Full Report
Our bulletin covering coordinated influence operation campaigns terminated on our platforms in Q3 2025.
Analysis Summary
This summary aggregates information on multiple coordinated influence operations reported in the TAG Bulletin for Q3 2025. Since the article discusses several distinct operations attributed to various state and non-state actors, the structure below outlines the common threat actors identified in the summary: Russia, Turkey, Iran, Poland, Philippines, Azerbaijan, People's Republic of China (PRC), Indonesia, Romania, and unnamed actors linked to specific regional activities (Cambodia/Thailand, Chile).
# Threat Actor: Various Coordinated Influence Operations (Q3 2025)
## Attribution & Identity
This report covers numerous distinct, state-linked, or state-aligned cyber-influence actors identified across Q3 2025. Key attributing nations include: **Russia, Turkey, Iran, Poland, Philippines, Azerbaijan, People's Republic of China (PRC), Indonesia, and Romania.**
## Activity Summary
The report details the termination of numerous coordinated inauthentic behavior (CIB) campaigns across YouTube, Blogger, and potentially Google News/Discover surfaces throughout July, August, and September 2025. The activities primarily involved disseminating supportive or critical political narratives tailored to specific linguistic and geographic audiences.
**Notable Major Network Terminations:**
* **Russia-linked operations:** Multiple networks terminated, distributing content supportive of Russia and critical of Ukraine, NATO, and the West across various languages (Ukrainian, Russian, Romanian, Polish, French, German, Arabic, Turkish).
* **Turkey-linked operations:** Networks promoting content supportive of the Turkish government or critical of Israel (in content supportive of Iran).
* **Azerbaijan-linked operations:** Large-scale networks opposing Armenia and domestic critics of the Azerbaijani government.
* **PRC-linked operations:** A large network posting content in Chinese and English concerning China and US foreign affairs.
* **Indonesia-linked operations:** Networks promoting the Indonesian government or specific political figures, and others critical of regional governments (e.g., West Java).
## Tactics, Techniques & Procedures
The specific TTPs mentioned focus on platform abuse for influence operations, rather than technical cyber espionage techniques.
- **Content Dissemination:** Sharing political messaging across multiple linguistic groups.
- **Platform Abuse:** Mass termination of coordinated networks primarily involving YouTube channels, Blogger blogs, and the blocking of specific domains from Google surfaces.
## Targeting
| Actor Group | Sectors | Geography/Language Focus | Victims/Narrative Targets |
| :--- | :--- | :--- | :--- |
| **Russia-linked** | General Public Opinion | Ukraine, West (NATO), Moldova | Ukrainian government, Western policies |
| **Turkey-linked** | General Public Opinion | Turkey (Turkish language) | Israel (in one subset); Turkish government support |
| **Azerbaijan-linked** | General Public Opinion | Azerbaijan, Armenia (Azerbaijani language) | Armenian government, Azerbaijani critics |
| **PRC-linked** | Diplomatic/Foreign Affairs Observers | US, China (Chinese, English) | US foreign policy |
| **Indonesia-linked** | Domestic Politics | Indonesia (Bahasa) | Indonesian Government, West Java government, specific political figures |
| **Iran-linked** | Regional Geopolitics | Azerbaijan (Azerbaijani), Arabic-speaking regions | Azerbaijan, Iranian government support |
| **Romania-linked**| Domestic/Regional Politics | Moldova, EU (Romanian) | Moldovan government, local political parties |
| **Philippines-linked**| Domestic Politics | Philippines (Tagalog) | Government of the Philippines |
## Tools & Infrastructure
The primary indicators cited are platform account types and domain blocks, not traditional malware or specific C2 infrastructure.
- **Platform Assets Terminated:** Thousands of YouTube channels, multiple Blogger blogs, Ads accounts.
- **Infrastructure Disruption:** Domains blocked from appearing on Google News surfaces and Discover. (Specific domains were not provided in defanged format in the source text).
## Implications
The Q3 2025 data indicates sustained, high-volume use of influence operations globally by state actors, especially Russia and Azerbaijan, alongside significant activity from Turkey, Iran, and the PRC. The operations covered a wide spectrum, including active kinetic conflict support (Russia/Ukraine, Azerbaijan/Armenia) and domestic political alignment (Turkey, Indonesia, Philippines). The scale of network termination, especially the 6,484 PRC-linked channels, highlights continued reliance on coordinated inauthentic behavior on video platforms.
## Mitigations
* **Continuous Network Monitoring:** Maintain vigilance for large-scale channel terminations and domain blocks across high-volume platforms like YouTube.
* **Linguistic Contextual Analysis:** Monitor cross-border messaging campaigns that shift languages rapidly (e.g., Russia targeting Polish, German, French speakers).
* **Geopolitical Focus:** Intensified defense against state-aligned narratives concerning ongoing regional conflicts (e.g., Ukraine, Armenia/Azerbaijan).
* **Trust Signals Enforcement:** Proactive blocking of known associated domains from surfacing in news aggregation products.