At least two out of ten Leonardo employees are now also shareholders of the Group. The percentage increases in the United Kingdom, where the take-up rate in the first step of the Employee Share Ownership Plan promoted by Chief Executive Officer Roberto Cingolani reached 35%. On average, considering other geographies such as Poland and the United States, approximately 11,000 employees subscribed to Leonardo shares, representing 22% of the workforce.
As explained by Antonio Liotti, Chief People and Organisation Officer of Leonardo, “The objective was to reach 15%, so we went beyond expectations.” The plan was supported by an internal communication campaign that highlighted the incentive mechanisms, such as the free allocation of shares, additional bonuses and flexible subscription methods.
In support of participants, a digital simulator was also developed to assess different scenarios over time, with the aim of encouraging stable participation. Take-up was higher among employees under 40. A result which, as Antonio Liotti points out, “stems from having a large number of young people among our workforce, thanks to a strong recruitment plan that has led to 20,000 hires over three years.”
Looking towards the future, Liotti explains how “with the next tranches of the plan we aim to involve a greater number of shop-floor workers. This is also part of a growth path that we are supporting through a broad digitalisation process.”
The plan includes three allocation cycles (2025, 2026, 2027), with the next window scheduled between June and September 2026.
A dozen red roses may say “I love you”, but many conventional bouquets carry an environmental price, having been imported by air, dipped in chemicals and wrapped in plastic.
Valentine’s Day is second only to Mother’s Day for sales of cut flowers, a popular choice for the millions of Australians planning to buy gifts for that special someone.
About 13m rose stems were imported into Australia for Valentine’s Day last year, according to the agriculture department.
But many are now seeking alternatives: blooms for a romantic gesture without the thorn of environmental impacts.
“We’ve seen a continuing trend since 2020 of people wanting to choose more sustainable bunches and more locally grown flowers,” says Anna Jabour, chief executive of Flower Industry Australia.
Imported blooms bring environmental baggage
About half of the fresh flowers sold in Australia are imported, Jabour says, which means they arrive at supermarkets and florists with larger chemical and carbon footprints than locally grown bouquets.
Approximately 262m stems of fresh-cut flowers and foliage were imported into Australia in 2025, according to government data. Most are air-freighted from Kenya, Malaysia, Ecuador, Vietnam and China.
The chemicals used to grow them are mostly unknown, Jabour says. There’s no chemical manifest required, she says, which means those handling them – wholesalers, florists and customers – don’t know what pesticide or herbicide residues they’re being exposed to.
“I know quite a few florists who have stopped using imports because they develop skin issues or they develop headaches,” she says.
Australia’s biosecurity rules also stipulate that most imported flowers are dipped in the herbicide glyphosate and fumigated with the pesticide methyl bromide. The federal government is reviewing these conditions.
The transport and chemicals make it “a much more harmful road into Australia”, she says.
Shop local and seasonal
The huge demand for conventional red roses on Valentine’s Day amplifies the problem, says Michael Pavlou, who owns Bush Flowers in Melbourne.
“That basically creates the need to bring them from overseas, because the local growers can’t produce enough of that one thing, for just one day. It’s not how growing works.”
Pavlou suggests choosing something different that’s still “bright and happy and beautiful”. It could be as simple as choosing a different-coloured rose, he says, or something locally grown and in season, like hydrangeas or dahlias.
Lisianthus, sunflowers, zinnias and cosmos are other options likely to be in season in Australia around Valentine’s Day.
Pavlou’s business is dedicated to celebrating the diversity of Australian native flowers, with bunches featuring unique and seasonal varieties, including many lesser-known species. It’s a counterpoint to commercial bunches of “natives”, often containing South African varieties such as proteas and leucadendrons.
Most locally grown flowers come from Victoria, followed by Western Australia and Queensland, according to government data.
Sourcing locally can be weather-dependent, Pavlou says, but he hopes to bring colour and warmth to Valentine’s bouquets with varieties such as flowering gum, paper daisies, or a feathery pink flower called mulla mulla.
But with no country-of-origin labelling for cut flowers, it can be hard for consumers to tell where they’ve been grown. Pavlou says one solution is to buy directly from local growers at the farmers’ market or from roadside stalls. Another is to ask your local florist.
Flowers are a bit like fruit, Pavlou says. “You can bring in fruit out-of-season from other places, but it never tastes as good as what’s in season.
“When they’re in season, they’re vibrant, they last.”
The connection to seasonal changes in the environment is an aspect that’s lost when importing flowers. “It’s catering to our desire to have everything where we want it, instead of just enjoying the subtle changes in the seasons.”
If your sweetheart has a garden, why not give them something to plant? Australian native seed bombs, for example, are a simple way to share the gift of wildflowers. These are usually small balls of air-dried potting mix and seeds that can be thrown on to soil without digging.
Wear your heart on your sleeve
Plastic is widely used in the cut flower industry. A lot of bouquets come wrapped in plastic sleeves, or are stuck in green floral foam.
Sleeves help protect flowers when they are being transported, stored and displayed, but the Sustainable Floristry Network estimates they contribute to 500 tonnes of plastic waste sent to landfill in Australia each year.
For Valentine’s Day, the network recommends buying local and in-season flowers where possible, and requesting simple packaging such as a hand-tied bouquet, paper wrapping or an upcycled vessel.
Generative AI (GenAI) has become a focal point in debates on productivity and the future of work. Yet systematic firm-level evidence remains scarce, reflecting the technology’s novelty and the speed of its diffusion. Task-based studies document sizeable performance gains in specific activities (Noy and Zhang 2023, Brynjolfsson et al. 2025, Maršál and Perkowski 2025). However, translating micro evidence into estimates of aggregate productivity gains remains challenging (Brynjolfsson et al. 2021, Bergeaud 2024, Acemoglu 2025, OECD 2025).
In this column, we draw on the Bundesbank Online Panel – Firms (BOP-F), a representative survey of the German corporate sector. Using the Q2 2025 wave, covering more than 7,000 firms in manufacturing and services, we document firms’ past, current, and planned GenAI adoption on both the extensive and intensive margins, associated costs, and firms’ perceived effects on key economic outcomes, including productivity, employment by skill group, and wages (Falck and Nagengast 2026).
Two-speed diffusion: Fast take-up, gradual deepening
On the extensive margin, the survey results point to a rapid expansion of GenAI adoption from 2024 to 2026 in the German corporate sector. The share of firms reporting that they use – or expect to use – generative AI increased from 26% in 2024 to 44% in 2025, reaching 56% in 2026 (Figure 1, left panel).
Figure 1 GenAI adoption in German firms
Notes: Firms reported GenAI intensity in intervals (0%; 1–5%; 6–10%; 11–20%; 21–40%; 41–60%; and >60% of working hours). To compute the average intensity, we assign each firm the midpoint of its selected interval (0%, 3%, 8%, 15.5%, 30.5%, 50.5%, and 60% for the open-ended top bin). The lower and upper bounds shown in the figure are computed analogously by assigning the lower and upper endpoints of each interval. For the open-ended top category (>60%), we use 60% as an upper cap. All statistics are computed using firm weights to obtain representative estimates.
A key advantage of our survey is that it goes beyond a binary yes/no adoption measure and directly quantifies usage intensity, defined as the share of total working hours during which employees use generative AI. The right panel of Figure 1 shows that among firms reporting GenAI use throughout 2024–2026 (‘early adopters’), the average share of working time involving GenAI rises from about 7.5% in 2024 to 10.2% in 2025 and is expected to increase to 12.6% in 2026. Over the same period, the average across all GenAI-using firms increases more gradually, from about 7.5% in 2024 to around 8.9% by 2026, because entrants typically start with comparatively low intensity (around 6–7% in their first year of adoption) and scale up only over time. Put differently, much of the growth in effective exposure to GenAI comes from deepening use within incumbent adopters, while compositional change, with new adopters starting small, mechanically dampens the rise in average intensity as diffusion continues.
Less prompt for the buck: Sizeable GenAI spending, diminishing marginal gains
A natural question is how the rapid diffusion documented above affects AI-related expenditures, an aspect on which there is still very little information. To capture this, we asked firms to estimate their total GenAI-related expenditure as a share of annual sales, covering both one-off and recurring outlays, such as external service providers, hardware and software, internal and external personnel costs, training, and licensing and maintenance fees (Figure 2, left panel). Among firms actually using or planning to use the technology, average spending increases from roughly 1.0% of sales in 2024 to 1.2% in 2025 and 1.5% in 2026. For the German economy as a whole, a back-of-the-envelope calculation suggests that AI-related expenditures rise from 0.3% of aggregate sales in 2024 to 0.5% in 2025 and reach 0.8% in 2026. This is economically non-negligible, likely putting GenAI spending in the same ballpark as some ‘classic’ digital investment categories in macro data.
Figure 2 GenAI spending by German firms
Notes: Right panel: The very high-expenditure tail is difficult to characterise because the top category is open-ended (i.e., right-censored at ≥10% of sales). Hence, we disregard this category in the figure.
Spending and use intensity are closely related, but over the observed range, the cost-intensity schedule is concave (Figure 2, right panel). Firms in the lowest cost brackets (including zero-cost users) already report non-trivial GenAI use, consistent with trial adoption based on free tools or low-tier subscriptions. As expenditure rises through the mid-range, intensity increases but at a declining marginal rate, suggesting diminishing returns once easily scalable applications have been implemented and organisational complements become binding (Bresnahan et al. 2002, Brynjolfsson et al. 2021). Early adopters and information/communication firms lie systematically above the aggregate relationship, consistent with stronger complementary capabilities and a task mix that is more amenable to GenAI.
The composition of GenAI spending is striking. For most users, one-off implementation costs – such as external consulting and hardware – account for less than 25% of total expenditure, with only a modest increase expected over time (Figure 3, left panel). One notable exception is larger firms, which tend to report a higher fixed-cost share, consistent with a more setup-heavy implementation model (Figure 3, right panel). Overall, this pattern indicates that GenAI is integrated primarily through an ‘operating expense’ model, such as recurring subscriptions and permanent IT staff. This shift also has implications for measurement and cyclicality: because many AI-related outlays are recorded as intermediate consumption rather than capital (Highfill et al. 2025), investment-based measures may understate technology deepening and mechanically overstate the productivity residual, while a service-flow model can make usage more responsive to cash-flow conditions than sunk IT investment (DeStefano et al. 2025).
Figure 3 Share of fixed costs for GenAI
Great expectations: Productivity up, stronger high-skill demand, rising wages
Two findings stand out in firms’ assessments of GenAI’s economic effects (Figure 4). First, among adopters (and near-term adopters), productivity expectations are decisively positive. The share of (current or prospective) GenAI users expecting labour productivity to increase by at least 2% rises from 46% (2024) to 51% (2025) and 54% (2026); around one-quarter even expect gains of 5% or more, while only about 4–5% foresee productivity losses.
These magnitudes are not economy-wide forecasts, but they echo the macro literature’s generally optimistic view of AI’s growth potential (Bergeaud 2024, Acemoglu 2025, OECD 2025).
Figure 4 Expected effects of GenAI use in German firms
Second, firms’ labour-market expectations are modestly positive overall with net gains in high-skill jobs and a gradual upward drift in wages. For high-skill employment, about two-thirds expect changes within ±1%, but the tails are asymmetric: in 2026, 28% anticipate growth of at least 2%, versus 8% expecting a decline of at least 2%, consistent with GenAI being perceived as complementary to high-skill work. Low-skill employment expectations are close to balanced on average and concentrated on ‘no change’.
Wages are mostly expected to be stable, yet tilt upward over time: the share of firms expecting wage growth of ≥2% rises from 19% in 2024 to 26% in 2026. In Acemoglu’s (2025) task-based framework, this pattern suggests that adopters expect displacement to be more than offset by task complementarities and the expansion of human tasks – an interpretation worth flagging, given exposure-based measures that emphasise sizeable potential impacts in white-collar tasks (Eloundou et al. 2023).
Authors’ note: This column represents the authors’ personal opinions and does not necessarily reflect the views of the Deutsche Bundesbank or the Eurosystem.
References
Acemoglu, D (2025), “The simple macroeconomics of AI”, Economic Policy 40(121): 13–58.
Bencivelli, L, L De Masi, E Falck, A Fernández Cerezo, S Formai, I H Bricio, E Mattevi, and A Nagengast (2026), “Embracing AI in Europe: New evidence from harmonized central bank business surveys”, VoxEU.org, 6 January.
Bergeaud, A (2024), “The past, present and future of European productivity”, paper prepared for ECB Forum on Central Banking.
Bresnahan, T F, E Brynjolfsson, and L M Hitt (2002), “Information technology, workplace organization, and the demand for skilled labor: Firm-level evidence”, Quarterly Journal of Economics 117(1): 339–76.
Brynjolfsson, E, D Li, and L Raymond (2025), “Generative AI at work”, The Quarterly Journal of Economics 140(2): 889–942.
Brynjolfsson, E, D Rock, and C Syverson (2021), “The productivity J-curve: How intangibles complement general purpose technologies”, American Economic Journal: Macroeconomics 13(1): 333–72.
DeStefano, T, R Kneller, and J Timmis (2025), “Cloud computing and firm growth”, Review of Economics and Statistics 107(6): 1638–51.
Eloundou, T, S Manning, P Mishkin, and D Rock (2023), “GPTs are GPTs: An early look at the labor market impact potential of large language models”, arXiv:2303.10130.
Falck, E, and A Nagengast (2026), “Scaling generative AI: Diminishing marginal returns and firm-level outcomes”, SSRN.
Highfill, T, D Wasshausen, and G Prunchak (2025), “Concepts and challenges of measuring production of artificial intelligence in the US economy”, BEA Working Paper Series WP2025-1.
Maršál, A, and P Perkowski (2025), “Task-based returns to generative AI: Evidence from a central bank”, VoxEU.org, 31 July.
Noy, S, and W Zhang (2023), “The productivity effects of generative artificial intelligence”, VoxEU.org, 7 June.
OECD (2025), “Macroeconomic productivity gains from artificial intelligence in G7 economies”, OECD Artificial Intelligence Papers No. 41.
Irvine, CA – February 6, 2026 – Johnson & Johnson today announced 12-month pilot-phase data from the OMNY-AF study, evaluating the investigational OMNYPULSE Platform for the treatment of symptomatic paroxysmal atrial fibrillation (AFib), during the 31st Annual AF Symposium in Boston. Initial results for 12-month outcomes across the 30-patient pilot cohort show investigators achieved 100% acute procedural success with no procedure-associated adverse events, while 56.7% of cases were performed with zero fluoroscopy and 90% of patients achieved primary effectiveness at 12 months.i
OMNY-AF is a prospective, single-arm, multi-center clinical trial conducted across more than 40 sites in the U.S. and Australia.i The study pairs the OMNYPULSE Catheter, a 12 mm large-tip focal catheter featuring contact-force sensing and bipolar, biphasic pulse delivery with the TRUPULSE Generator. This integrated design combines precise mapping, controlled energy delivery and live feedback through the PF index on the CARTO 3 System.ii The OMNYPULSE Platform is not currently approved in any region of the world.
“The 12-month data provide encouraging early evidence on the OMNY-AF study with promising safety outcomes – no procedure-related adverse events or MRI-detected cerebral lesions – across eight centers in the pilot phase i. In my cases during the ongoing OMNY-AF trial, the seamless integration of advanced mapping, ultrasound, and PF Index with contact force were valuable for precise and efficient pulsed field energy delivery,” said Dinesh Sharma, M.D.1, Section Head of Cardiac Electrophysiology at the Naples Heart Institute, the study presenting author.
Alongside the OMNY-AF data, Johnson & Johnson is highlighting new findings related to the VARIPULSE Platform. Data presented by Andrea Natale, M.D.2, and simultaneously published in JACC Clinical Electrophysiology, by Moussa Mansour, M.D.3 examined the incidence of neurovascular events following the workflow enhancements and the introduction of an optimized irrigation flow rate. Notably, the platform sustained a low neurovascular event rate of 0.22% in 6,811 patients after implementation of both workflow enhancements and the updated irrigation rate.ii
Additional VARIPULSE Platform data presented at AF Symposium adds to the growing body of evidence underscoring the platform’s consistent and favorable safety profile across a range of clinical and real-world settings, including:
VARISURE Safety survey data presented by Christopher Porterfield, M.D.4: Early results from this physician survey on 850 procedures indicated low complication rates with a 1.9% rate of primary adverse events, a 0.2% incidence of neurovascular events and no reported cases of coronary spasm or death. Same-day discharge was achieved in 87.9% of patients.iii
REAL AF registry analysis presented by Mohammad-Ali Jazayeri, M.D.5: Results from the REAL AF registry showed excellent acute safety outcomes of the VARIPULSE Catheter, with a low overall acute safety event rate of 0.5% with no neurovascular events, high rates of same-day discharge and no observed differences in safety outcomes across AFib classifications.iv
Irrigation Flow Optimization research presented by Fengwei Zou, M.D.6: Preclinical data demonstrated parity between the 4 mL/min and 30 mL/min irrigation rates in microbubble generation, hemolysis and lesion depth when using the VARIPULSE Catheter, while confirming that higher irrigation significantly reduced electrode surface heating.v
“These data reinforce confidence in the consistency of safety outcomes observed across Johnson & Johnson’s electrophysiology portfolio. As a relatively new energy modality, pulse field ablation technologies should be individually evaluated for safety and reproducibility in atrial fibrillation ablation,” said Gregory Michaud, M.D., Chief Medical and Scientific Officer, Electrophysiology, MedTech, Johnson & Johnson. “As pulsed field ablation continues to evolve, rigorous evidence generation and transparent data sharing will be essential to advancing the science and enabling the next wave of innovation with this technology.”
Johnson & Johnson remains committed to evidence-driven innovation that advances patient care and informs clinical decision-making across its electrophysiology portfolio. These efforts are supported by the CARTO 3 System, the world’s leading cardiac mapping system7.
About The OMNY-AF Study The OMNY-AF study is a prospective, single-arm, multi-center study evaluating the clinical safety and effectiveness of the OMNYPULSE Catheter for the treatment of symptomatic paroxysmal AFib. Up to 440 enrolled subjects will undergo an ablation procedure with the OMNYPULSE Platform. The primary safety endpoint in the study is the occurrence of Primary Adverse Events within seven days of the ablation procedure. The primary effectiveness endpoint is freedom from documented (symptomatic and asymptomatic) atrial tachyarrhythmia episodes based on electrocardiographic data and additional failure modes during the effectiveness evaluation period over a 12-month period.
About the VARIPULSE Platform The VARIPULSE Platform is Johnson & Johnson MedTech’s Pulsed Field ablation system. The fully integrated platform includes the VARIPULSE Catheter, TRUPULSE Generator, and CARTO 3 Mapping System VARIPULSE Software. The Platform is now approved for use in the United States, Europe, Asia Pacific, Canada, and Latin America.
Cardiovascular Solutions from Johnson & Johnson MedTech Across Johnson & Johnson, we are tackling the world’s most complex and pervasive health challenges. Through a cardiovascular portfolio that provides healthcare professionals with advanced mapping and navigation, miniaturized tech, and precise ablation we are addressing conditions with significant unmet needs such as heart failure, coronary artery disease, stroke, and atrial fibrillation. We are the global leaders in heart recovery, circulatory restoration, and the treatment of heart rhythm disorders, as well as an emerging leader in neurovascular care, committed to taking on two of the leading causes of death worldwide in heart failure and stroke. For more, visit biosensewebster.com.
About Johnson & Johnson At Johnson & Johnson, we believe health is everything. Our strength in healthcare innovation empowers us to build a world where complex diseases are prevented, treated, and cured, where treatments are smarter and less invasive, and solutions are personal. Through our expertise in Innovative Medicine and MedTech, we are uniquely positioned to innovate across the full spectrum of healthcare solutions today to deliver the breakthroughs of tomorrow and profoundly impact health for humanity. Learn more about our MedTech sector’s global scale and deep expertise in surgery, orthopaedics, vision, and cardiovascular solutions at https://thenext.jnjmedtech.com. Follow us at @JNJMedTech and on LinkedIn.
Cautions Concerning Forward-Looking Statements This press release contains “forward-looking statements” as defined in the Private Securities Litigation Reform Act of 1995 related to Collaborative Outcomes Registry for Evidence in Ventricular Arrhythmias. The reader is cautioned not to rely on these forward-looking statements. These statements are based on current expectations of future events. If underlying assumptions prove inaccurate or known or unknown risks or uncertainties materialize, actual results could vary materially from the expectations and projections of Johnson & Johnson. Risks and uncertainties include, but are not limited to: competition, including technological advances, new products and patents attained by competitors; uncertainty of commercial success for new products; the ability of the company to successfully execute strategic plans; impact of business combinations and divestitures; challenges to patents; changes in behavior and spending patterns or financial distress of purchasers of health care products and services; and global health care reforms and trends toward health care cost containment. A further list and descriptions of these risks, uncertainties and other factors can be found in Johnson & Johnson’s most recent Annual Report on Form 10-K, including in the sections captioned “Cautionary Note Regarding Forward-Looking Statements” and “Item 1A. Risk Factors,” and in Johnson & Johnson’s subsequent Quarterly Reports on Form 10-Q and other filings with the Securities and Exchange Commission. Copies of these filings are available online at www.sec.gov, www.jnj.com, www.investor.jnj.com or on request from Johnson & Johnson. Johnson & Johnson does not undertake to update any forward-looking statement as a result of new information or future events or developments.
1 Dr. Sharma served as a study investigator and as a consultant for Johnson & Johnson. Dr. Sharma was not compensated for this authorship contribution. 2 Dr. Natale served as a study investigator and as a consultant for Johnson & Johnson. Dr. Natale was not compensated for this authorship contribution. 3 Dr. Mansour served as a study investigator and as a consultant for Johnson & Johnson. Dr. Mansour was not compensated for this authorship contribution. 4 Dr. Porterfield served as a study investigator and as a consultant for Johnson & Johnson. Dr. Porterfield was not compensated for this authorship contribution. 5 Dr. Jazayeri served as a study investigator and as a consultant for Johnson & Johnson. Dr. Jazayeri was not compensated for this authorship contribution. 6 Dr. Zou served as a study investigator and as a consultant for Johnson & Johnson. Dr. Zou was not compensated for this authorship contribution. 7 J&J MedTech US EP Market Dynamics. Source: DRG Clarivate. Data Latency: 8 weeks. Market Coverage: ~35% US Hospitals.
Footnotes i Weisman D, Khanna R, Maccioni S, Rong Y, Al-Azizi KM. Pulsed field ablation using a large-tip focal catheter with 3D mapping integration: early outcomes from the OMNY-AF single-arm pilot study. Presented at: AFib Symposium; February 6, 2026; Boston, MA. ii Mansour M, Michaud G, Di Biase L, Zei P, Sauer W, Heist K, Nair D, Reddy V, Natale A. Reduced neurovascular events following workflow and irrigation adjustments with a variable loop circular catheter for pulse field ablation. Presented at: AFib Symposium; February 5–7, 2026; Boston, MA. iii Porterfield C, Munjal J, Hushion M, Varley A, Haas P, Quin EM, Rouse C, Krishnan K, Marrouche N. The variable loop circular catheter safety survey (VARISURE): early results. Presented at: AFib Symposium; February 5-7, 2026; Boston, MA. iv Jazayeri M, Khaykin Y, Morales G, Joshi N, Silva J, Hughey A, Steckman D, Osorio J, Zei P, Koplan B, Silverstein J, Ebinger M, Greenberg J, Dominic P, Conti S, Quadros K, Saleem M, Smith M, Gampa A, Porterfield C, Krishnan K. Acute safety profile of variable loop circular catheter pulsed field ablation for paroxysmal and persistent atrial fibrillation in the REAL AF registry. Presented at: AFib Symposium; February 5-7, 2026; Boston, MA. v Zou F, Zhang X, Gomez T, Byun E, Chen Q, Marazzato J, Schiavone M, Mohanty S, La Fazia VM, Motta J, Zamora C, Pandey S, Safren L, Safren Y, Grupposo V, Ynoa D, Lin A, Natale A, Guttenplan N, Di Biase L. Irrigation flow optimization during pulsed field ablation: preclinical insights with a variable loop circular catheter (VLCC). Presented at: AFib Symposium; February 5-7, 2026; Boston, MA. vi A Study of Assessment on Safety and Effectiveness of BWI Pulsed Field Ablation With OMNYPULSE Catheter for the Treatment of Paroxysmal Atrial Fibrillation (PAF) (OMNY-AF). Clinicaltrials.gov. Accessed January 30, 2026. vii Jnjmedtech. OMNYPULSE™ Bi-Directional Catheter IFU.
Cloud-based alerting systems often struggle to distinguish between normal cloud activity and targeted malicious operations by known threat actors. The difficulty lies not in an inability to identify complex alerting operations across thousands of cloud resources, or in a failure to follow identity resources, but in accurately detecting the techniques of known persistent threat actor groups specifically within cloud environments.
In this research, we hypothesize how a new method of alert analysis could be used to improve detection. Specifically, we look at cloud-based alerting events and their mapping to the MITRE ATT&CK® tactics and techniques they represent. We believe that we can show a correlation between threat actors and the types of techniques they use, which will trigger specific types of alerting events within victim environments. This distinct, detectable pattern could be used to identify when a known threat actor group compromises an organization.
To prove this method of alert analysis, Unit 42 researchers focused on two known threat actor groups that use two fundamentally different types of operational techniques to compromise their victims’ cloud environments. These groups are the cybercrime group Muddled Libra and the nation-state group Silk Typhoon. Both threat actor groups are known to target cloud operations.
We analyzed cloud alerting events across 22 industries between June 2024 and June 2025.
The research was conducted by pairing the cloud-related MITRE ATT&CK techniques known to be used by Muddled Libra and Silk Typhoon with the specific security alerts they are known to trigger in cloud environments.
The test confirmed, as you will see within the remainder of this article, that security teams can successfully distinguish unique alerting patterns between Muddled Libra and Silk Typhoon based solely on the types of alerts observed.
Additionally, the results show a clear link between threat actors’ cloud-focused operations and the industries those groups target. Therefore, at times when one of the groups was known to be attacking certain industries, we can see those patterns appear in our data.
The confirmation that our detection method works as expected opens the door to the possibility of automated prevention capabilities for complex cloud architectures.
Cortex Cloud is designed to detect and prevent the malicious operations, configuration alterations and exploitations discussed in this article, by associating events with MITRE tactics and techniques. These capabilities help organizations to maintain runtime detection of events.
Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.
If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.
Another Lens on Cloud Alert Trends
Following our previous article on cloud alert trends, we conducted another analysis of cloud alert statistics.
As part of the effort to determine whether we could identify threat groups, this time we analyzed the data in terms of the industries in which cloud alerts were triggered. Adding industry telemetry to the analysis allowed us to focus our efforts on identifying the techniques, and thus the resulting alerts, used by these threat actors as a control parameter. Using alert data pulled between June 2024 and June 2025, we identified the industries that saw the highest number of unique alert types as well as the highest average number of daily alerts. We then correlated these trends with the activities and targets of two threat groups: Muddled Libra and Silk Typhoon.
This article presents our analysis of Muddled Libra and Silk Typhoon operational techniques and the associated alert analysis.
Glossary: Mapping Techniques to Alerts
The research was conducted by analyzing cloud-related MITRE ATT&CK techniques known to be used by Muddled Libra and Silk Typhoon and pairing them with the specific security alerts they are known to trigger in cloud environments. The following glossary will assist readers in understanding the results we present.
Mapping MITRE Techniques to Alerts: A single MITRE technique can potentially trigger multiple unique security alerts, and conversely, a single alert can map to one or more MITRE techniques and tactics. For example, the alert Remote command line usage of serverless function’s token in the Cortex Cloud platform correlates to the MITRE tactic Credential Access, and the MITRE techniques Steal Application Access Token and Unsecured Credentials.
Unique Alert Count: We counted each alert rule only once for the basis of this research. For example, we identified nearly 70 different unique alerting rules that could be attributed to at least one of the 11 different cloud-related MITRE techniques known to be used by Muddled Libra. For Silk Typhoon, we found just over 50 unique alerting rules that could be attributed to at least one of their 12 known cloud-related MITRE techniques. Additionally, we found that only three unique alert rules were present in both Muddled Libra and Silk Typhoon alert rule sets. In some cases, these alerting rules triggered multiple times within our data across multiple organizations, but when we refer to unique alerts within an industry, we are only considering whether an alert triggered at all during the specified period.
Average Daily Occurrences: If a threat actor used the MITRE technique Data from Cloud Storage (T1530), one of the resulting unique Cortex alert rules might be Suspicious identity downloaded multiple objects from a bucket. If this alert is triggered 1,000 times in a single day, it counts as a single unique alert, but the 1,000 occurrences of that alert in that day will be calculated in the average daily occurrences. When we report average alerts per day by industry in the article below, we take the average for each organization within that industry vertical.
To use a metaphor to help explain how we considered alerts, if each alert rule was a type of fruit, we would see that Muddled Libra holds a very different basket of fruit than Silk Typhoon does. In fact, the baskets are so diverse, that out of the nearly 70 different types of fruit Muddled Libra has, and the more than 50 different types of fruit Silk Typhoon has, they only have 3 types of fruit in common.
When we look at alerts triggered within an industry, we might see a variety of fruit scattered about — maybe 10 oranges, 14 lemons and so on. When we analyze the fruit trail in terms of the types of fruit found within a particular industry, compared with the types of fruit found in the baskets we know Muddled Libra or Silk Typhoon to be holding, we can make a reasonable determination of which threat actor was involved.
Methodology
We collected alerts between June 2024 and June 2025 that were triggered on a combination of platforms, including:
Cloud service providers
Container environments
Cloud-hosted applications
SaaS platforms
We then analyzed the alerts based on their unique naming, originating platform, alert date and metadata such as:
Industry
Region
Frequency of occurrence
Average number of occurrences in each organization
As described above, we incorporated the MITRE ATT&CK framework by pairing each alert with its corresponding MITRE technique.
We also analyzed the correlation between the targeted organization’s industry and region and the severity level of the alerts they experienced. This helped to identify the types of alerts that are more likely to occur, based on these factors.
Threat Actor Profiles
Muddled Libra
Background
Muddled Libra (also known as Scattered Spider, or UNC3944) is a cybercrime group that has been active since 2021.
Known for its use of social engineering, including making calls to organizations’ help desks, Muddled Libra has also been known to partner with ransomware-as-a-service (RaaS) programs. By continually updating its approach, the group has successfully used social engineering techniques, including smishing (SMS phishing), vishing (voice phishing) and spear phishing (directly targeting an employee).
Upon successfully compromising an organization, the group uses several tools, including ransomware variants such as DragonForce – a subscription-based RaaS framework created by a group of the same name, tracked by Unit 42 as Slippery Scorpius. The group also uses cloud enumeration tools such as ADRecon, an open source Active Directory reconnaissance tool.
Targeted Industries and Techniques
While Muddled Libra’s targeted industries have evolved since 2022, the following sectors have been consistently reported:
Aerospace and defense
Financial services
High technology
Hospitality
Media and entertainment
Professional and legal services
Telecommunications
Transportation and logistics
Wholesale and retail
Muddled Libra employs multiple offensive techniques to compromise and maintain access within a victim’s environment. We analyzed the group’s known techniques, and extracted those techniques that specifically focus on cloud infrastructure, as Table 1 shows. Together, these form a sort of “fingerprint” that we can use to identify the group within cloud alert data.
Table 1. Known Muddled Libra cloud tactics and techniques.
Methodology Walkthrough
Even though each MITRE Technique is relatively granular in terms of scope of operation, there can be multiple types of computational events from a cloud platform or software-as-a-service (SaaS) application which can fall under the purview or scope of a single MITRE technique.
For example, the MITRE technique T1078.004 – Valid Accounts: Cloud Accounts is focused on the operational event of a valid cloud account. This can have a wide scope in the types of event which can be counted, such as:
Unusual resource modification from a newly seen IAM user
Deletion of multiple cloud resources by a newly created IAM role
A suspicious identity created or updated password for an IAM user
Each of these can be linked to a valid cloud account but each one could have vastly different root causes.
Additionally, when looking specifically at an individual alert type, such as Unusual resource modification from a newly created IAM role, this event could be considered to align not only with the MITRE tactic Initial Access, but it could also align with the MITRE tactics Defense Evasion or even Persistence.
When we expanded our scope to include potential alerting events that could be triggered by any of the MITRE techniques known to be used by Muddled Libra, we found nearly 70 alerting events that could be attributed to at least one of these MITRE techniques.
We collected all of these alerts, which were associated with each of the MITRE techniques known to be used by Muddled Libra. We then distilled those alerts to identify the number of unique alerts that were present within each industry. We also tracked the number of average daily occurrences for each organization within those industries. To use our fruit analogy, we identified the number of unique fruit that the threat actors left at each respective industry (unique alerts), then we also counted how many of each fruit type were present at each organization within that industry (average alert count).
As explained in the Glossary section, we were able to use these numbers to build patterns.
Industry and Technique Analysis
Comparing the triggered alerts and their associated MITRE techniques with the targeted industries shows a correlation between the industries targeted according to public reports and the alerts triggered by Muddled Libra operations. Figure 1 shows this correlation by ranking industries from the highest to the lowest based on the number of unique alerts related to the MITRE techniques listed within Table 1, between June 2024 and July 2025. Industries that were publicly reported as targeted are shown in red.
Figure 1. Count of unique alerts by industry from June 2024-June 2025. Red bars indicate the industries publicly reported as targeted by Muddled Libra.
Figure 2 shows the average daily number of alerts that occurred during the same timeframe.
Figure 2. Count of the average daily alerts by industry from June 2024-June 2025. Red bars indicate the industries publicly reported as targeted by Muddled Libra.
While the highest volume of unique alerts (shown in Figure 1) aligns perfectly with Muddled Libra’s most-reported targets (specifically high technology, wholesale and retail, financial, and professional and legal services), the presence of a number of signature alerts in other sectors shouldn’t be ignored. When an industry like manufacturing or pharma and life sciences or state and local government shows a significant subset of Muddled Libra’s “fingerprint” (for instance, 16 or more unique alert types), it suggests the group could have an active interest in these environments even if we haven’t seen headlines about it. Security teams in these “middle-tier” industries should treat these clusters of unique alerts as early warning signs that these industries are witnessing a significant number of the group’s known operational techniques.
The unique alert data (Figure 1) should be considered alongside average daily alert data (Figure 2) to distinguish between a threat actor’s strategic breadth and their operational persistence. For instance, transportation and logistics serves as a primary example of high-intensity targeting; it ranks sixth in unique alert variety but first in average daily volume, showing a 25% spike in unique alerts in June 2025 alone. This combination indicates that Muddled Libra is not only using a wide array of its signature techniques in this sector but is doing so with higher frequency. We will take a deeper dive into transportation and logistics in the next section.
In contrast, telecommunications and media and entertainment were some of the first and most frequent targets of Muddled Libra in 2022 and 2023, but their standings as the last two positions for average daily alerts in 2024-2025 suggest that these two industries in particular have experienced a saturation effect. Namely, the targeting of these groups may be aging off. They no longer appear to be the key focus of the Muddled Libra actors. The other industries that could also fall into this category are hospitality and aerospace and defense.
For a defender, this data provides a threshold for proactive investigation. A high count of unique alerts (the “variety” of the fruit basket) typically signals a sophisticated, multi-stage intrusion attempt, whereas a high daily average (the “quantity” of fruit) may point to automated scanning or persistent credential stuffing. If your organization sees more than 10 unique Muddled Libra-associated alerts within a 30-day window, it is time to look deeper, regardless of whether your specific industry is currently “trending” in threat intelligence circles. The goal is to move from reactive patching to proactive defense by identifying these actor-specific patterns before they escalate to data exfiltration.
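The two measures defined in the glossary and the 30-day threshold above can be computed as follows. This is an added example, not Unit 42 or Cortex Cloud code: the rule names, organizations, dates and record layout are constructed, and dividing each organization's total by the number of days in the period is an assumed reading of "average daily occurrences".

```python
from collections import defaultdict
from datetime import date, timedelta
from statistics import mean

# Constructed placeholder rule names standing in for one actor's alert-rule
# "fingerprint"; the article's real rule set is not listed on the page.
FINGERPRINT = {f"FP-RULE-{i:02d}" for i in range(1, 13)}

START = date(2025, 5, 1)   # constructed study period
PERIOD_DAYS = 90


def _d(offset):
    """Day at a given offset from the start of the constructed period."""
    return START + timedelta(days=offset)


TL = "transportation and logistics"
HT = "high technology"

# Constructed records: (day, organization, industry, rule name, occurrences that day)
ALERTS = (
    # org-a: 11 distinct fingerprint rules inside 21 days
    [(_d(2 * i), "org-a", TL, f"FP-RULE-{i + 1:02d}", 1) for i in range(11)]
    # one rule fires 1,000 times in a day: one unique alert, 1,000 occurrences
    + [(_d(5), "org-a", TL, "FP-RULE-01", 1000)]
    # a rule outside the fingerprint is ignored by every measure below
    + [(_d(6), "org-a", TL, "UNRELATED-RULE", 50)]
    # org-b: same industry, three rules, low volume
    + [(_d(10 + i), "org-b", TL, f"FP-RULE-{i + 1:02d}", 2) for i in range(3)]
    # org-c: 12 distinct rules, but spaced 8 days apart
    + [(_d(8 * i), "org-c", HT, f"FP-RULE-{i + 1:02d}", 1) for i in range(12)]
)


def unique_alerts_by_industry(alerts, fingerprint):
    """Distinct fingerprint rules that fired at least once, per industry."""
    seen = defaultdict(set)
    for _day, _org, industry, rule, _n in alerts:
        if rule in fingerprint:
            seen[industry].add(rule)
    return {industry: len(rules) for industry, rules in seen.items()}


def avg_daily_by_industry(alerts, fingerprint, period_days):
    """Per-organization daily occurrence average, then averaged per industry."""
    totals = defaultdict(int)  # (industry, org) -> total occurrences
    for _day, org, industry, rule, n in alerts:
        if rule in fingerprint:
            totals[(industry, org)] += n
    per_industry = defaultdict(list)
    for (industry, _org), total in totals.items():
        per_industry[industry].append(total / period_days)
    return {industry: mean(values) for industry, values in per_industry.items()}


def orgs_over_threshold(alerts, fingerprint, window_days=30, threshold=10):
    """First day each organization exceeds `threshold` distinct fingerprint
    rules inside a trailing window of `window_days` days."""
    by_org = defaultdict(list)
    for day, org, _industry, rule, _n in alerts:
        if rule in fingerprint:
            by_org[org].append((day, rule))
    flagged = {}
    for org, events in by_org.items():
        events.sort()
        for end_day, _rule in events:
            window_start = end_day - timedelta(days=window_days - 1)
            distinct = {r for d, r in events if window_start <= d <= end_day}
            if len(distinct) > threshold:
                flagged[org] = end_day
                break
    return flagged


if __name__ == "__main__":
    print(unique_alerts_by_industry(ALERTS, FINGERPRINT))
    print(avg_daily_by_industry(ALERTS, FINGERPRINT, PERIOD_DAYS))
    print(orgs_over_threshold(ALERTS, FINGERPRINT))
```

In the constructed data, org-c shows the widest variety over the whole period but never crosses the 30-day threshold, while the single noisy rule at org-a drives the industry's daily average without adding to its unique count.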
Focused Analysis: Aviation
Reports that Muddled Libra was targeting the aviation industry initially surfaced in June 2025. Unit 42 does not track aviation as a singular category. Instead, aviation organizations appear under our transportation and logistics category.
When looking at the transportation and logistics industry alerts, we found an increase in the number of unique alerts based on the MITRE techniques used by Muddled Libra during this same timeframe.
It is important to note that here we are looking at the number of unique alert rules for this analysis and breaking this out by month, as opposed to the whole year view shown in Figure 1. We arrive at “unique alerts” for the industry by taking the average number of unique alerts seen for each organization tracked in that category over a monthly timeframe.
Figure 3 shows that the average number of unique alerts per organization in the transportation industry increased by 25% from May-June 2025. What makes this finding important is that Muddled Libra made several headlines during June 2025 for its operations targeting airline organizations.
Figure 3. Unique alerts by month for the transportation industry. The bar for June is red because it is the period publicly reported to have the highest targeting of the aviation industry.
As illustrated in Figure 3, June 2025 saw the highest number of unique alerts for the transportation industry, with 15 unique alerts.
The Verdict on the Fingerprinting Effort
Looking at the correlation, there does appear to be a fingerprint capability that could be used as a detection pattern. This pattern could help organizations identify if they are potentially targeted and take mitigative steps. Additionally, this could also assist organizations in developing an early warning detection trigger. For example, if defenders witness an increase in the average daily occurrences of alerts from known Muddled Libra techniques, this could indicate reconnaissance or discovery activity occurring against their infrastructure. This then provides an opportunity to proactively prepare for future operations.
Top 10 Alerts from Muddled Libra Techniques
Table 2 lists the top 10 alerts that we observed in association with Muddled Libra’s MITRE techniques.
Alert Names | MITRE Techniques | Tactics
Azure sensitive resources enumeration activity using Microsoft Graph API | T1526 | Discovery
Microsoft 365 storage services exfiltration activity | T1530 | Collection, Exfiltration
Multi region enumeration activity | T1580, T1535, T1526 | Discovery
Storage enumeration activity | T1619, T1530, T1526 | Discovery, Collection
Cloud Identity Queried Cost or Usage Information | T1087.004, T1580 | Discovery
A cloud identity invoked IAM related persistence operations
Table 2. The top 10 alerts associated with Muddled Libra’s MITRE techniques.
As outlined in Table 2, Muddled Libra has an extensive history of targeting Microsoft Azure environments using Graph API, a RESTful API that enables access to Azure cloud resources. This type of activity correlates with the MITRE techniques used by Muddled Libra and the alerts triggered by their operations. The most frequent alert between June 2024 and June 2025, in relation to the MITRE techniques used by Muddled Libra, was resource enumeration using Microsoft Graph API. The next most common alert was for exfiltration activity from Microsoft 365 storage services. While discovery operations represented the bulk of the remaining alert types, collection and exfiltration operations were the second most frequent alert type.
Silk Typhoon
Background
Silk Typhoon (also known as HAFNIUM) is a China-nexus threat actor group that has been in operation since at least 2021. This group has historically exploited multiple vulnerabilities on Microsoft Exchange Servers. In recent years, the group appears to be shifting targets towards cloud environments, using compromised credentials obtained via vulnerable public-facing VPN endpoints to move laterally through cloud environments. The group relies on remote monitoring and management (RMM) tools to maintain persistent access and leverages Microsoft’s Graph API to enumerate cloud resources.
Targeted Industries and Techniques
Cybersecurity researchers have identified that the industries most commonly targeted, primarily located within the U.S., include:
Education
High technology
Federal governments
Financial services
Nongovernmental organizations (NGOs)
Professional and legal services
State and local governments
Utilities and energy
Silk Typhoon has employed several offensive techniques to compromise and maintain access within a victim’s environment. Using the same methodology that was employed during the Muddled Libra analysis above, we analyzed the techniques and identified those that focus on cloud infrastructure, as Table 3 shows. We found that between Silk Typhoon and Muddled Libra’s known employed technique usage, only three techniques were employed by both threat actor groups, T1530, T1078.004 and T1098.001. This provides a basis on which to compare and contrast the results between both groups’ operations and, more importantly, on the types of alerts witnessed by organizations in the industries they target.
MITRE Tactics | MITRE Techniques | MITRE Technique Name
Collection | T1119 | Automated Collection
Collection | T1530 | Data from Cloud Storage
Credential Access | T1555.006 | Credentials from Password Stores: Cloud Secrets Management Stores
Defense Evasion, Lateral Movement | T1550.001 | Use Alternate Auth Material: Application Access Token
Defense Evasion, Persistence, Privilege Escalation, Initial Access | T1078.004 | Valid Accounts: Cloud Accounts
Discovery | T1619 | Cloud Storage Object Discovery
Exfiltration | T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage
Table 3. Known Silk Typhoon cloud tactics and techniques.
Methodology Walkthrough
As a brief recap to the methodology of our research, we analyzed the types of alerting events that could be associated with each of the MITRE Techniques known to be used by Silk Typhoon. When we included potential alerting events that could be triggered by any of the MITRE Techniques known to be used by Silk Typhoon, we found just over 50 alerting events that could be attributed to at least one of these MITRE Techniques.
We collected all of these alerts and distilled those alerts to identify the number of unique alerts that were present within each industry and the number of average daily occurrences of those alerts for each organization within those industries.
To use the same analogy as above, we wanted to identify what types of fruit Silk Typhoon brought to the party, and how many pieces of fruit they typically deploy when attacking.
Industry and Technique Analysis
We compared the total number of unique alerts for each month from June 2024 to June 2025 with the industries from which those alerts were triggered. This comparison confirmed that we were able to see the “fingerprints” of Silk Typhoon in the alerts triggered in industries that the group was known to be targeting.
As mentioned, Silk Typhoon had just over 50 unique alerts associated with their known technique usage, where Muddled Libra had nearly 70.
In contrast, we saw higher numbers of unique alerts within each industry when examining our Silk Typhoon data than we did in our Muddled Libra data.
In other words, Silk Typhoon may be holding a basket with fewer types of fruit (50) than Muddled Libra’s (70), but the threat actor seems to use more types from the basket in its operations (i.e., as many as 27 unique alerts as opposed to 22).
The graph in Figure 4 shows our observations of alerts by industry over the period studied.
Figure 4. Count of unique alerts and average daily alerts by industry. Red bars indicate the industries publicly reported as targeted by Silk Typhoon.
Figure 5. Count of the average daily alerts by industry. Red bars indicate the industries publicly reported as targeted by Silk Typhoon.
While the highest volume of unique alerts aligns with Silk Typhoon’s most-reported targets—specifically high technology, financial services, and professional and legal services—the presence of signature alerts in other sectors is equally telling. When an industry like wholesale and retail or manufacturing shows a significant subset of Silk Typhoon’s “fingerprint” (for instance, 18 or more unique alert types), it indicates that the group could be actively deploying their offensive techniques against these industry environments. This could be occurring even if public reporting is minimal or nonexistent at this date. Security teams in these “middle-tier” industries should treat these clusters of unique alerts as evidence that they are witnessing a broad spectrum of the group’s known operational techniques, rather than isolated incidents.
The unique alert data for Silk Typhoon (Figure 4) should be considered alongside average daily alert data (Figure 5) to distinguish between a threat actor’s strategic breadth and their operational persistence. To return to our metaphor, Silk Typhoon holds a “basket” with fewer types of fruit (50) than Muddled Libra (70), but they tend to use more of what is in their basket at any given time. For example, we witnessed as many as 27 unique alerts in a single sector compared to Muddled Libra’s 22.
The federal government serves as a primary example for high-intensity targeting. This industry ranks last in the number of unique alerts, or rather in variety, i.e., the “types of fruit” in its basket, but first in average daily volume, peaking at 7.28 alerts per day (the “quantity of fruits witnessed”). This suggests that while Silk Typhoon may use a narrower set of techniques against government targets, it deploys those specific tactics with relentless frequency. Conversely, high technology shows a “worst-of-both-worlds” scenario, ranking first in unique tactical variety and near the top for daily volume. This indicates campaigns that are both sophisticated and persistent.
Similar to our comments on unique alerts, when we see a high level of activity possibly related to the threat group, it may be worthwhile for defenders to hunt for other known alerts related to Silk Typhoon, out of an abundance of caution. High levels of average alert activity could signify threat groups trying to gain initial access, but not yet succeeding in deploying their full toolset.
For a defender, this data provides a threshold for proactive investigation: a high count of unique alerts (the “variety” of the fruit basket) typically signals a sophisticated, multi-stage intrusion attempt, whereas a high daily average (the “quantity” of fruit) may point to automated scanning or persistent exploitation of specific vulnerabilities. If an organization observes more than 10 unique Silk Typhoon-associated alerts within a month, it is time to look deeper, regardless of whether a specific sector is making headlines as a common target.
Top 10 Alerts from Silk Typhoon Techniques
Table 4 lists the alerts most commonly seen in relation to the MITRE techniques used by Silk Typhoon.
Alert Names | MITRE Techniques | Tactics
Microsoft O365 storage services exfiltration activity | T1530 | Collection, Exfiltration
Process execution with a suspicious command line indicative of the Spring4Shell exploit | T1190 | Initial Access
Storage enumeration activity | T1619 | Discovery
A cloud identity invoked IAM related persistence operations | T1098 | Persistence, Privilege Escalation
Suspicious identity downloaded multiple objects from a bucket | T1530, T1020 | Collection, Exfiltration
Suspicious identity downloaded multiple objects from a backup storage bucket | T1530, T1020 | Collection, Exfiltration
An identity performed a suspicious download of multiple cloud storage objects | T1530, T1020 | Collection, Exfiltration
An identity performed a suspicious download of multiple cloud storage objects from multiple buckets | T1530, T1020 | Collection, Exfiltration
Massive code file downloads from SaaS service | T1530 | Collection
Deletion of multiple cloud resources | T1485 | Impact
Table 4. The top 10 alerts associated with Silk Typhoon’s MITRE techniques.
As outlined in Table 4, collection and exfiltration techniques were the most common alerts associated with Silk Typhoon’s MITRE techniques. Microsoft 365 storage services exfiltration was the most frequently observed alert. Other alerts identified include cloud storage enumerations and suspicious downloads of cloud storage objects.
Industry Cloud Alert Trends
Perhaps the most striking result of our research came to light when we compared general cloud alerting trends with the trends we discovered while performing the fingerprinting analysis of Muddled Libra and Silk Typhoon.
The industry of high technology was consistently the top ranked industry when considering general cloud alerting trends, as well as the two threat actor groups’ alerting trends. However, the remaining industries we studied did not follow a uniform pattern. As shown in Figure 6, we found that the order of the most targeted industries shifted when we only counted alerts from Muddled Libra and Silk Typhoon operations.
Figure 6. Ranking of the top industries by unique alert counts for all alerts, Muddled Libra and Silk Typhoon.
As stated above, the high technology industry is in first place across both threat actor group findings, as well as the top ranking industry when looking at all cloud alerts by industry.
However, the remaining industry ranks do not mirror the same results. Looking at the wholesale retail industry illustrates a key finding. This industry is the second highest for Muddled Libra alerting events and third highest for Silk Typhoon, but is 14th on the industry list for all alerts.
This indicates that the fingerprinting analysis on these alerting operations does not reflect the same pattern as the general noise of all alerting trends. It appears that the distinct operations performed by the threat actors against the industries they target carry their own unique trends.
Conclusion
Our analysis confirms the capacity to leverage the alerts triggered as a fingerprint detection pattern for the malicious techniques used by Muddled Libra and Silk Typhoon. This distinct detection capacity offers a new pathway for organizations to implement predictive and proactive cloud defense strategies.
Our research successfully differentiated the MITRE tactic and technique operations used by Muddled Libra, notably the aviation industry’s 25% increase in the number of unique alerts compared to the previous month, from those used by Silk Typhoon, notably the higher-than-average number of daily alerts within the Federal and State Government industry.
By identifying the alert patterns that each threat actor’s techniques have on the alerting events within cloud environments, threat researchers can identify the threat actors most likely to target certain industries using specific techniques. This can then help defenders to proactively prepare defenses against those types of threats. Through the analysis of threats based on the types of attack techniques they leverage, organizations can create a defense methodology built specifically for their industry vertical.
Proper implementation of these defense controls can be effective in defending against targeted threat actor scenarios through the creation of tailored defensive alerting. Additionally, these controls can provide the capability to detect early warning scenarios and techniques, such as initial access operations, enabling prevention operations to block malicious cloud operations before they escalate to execution, impact or exfiltration.
Palo Alto Networks customers are better protected from the threats discussed above through the following products:
Cortex Cloud customers can help secure and protect their cloud environments through compliance guardrails, application security monitoring and prevention techniques and through the proper placement of Cortex Cloud XDR endpoint agent and serverless agents within a cloud environment. Cortex Cloud is designed to identify cloud events witnessed on cloud platforms, to protect cloud posture and runtime operations. By associating events with MITRE tactics and techniques, Cortex Cloud helps detect and prevent the malicious operations, configuration alterations and exploitations discussed within this article.
Organizations can gain help assessing cloud security posture through the Unit 42 Cloud Security Assessment.
If you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:
North America: Toll Free: +1 (866) 486-4842 (866.4.UNIT42)
UK: +44.20.3743.3660
Europe and Middle East: +31.20.299.3130
Asia: +65.6983.8730
Japan: +81.50.1790.0200
Australia: +61.2.4062.7950
India: 000 800 050 45107
Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.
A trader works as the Dow Jones Industrial Average surpasses the 50,000 mark on the floor at the New York Stock Exchange (NYSE) in New York City, U.S., Feb. 6, 2026.
Brendan McDermid | Reuters
Stocks surged on Friday as technology stocks recovered following several days of heavy selling in the sector and bitcoin rebounded following a rout that took the popular cryptocurrency down more than 50% at one point.
The Dow Jones Industrial Average advanced 1,206.95 points, or 2.47%, closing at 50,115.67. Friday marked the first time the Dow exceeded the 50,000 level. The S&P 500 jumped 1.97% and ended at 6,932.30, while the Nasdaq Composite advanced 2.18% to 23,031.21. With those moves, the S&P 500 climbed back into the green for 2026.
Even with Friday’s pop, the S&P 500 posted a 0.1% decline for the week, while the Nasdaq fell 1.8% on the week. The 30-stock Dow rose 2.5% week to date, benefiting from some rotation into some economically cyclical stocks even as the overall market was weighed down by tech selling.
Nvidia and Broadcom were two of the key winners Friday, with the former increasing by nearly 8% and the latter growing 7% following big declines earlier in the week. Other stocks such as Oracle and Palantir Technologies also bounced back as investors reconsidered some of the names at cheaper levels. Oracle and Palantir each rose 4%. Some key software stocks like ServiceNow — which has been the epicenter of the tech sell-off because of an artificial intelligence disruption fear of software — remained weak on Friday, however.
“We’re in a gold rush right now with AI,” said Falcon Wealth Planning founder Gabriel Shahin.
“You have the investment that Google is making, Nvidia is making, that Meta is making, that Amazon is making. There is money that will be deployed,” he also said. “It’s just the carousel [of money movement] sometimes scares people.”
Shahin believes the market is in the midst of a “great recalibration,” where investors are going to move further out of growth stocks and into value. Over the coming months, his bet is on large-cap value names. That played out Friday, with investors buying up shares in areas such as industrials and financials. In those sectors, Caterpillar and Goldman Sachs were standouts, supporting the Dow’s outperformance with their rise of 7% and 4%, respectively. Small-cap stocks also saw a boost, with the Russell 2000 index rallying 3.6%.
Bitcoin recouped some losses Friday, adding 10% and touching a session high of $71,458.01 after briefly sinking below $61,000 overnight to its lowest level since October 2024 — more than 52% off from its record high of $126,000 hit in early October 2025. Friday’s move higher helped ease some of the risk-off concerns among investors that recently plagued the broader market. The cryptocurrency has lost 16% this week, however.
The week was bleak heading into Friday, with the S&P 500 on pace for its worst week since last October and the Nasdaq Composite on track for its worst week since the tariff-related market plunge of last April. Friday’s pop pared those declines significantly.
Amazon was an outlier Friday, as shares sank more than 5% after the e-commerce giant posted earnings per share slightly under analyst expectations and told investors to expect $200 billion in capital expenditures this year.
Albert Bourla, chairman and CEO of Pfizer, speaks at The Wall Street Journal’s Future of Everything Festival in New York City, U.S., May 22, 2024.
Andrew Kelly | Reuters
A version of this article first appeared in CNBC’s Healthy Returns newsletter, which brings the latest health-care news straight to your inbox. Subscribe here to receive future editions.
Pfizer made one thing clear this week: It’s officially back in the obesity race.
The drugmaker is laser-focused on bringing to market treatments from its $10 billion acquisition of the obesity biotech Metsera. On Tuesday, it released promising phase two trial data on one injection, called PF′3944, that’s furthest along in development.
The experimental drug drove solid weight loss when taken once a month in a mid-stage trial – offering early evidence that the injection can be administered less frequently than existing drugs without sacrificing efficacy. That could be a boon to Pfizer after it faced several setbacks in trying to win a slice of a market dominated by weekly injections from Eli Lilly and Novo Nordisk, along with Novo’s new daily pill.
Patients with obesity or who are overweight lost up to 12.3% of their weight compared with placebo at week 28 in the ongoing phase two study. The company said no plateau was observed after patients transitioned to monthly dosing, which suggests that continued weight loss is expected as the study continues through week 64.
But investors are still looking for the full data from that trial, which is slated to be presented at a medical conference in June. Pfizer also plans to start 10 phase three studies on the injection, with the goal of achieving the first of several potential approvals in 2028.
I talked to Pfizer CEO Albert Bourla and other top execs about the data this week and the company’s broader obesity strategy. Here’s what they had to say.
A potential “best-in-class” product
Bourla told CNBC that the data shows the monthly product has a “very competitive profile in tolerability and efficacy.”
Pfizer plans to use a higher dose of the drug in phase three trials, and Bourla said it will produce efficacy and tolerability data that is “maybe best in class, so better than anything else,” while being taken less frequently. The company’s modeling predicts that the higher dose could result in 16% weight loss at week 28.
In the phase two trial, patients started on weekly injections of the drug for 12 weeks before switching to once-monthly dosing.
Pfizer also plans to study people who are taking existing weekly GLP-1s and give them the option to switch to the company’s monthly shot, said Dr. Jim List, Pfizer’s chief internal medicine officer.
List said that’s one of the selling points of the company’s injection: it can serve as a more convenient maintenance treatment for patients to switch to.
“If you say, listen, I can give you one of these drugs. This one, you’ll take once a week for the rest of your life. But this other one, you’ll take once a week, and you could also switch it to once a month. Which one do you want?” List said. “It’s always going to be the one with more options.”
He added that “weekly doesn’t work for everybody,” since some patients need to travel and can’t keep their injections refrigerated.
Bourla said people who have been taking weekly injections are also more likely to switch to another shot rather than an oral option.
“The oral will be for people, but they didn’t start with the needle,” he said. “So as a result, I think the monthly or longer products will probably become a standard, and we are the first and hopefully the best.”
Combination regimens
A key part of Pfizer’s strategy for the PF′3944 injection is to combine it with another drug targeting a gut hormone called amylin, List said.
“We’re expecting to get even more weight loss with that combination than we get with this GLP-1 alone,” he said.
Amylin is a hormone co-secreted with insulin in the pancreas to suppress appetite and reduce food intake. Amylin treatments have a similar effect to GLP-1s like Lilly’s Zepbound and Mounjaro, but some analysts and researchers say they could be easier for patients to tolerate and help them preserve lean muscle mass.
Pfizer on Tuesday said early data showed that the two drugs together caused an additive weight loss of 5% when compared to placebo at day 8. Amylin alone also showed weight loss of 8.4% at day 36.
Both drugs are ultra-long-acting, meaning they are engineered to remain active in the body for longer than existing treatments like Novo’s Wegovy and can be taken once a month.
Pfizer plans to share more data on the amylin drug during the medical conference in June. List said the company is advancing the product into phase two trials in the first half of this year.
Quarterly dose GLP-1 injection
Pfizer on Tuesday also teased a potential GLP-1 injection that is dosed quarterly – once every three months – rather than monthly or weekly.
List said the injection will be “ultra-ultra-long-acting,” so Pfizer will be finding a way for the drug to have “slower degradation in the human body so that it can certainly last longer” than PF′3944.
Chief Scientific Officer Chris Boshoff told CNBC that the vast majority of patients will prefer an injection, and “obviously, being monthly will be preferable over weekly, and likely three-monthly maybe better than monthly.”
But List said it’s still early days for that drug.
Earn‑outs are a familiar tool in M&A transactions, often helping bridge valuation gaps by tying part of the purchase price to the future performance of the business. But they also generate some of the most common post‑closing disputes, especially around whether certain buyer actions trigger early payment of the remaining earn‑out.
The Ontario Superior Court of Justice’s 2025 decision and the Court of Appeal’s 2025 confirmation in Project Freeway Inc. v. ABC Technologies Inc. provide practical guidance on how courts may interpret earn‑out acceleration clauses and the extent to which pre‑closing documents, such as letters of intent (LOIs), can influence that interpretation. See our summary of the case and its key takeaways below.
The dispute
Project Freeway Inc. sold its business to ABC Technologies Inc. under a share purchase agreement (SPA) that included a potential US$26.4 million earn‑out and an acceleration clause requiring immediate payment of any remaining earn‑out if ABC sold a “material portion” of the business’s assets to a non‑affiliate without the seller’s consent. Project Freeway and ABC had, prior to entering into the SPA, entered into a non-binding LOI in respect of the transaction.
After closing, ABC completed two transactions without Project Freeway’s consent: (a) a sale‑leaseback of major operating real estate, and (b) an accounts receivable factoring arrangement. Project Freeway asserted that each transaction triggered automatic acceleration. The trial judge disagreed with Project Freeway, and the Court of Appeal affirmed the trial judge’s decision.
What the court decided
The key issue was the interpretation of “a material portion” of the assets. The courts found the phrase ambiguous and applied a contextual and purpose-based approach, focusing on the economic function of the earn‑out rather than a formal, size‑only trigger.
Because the earn‑out was calculated using contribution‑margin metrics, the courts examined whether the post‑closing transactions impaired the business’s ability to meet those targets. They concluded the transactions did not harm the earn‑out regime, and therefore, acceleration was not engaged in the absence of actual economic prejudice to the seller.
Why the LOI still mattered
Although the SPA contained an entire agreement clause, the court considered the LOI and other surrounding circumstances in interpreting the ambiguous term “material,” serving as a reminder that early deal documents can inform the meaning of later provisions in definitive contracts, particularly where the drafting of definitive contracts is ambiguous.
What this means for M&A transactions
Earn‑outs are grounded in economic purpose, not formal triggers; acceleration should not be expected as a windfall.
Vague terms like “material” invite disputes. Courts may interpret “material” in earn‑out provisions by reference to economic impact on the earn‑out, not simply quantitative thresholds. If the parties intend size alone to govern, that intention must be explicit.
Early deal documents influence later interpretation despite standard “entire agreement” clauses. Any intention to deviate from those early documents should be made clear in the SPA.
Contracts, both preliminary and final, should be drafted precisely. If specific events (such as sale‑leasebacks and receivables factoring) are meant to trigger the earn-out, this should be expressly stated.
Final thoughts
The Project Freeway decisions underscore that earn‑outs function best when the parties share a clear understanding of their economic purpose and draft the mechanics with precision. In practice, this calls for alignment between preliminary documents (such as letters of intent or term sheets) and the definitive agreement, and where the parties intend to deviate from those preliminary documents, an express indication of that departure in the definitive agreement.
Thoughtful drafting at each stage of the negotiation process remains the most effective way to avoid disputes and preserve the intended economic balance of the deal. The NRF team is available to assist you in this regard.