Evasion” in the MITRE ATT&CK Framework.
During this investigation, I witnessed the continuous evolution of adversaries, with their payloads becoming increasingly sophisticated and their ability to evade automated detection systems improving, enhancing their chances of successfully compromising real targets. This experience fundamentally shaped my understanding of adversary adaptability and the constant innovation cycle that defines modern threats.
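The checks catalogued under T1497 are simple to express in code, and the same checks are useful to a defender who wants to know how "sandbox-like" an analysis host looks to a payload. The block below is an added example, not AttackIQ's code or the whitepaper's, and it assumes a Linux host for the live collection (the /proc paths, os.sysconf), a hand-picked set of virtual-NIC OUI prefixes, hostname words and analysis tool names, and arbitrary weights and a threshold of 4 that are illustrative, not taken from the page. The scoring itself is a pure function of a HostFacts record, so it can be exercised on constructed inputs.

```python
"""Environment-awareness checks of the kind catalogued under ATT&CK T1497.

Added example (not AttackIQ code, not from the whitepaper mentioned above).
Each check is a pure function of values passed in through HostFacts, so the
scoring is testable against constructed inputs; collect_live() fills the same
structure from the current host using only the standard library (Linux paths
are assumed for uptime, memory and process names).
"""
import os
import platform
import uuid
from dataclasses import dataclass, field

# OUI prefixes registered to virtual NIC vendors (VMware, VirtualBox, QEMU/KVM).
VM_MAC_PREFIXES = ("00:05:69", "00:0c:29", "00:1c:14", "00:50:56",
                   "08:00:27", "52:54:00")
# Hostname fragments and process names that analysis environments often expose
# (illustrative lists, chosen for this example).
SUSPECT_HOST_WORDS = ("sandbox", "malware", "analysis", "virus", "cuckoo")
ANALYSIS_TOOLS = ("wireshark", "procmon", "tcpdump", "fiddler", "x64dbg", "ollydbg")


@dataclass
class HostFacts:
    cpu_count: int
    ram_gb: float
    uptime_s: float
    mac: str
    hostname: str
    running: tuple = ()          # names of running processes


@dataclass
class Verdict:
    score: int = 0
    indicators: list = field(default_factory=list)


def assess(f: HostFacts) -> Verdict:
    """Weight each tell (weights are illustrative) and return score plus reasons."""
    v = Verdict()

    def hit(weight, why):
        v.score += weight
        v.indicators.append(why)

    if f.cpu_count < 2:
        hit(2, f"low cpu count ({f.cpu_count})")
    if f.ram_gb < 2:
        hit(2, f"low memory ({f.ram_gb:.1f} GB)")
    if f.uptime_s < 600:
        hit(1, f"short uptime ({int(f.uptime_s)} s)")
    if f.mac.lower().startswith(VM_MAC_PREFIXES):
        hit(3, f"virtual NIC OUI ({f.mac[:8]})")
    if any(w in f.hostname.lower() for w in SUSPECT_HOST_WORDS):
        hit(1, f"suspect hostname ({f.hostname})")
    tools = sorted({p.lower() for p in f.running} & set(ANALYSIS_TOOLS))
    if tools:
        hit(2, "analysis tooling running: " + ", ".join(tools))
    return v


def likely_sandbox(v: Verdict, threshold: int = 4) -> bool:
    """Threshold is an assumption for this example; tune it per environment."""
    return v.score >= threshold


def collect_live() -> HostFacts:
    """Gather the same facts from this host (Linux assumed; degrades to 0/empty)."""
    try:
        ram_gb = os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / 2 ** 30
    except (ValueError, OSError, AttributeError):
        ram_gb = 0.0
    try:
        with open("/proc/uptime") as fh:
            uptime_s = float(fh.read().split()[0])
    except OSError:
        uptime_s = 0.0
    running = []
    try:
        for pid in filter(str.isdigit, os.listdir("/proc")):
            try:
                with open(f"/proc/{pid}/comm") as fh:
                    running.append(fh.read().strip())
            except OSError:
                pass
    except OSError:
        pass
    node = uuid.getnode()                      # 48-bit MAC as an integer
    mac = ":".join(f"{(node >> s) & 0xFF:02x}" for s in range(40, -1, -8))
    return HostFacts(os.cpu_count() or 1, ram_gb, uptime_s, mac,
                     platform.node(), tuple(running))


if __name__ == "__main__":
    verdict = assess(collect_live())
    print(f"score={verdict.score} likely_sandbox={likely_sandbox(verdict)}")
    for reason in verdict.indicators:
        print(" -", reason)
```

Run it inside your own detonation sandbox: every indicator it prints is a tell a real payload could key on, and removing those tells (more vCPUs and RAM, a non-virtual OUI, an innocuous hostname, tooling hidden or renamed) is the practical counterpart of the research described above.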
Since joining AttackIQ in 2021 as an Adversary Research Engineer and leading the establishment of the Cyber Threat Intelligence initiative, how have your responsibilities evolved, and how do you balance the coordination of the CTI project, strategic threat research, and the development of adversary emulations?
Building the Cyber Threat Intelligence (CTI) program at AttackIQ was a complex task. We needed to achieve visibility across a broad spectrum of threats quickly. As a service provider, our focus couldn’t be limited to a single sector, region, or nation. Instead, we required a knowledge base encompassing both adversaries, from state-sponsored to eCrime groups, and malware, from commodity to custom-built families. Once the foundation was established, we began focusing on what I refer to as “Heavyweights”: highly active and impactful entities that influence multiple sectors, regions, and nations. This approach allows us to prioritize threats most relevant to our customer base.
Given the fast-moving threat landscape, balancing intelligence collection, threat analysis, and adversary emulation is inherently complex. Each emulation type presents distinct challenges. On one hand, nation-state emulations are typically highly sophisticated, tailored to specific objectives, characterized by extended dwell times and driven by political motivations. Reproducing their behavior requires deep analysis, patience, and precision, making them intellectually challenging and rewarding to emulate. On the other hand, eCrime emulations are fast-paced and opportunistic. These adversaries introduce novel techniques, operate with shorter dwell times, and often impact multiple sectors and regions. Their use of shared, off-the-shelf tools and commodity malware, with overlapping TTPs across groups, makes their playbooks dynamic and fascinating to reproduce.
Striking the right balance is a strategic process. We align research and emulation priorities with customer requirements and global developments, including geopolitical tensions, newly disclosed critical vulnerabilities, and advisories from international organizations such as the Cybersecurity and Infrastructure Security Agency (CISA) and the National Cyber Security Centre (NCSC). Ultimately, this work is a team effort. The Adversary Research Team (ART) is composed of incredibly talented individuals whose contributions make realistic and safe emulations possible. CTI is just one piece of the process; transforming intelligence into authentic, controlled emulations is a complex challenge that requires collaboration, precision, and shared commitment.
Within AttackIQ’s Adversary Research Team, how is research structured and prioritized, and what have been the most significant challenges in translating threat intelligence insights into actionable adversary emulations?
Several factors influence how we prioritize research within AttackIQ’s Adversary Research Team. Our primary focus is on emulating adversaries that pose the most significant risk to the largest segment of our customers, ensuring resources are optimized and concentrated toward broad-impact threats before addressing highly specific ones.
This scope includes both adversaries and malware families observed in the wild. We continuously track a wide range of entities, with prioritization driven by operational need rather than prescriptive directives. Emerging threats frequently prompt rapid reprioritization. Escalating geopolitical tensions, increased reporting on a specific and critical vulnerability, or concentrated CERT advisories quickly elevates topics to the top of the queue.
One of our primary challenges is maintaining consistent prioritization and balancing resources to deliver realistic and sophisticated emulations while ensuring efficiency and scalability across development cycles. We place strong emphasis on developing broad, reusable behaviors. By identifying commonalities across adversaries and malware families, we focus on replicating techniques and procedures that appear consistently across multiple playbooks. These can then be adapted and integrated into other emulations, enabling greater flexibility and scalability. This approach allows us to prioritize behaviors with high reusability and operational relevance rather than investing heavily in narrow, one-off implementations, while maintaining a steady production cadence and delivering flexible, targeted, and meaningful emulations.
In your recent RomCom research, what were the key inflection points that influenced its transformation from a basic backdoor into a versatile platform supporting both espionage and financial extortion, and under what circumstances does malware transition from a standalone payload into a fully-fledged platform?
The case of RomCom is particularly fascinating because it first appeared in May 2022 as a relatively simple backdoor designed primarily for remote access and basic data exfiltration. The first major inflection point occurred just a month later with the release of RomCom 2.0, which introduced substantial enhancements that reflected a more mature, stealth-oriented toolset optimized for espionage operations and long-term persistence. These updates significantly improved data collection and exfiltration capabilities, signaling a clear shift toward a more strategic use case.
The following inflection point came with the introduction of RomCom 3.0 in February 2023, which adopted a modular architecture structured into three core components. It represented a substantial leap in flexibility and functionality, supporting 42 distinct commands, many of which were subtle variations of one another, highlighting the operator’s focus on adaptability and operational refinement.
Subsequent versions continued to focus on refining capabilities and enhancing operational resilience. Over time, RomCom evolved from a purpose-built backdoor into a commodity malware leveraged by eCrime groups, which integrated it into their playbooks to enable and facilitate diverse criminal operations. This evolution was evidenced by RomCom’s integration with the Cuba, Industrial Spy, and Underground ransomware operations, clearly indicating that it had become embedded within a broader adversarial ecosystem as shared infrastructure. This widespread adoption inevitably attracted the attention of state-aligned adversaries, particularly those aligned with Russian interests, who began leveraging RomCom as a polyvalent platform supporting espionage and strategic influence operations against their geopolitical objectives.
This convergence confirmed our assessment that the boundaries between eCrime and nation-state adversaries are increasingly blurred. The transition from standalone payload to fully fledged platform occurs precisely at this intersection, when it begins to be leveraged for sophisticated, strategic, and intangible objectives that extend beyond opportunism or financial gain. At that stage, it ceases to serve a single tactical purpose and instead enables multiple, sometimes contradictory, operational objectives. This suggests that the operators view the payload as a reusable infrastructure rather than a purpose-built weapon.
You’ve observed increasingly blurred boundaries between nation-state activity and eCrime adversaries. From your perspective, what are the primary drivers behind this convergence, and how should defenders think differently when assessing attribution and motivation in these cases?
The convergence between nation-state and eCrime operations is primarily driven by pragmatic factors on both sides. For state-sponsored adversaries, the goal is to rapidly acquire capabilities already validated and proven on the battleground. Leveraging existing tooling or infrastructure allows them to acquire operational flexibility without dedicating extensive resources to developing custom tools from scratch. If a payload is resilient, effective, and available, why reinvent it? Conversely, for eCrime operators, access to nation-state-level resources and infrastructure, including intelligence, targeting data, and protected distribution channels, enables rapid scaling of capabilities while receiving guaranteed financial backing with minimal risk.
RomCom exemplifies this convergence. Initially a commodity malware designed to facilitate ransomware operations, it was later adopted in activities aligned with Russian strategic interests, targeting Ukrainian government institutions, NATO-aligned entities, and humanitarian organizations. Our assessment indicates that RomCom transitioned from a purely profit-driven tool to a utility leveraged in nation-state operations, supporting both espionage and disruption objectives.
This evolution highlights a key principle: regardless of whether the adversary is financially or politically motivated, the impact on the victim remains the same. In this context, threat-informed defense becomes essential. Organizations should prioritize validating defenses and resilience against realistic, observed behaviors rather than focusing exclusively on attribution or presumed motivation.
What does RomCom reveal about the convergence of financial and geopolitical motivations among adversaries? Specifically, how do you interpret the growing trend of state-aligned groups leveraging eCrime infrastructures as instruments of influence or plausible deniability?
RomCom demonstrates the evolution of a cybercriminal group that has maintained long-term operational consistency while steadily expanding its network of affiliations. Throughout its activity, it established clear connections with multiple ransomware families, specifically Cuba, Industrial Spy, and Underground, reflecting deep integration within the eCrime ecosystem. Over time, it transitioned from a facilitator of disruptive, extortion-based activities to a polyvalent platform capable of supporting geopolitical influence operations. Its sustained focus on Ukrainian government institutions, military personnel, humanitarian organizations assisting refugees, and NATO-aligned countries demonstrates operational alignment with Russian strategic interests surrounding the war in Ukraine. This is not opportunistic crime; it represents deliberate intelligence collection and long-term access operations. The same malware, delivery mechanisms, and operational tradecraft now support both espionage and ransomware activities.
RomCom also highlights a broader pattern of state-aligned adversaries adopting or repurposing eCrime tooling. These tools are proven, effective, and serve as convenient enablers for broader strategic objectives. Russia remains a prime example: extensive reporting details Russian-linked criminal groups operating as de facto extensions of state operations or being directly leveraged to support them. This enables states to outsource deniable operations, particularly those of disruptive or destructive nature, to criminal actors, or to absorb their tooling and infrastructure. Ultimately, this dynamic reveals a mutually beneficial relationship: RomCom operators and their affiliates gain influence and financial rewards, while states obtain access to capable, deniable assets. In the eCrime landscape, allegiance is transactional, rooted in influence and profit.
This model offers clear strategic advantages, which is why it’s becoming increasingly common. Crime partnerships provide states with access and capability without direct attribution, and the resulting operational ambiguity complicates diplomatic and legal responses. Malware families have effectively become instruments of statecraft, augmenting rather than replacing traditional espionage through criminal infrastructure that is deniable, scalable, and self-sustaining.
Modern malware often doesn’t stay confined to one industry or region. What does this suggest about attacker priorities or constraints, and are there sectors or geographies you believe are “next” for cross-domain expansion?
While some adversaries may self-impose constraints, many treat urgency and crises as additional infection vectors, accelerating intrusions and exploiting distracted or strained defenses. Motivation influences targeting but rarely limits it. Financially motivated groups prioritize objectives with high potential payoffs or operational dependencies, such as finance, payment processors, and large enterprises with strict uptime requirements. In contrast, state-aligned groups concentrate on sectors that advance geopolitical objectives, including government, defense, and critical infrastructure. Yet, overlap between these motivations is increasingly common.
“Spray-and-pray” tactics and commoditization will persist. Ransomware-as-a-Service (RaaS) models, commodity tooling, and automated scanning enable financially motivated adversaries to broaden their target sets aggressively. Any exposed, weakly defended service is potentially in scope. Geographic expansion follows both opportunity and maturity gaps. Regions undergoing rapid digital transformation but with limited cyber maturity or incident response capacity are attractive for initial compromise and scaling operations. Conversely, high-value targets in well-defended regions are often impacted through supply-chain compromise or outsourced access. Looking ahead, expansion is likely in regions adjacent to active geopolitical conflicts where intelligence collection supports strategic interests and defensive maturity still trails adversary sophistication.
When creating realistic adversary emulations, what are the toughest technical challenges you encounter? How do you validate that those emulations are sufficiently representative of real-world threats, and are there behaviors that remain especially difficult to simulate reliably?
One of the toughest technical challenges is achieving behavior fidelity without introducing operational risk. Emulations must replicate real-world behaviors precisely enough to validate detection and prevention controls, while remaining safe enough to run in production environments. That trade-off is constant. Overly aggressive implementations risk destabilizing systems or producing dangerous false positives/negatives, while overly cautious ones lose fidelity and utility. We prioritize emulating the adversary’s “chokepoints”, the critical behaviors that determine whether an intrusion succeeds or fails, and where defensive visibility and response matter most. By focusing fidelity on these decisive behaviors, emulations deliver the highest value for both detection coverage and resilience validation.
Some techniques are intentionally limited or omitted because they pose unacceptable risk or cannot be faithfully emulated without damaging the environment. Get an implementation slightly wrong, and you’re either testing something the adversary never actually does or destabilizing the system you’re trying to protect. Other challenges arise from behaviors that depend on environmental context or require authenticated access. Networked behaviors are also constrained: for example, we reproduce protocol patterns and beaconing behaviors for C2 without connecting to malicious infrastructure.
Creating realistic emulations is therefore an iterative engineering process: identify, document, implement, test, validate, and refine. Each iteration balances fidelity, safety, and operational relevance to ensure emulations are both realistic and deployable.
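The beaconing constraint described above (reproduce the pattern, never touch adversary infrastructure) can be shown end to end with a local sink. The block below is an added example and is not AttackIQ's emulation code: it assumes a throwaway HTTP listener on 127.0.0.1 standing in for the C2 server, a made-up /update path and JSON check-in body, and a detector that flags a connection series as beacon-like when the coefficient of variation of its inter-arrival gaps falls under an assumed 0.35 with at least 8 events. The schedule generator and detector are pure functions, so the same code can score real connection logs; run_emulation() exercises the exchange live.

```python
"""Production-safe C2 beacon emulation plus a beaconing detector.

Added example, not AttackIQ's emulation code. The "C2 server" is a local
HTTP listener on 127.0.0.1 (assumption), so the traffic pattern exists on the
wire without any connection to real adversary infrastructure; the detector
scores a series of connection timestamps for the periodicity that a jittered
beacon leaves behind.
"""
import http.server
import json
import random
import statistics
import threading
import time
import urllib.request


def beacon_schedule(count, interval_s, jitter, seed=0):
    """Offsets (seconds from start) at which a beacon with interval +/- jitter fires."""
    rng = random.Random(seed)          # seeded so a run is reproducible
    t, out = 0.0, []
    for _ in range(count):
        out.append(t)
        t += interval_s * (1 + rng.uniform(-jitter, jitter))
    return out


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; low means machine-regular."""
    gaps = [b - a for a, b in zip(timestamps, timestamps[1:])]
    if len(gaps) < 3:
        return None
    return statistics.pstdev(gaps) / statistics.mean(gaps)


def is_beaconing(timestamps, max_cv=0.35, min_events=8):
    """Thresholds are assumptions for this example; tune against your own baseline."""
    score = beacon_score(timestamps)
    return score is not None and len(timestamps) >= min_events and score <= max_cv


class _Sink(http.server.BaseHTTPRequestHandler):
    """Stand-in C2: records each check-in and answers with a benign task."""
    received = []

    def do_POST(self):
        n = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(n) or b"{}")
        type(self).received.append(body)
        self.send_response(200)
        self.send_header("Content-Type", "application/json")
        self.end_headers()
        self.wfile.write(json.dumps({"task": "sleep"}).encode())

    def log_message(self, *args):      # keep the listener quiet
        pass


def run_emulation(count=8, interval_s=0.05, jitter=0.2, seed=7):
    """Send `count` jittered check-ins to the local sink; return the schedule and what it saw."""
    _Sink.received = []
    server = http.server.HTTPServer(("127.0.0.1", 0), _Sink)   # ephemeral port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    url = f"http://127.0.0.1:{server.server_address[1]}/update"  # assumed path
    schedule = beacon_schedule(count, interval_s, jitter, seed)
    start = time.monotonic()
    try:
        for seq, offset in enumerate(schedule):
            delay = start + offset - time.monotonic()
            if delay > 0:
                time.sleep(delay)
            data = json.dumps({"seq": seq, "host": "emulated-host"}).encode()
            req = urllib.request.Request(url, data=data,
                                         headers={"Content-Type": "application/json"})
            with urllib.request.urlopen(req, timeout=2) as resp:
                json.load(resp)["task"]        # the "tasking" is a no-op by design
    finally:
        server.shutdown()
        server.server_close()
    return schedule, list(_Sink.received)


if __name__ == "__main__":
    schedule, seen = run_emulation()
    print(f"sink recorded {len(seen)} check-ins; cv={beacon_score(schedule):.3f}; "
          f"beaconing={is_beaconing(schedule)}")
```

The detector side is what the emulation exists to validate: feed it the connection timestamps your proxy or NetFlow pipeline records for a single source/destination pair and it should fire on the emulated series and stay quiet on the human-paced one; if it does not, the gap is in the pipeline, not in the payload.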
Looking three to five years ahead, what trends in malware sophistication, attacker methodology, or threat ecosystems do you find most concerning or intriguing, and what foundational steps would you recommend for organizations beginning their journey in threat-informed defense and adversary emulation?
One of the most intriguing and concerning trends is the increasing sophistication of cybercriminal ecosystems. Over the last decade, eCrime actors have expanded their influence dramatically.
In earlier years, the number of participants was limited, and their influence was comparatively marginal. Today, hundreds of interconnected entities coexist and collaborate, each fulfilling specialized roles. This interdependence forms a complex, business-oriented ecosystem that mirrors legitimate markets in structure and efficiency. The ransomware ecosystem exemplifies this perfectly: dozens of active families coexist, evolve, and succeed one another. This constant churn reveals a tangled web of relationships that is increasingly difficult to untangle.
Another defining trend is the convergence between state and criminal operations. Not only at the operational level but also in the development of shared infrastructure and malware platforms. RomCom exemplifies this evolution. It transitioned from a purely profit-driven commodity to a versatile utility leveraged in nation-state operations. Its targeting of government institutions, military personnel, humanitarian organizations, and NATO-aligned entities demonstrates a shift toward an instrument of statecraft, supporting Russian intelligence objectives while retaining its eCrime versatility.
For organizations newer to threat-informed defense, the foundational step is to adopt the MITRE ATT&CK Framework as the shared language for understanding and discussing adversary behavior. ATT&CK provides a behavioral taxonomy that enables defenders to map detections and controls directly to attacker techniques rather than static indicators. Prioritize behavioral detection over signature-based approaches. Indicators of compromise change constantly, but adversary techniques remain relatively stable, a principle captured in the Pyramid of Pain framework.
Thank you for the detailed responses. Readers who wish to learn more should visit AttackIQ.