Hello! So, I just went through the latest cyber threat overview, and there’s really a lot of interesting stuff. It turns out that by 2026, we’re not just expecting more sophisticated attacks, but a complete overhaul of how cybercriminals operate. I’d like to share the main trends to keep in mind.
First, the line between mass and targeted cyberattacks has almost disappeared. It used to be simple: mass malware or phishing campaigns against thousands of people, while targeted attacks required serious reconnaissance and resources. Now? Automation, accessible AI models, and the commercialization of criminal infrastructure have enabled attackers to use advanced techniques even in mass campaigns. Phishing is becoming more convincing and realistic, with government agencies, industry, and IT companies as the main targets.
I’d also like to highlight trust as an attack vector. In a supply chain attack, an attacker injects malicious code into software that the victim then downloads. According to Cyble, in October 2025, the number of such supply chain attacks on software exceeded the previous record by 30%. But that’s not all. Companies are also being compromised through partners, contractors, and suppliers. Instead of directly attacking a protected company, criminals go through the “back door” — hacking someone who already has access. In six months, this vector was used in 28% of cyberattacks, a 15% increase.
Shadow AI is what really concerns me. In the first three months of 2025, platform usage of genAI grew by 50%, and more than half of that is shadow AI — meaning employees are using tools without IT department approval. Confidential information can easily leak into public services. Meanwhile, 63% of organizations do not assess the security of AI tools before deployment, and 86% of companies have faced AI-related security incidents in the past 12 months. Plus, 45% of code generated by neural networks contains vulnerabilities.
Ransomware operators are evolving. Double extortion — where data is first exfiltrated, then encrypted — remains the dominant tactic, used in 87% of cases. But triple and even quadruple extortion are emerging. An interesting tactic from the SecP0 group is demanding ransom not for encrypted data but for hidden vulnerabilities. Ransomware operators even offer legal consulting to their partners to pressure victims more effectively. Operators like Anubis have added wiper functionality to force victims to pay faster.
AI in attack services isn’t just about “vibe coding.” Large Language Models (LLMs) are used to create malware — although results are often immature and need refinement — generate scripts, and mask malware. But the most interesting part is malware that uses LLMs themselves. ESET’s PromptLock program uses a local GPT model to generate malicious Lua scripts in real time. It works on Windows, Linux, and macOS. Other examples include LameHug, which used LLMs to generate system shell commands.
Operating systems: Windows is no longer the sole king of cyber threats. Yes, in 2022, it accounted for 86% of incidents, but by 2025, that dropped to 84%. Meanwhile, macOS has gained attention — threats increased by 400% from 2023 to 2024. Linux is also trending, especially after the mass migration to Linux-based infrastructures. APT groups are already adapting Windows tools for other platforms. LockBit 5.0 targets Windows, Linux, and ESXi. There’s also growing concern about hypervisors like VMware ESXi — compromising one hypervisor could mean affecting all virtual machines.
Transformers viruses — hybrid malware that combines features of multiple types of malicious software — are a convenient tool for criminals: centralized C&C, adaptability to different environments, scalability. Usually based on RATs, they allow persistent access.
AV/EDR killers have become a staple. Popular technique: BYOVD — “Bring Your Own Vulnerable Driver” — where attackers install legitimate but vulnerable drivers, exploit known bugs to escalate privileges, and disable antivirus or EDR. On dark web forums, such tools are sold for around $1,500 per build for a single antivirus.
Phishing as a Service (PhaaS) is actively developing. New platforms like VoidProxy, Salty2FA, Whisper 2FA lower the entry barrier for less skilled criminals. Subscriptions cost about $250. These platforms include MFA bypass — Tycoon 2FA was used in 76% of PhaaS attacks — phishing templates, site cloning tools, CAPTCHA bypass, and anti-protection methods. For example, Darcula added generative AI support to adapt forms to language and region. Gabagool split a malicious QR code into two parts to bypass filters.
Deepfakes and deepvoices are truly alarming. According to Gartner, 62% of organizations experienced deepfake attacks in the past year. In Q1 2025 alone, there were 179 cases — a 19% increase over all of 2024. In Russia, deepfake incidents increased by a third since early 2025. Interestingly, the T1123 “Audio Capture” technique ranked first in usage — previously it wasn’t even in the top 10. Incidents involved Zoom video conferences with deepfaked top executives and voice messages from officials. Creating deepfakes is easy — deepfake as a service (DaaS) costs from $50 per video and $30 per voice.
AI as an amplifier of social engineering — that’s another story. Gartner reports that AI deployment reduces attack costs by over 95%. Hoxhunt found that AI agents created more effective phishing emails than top-tier red team specialists — 24% more effective in March 2025. Microsoft notes: normal emails are opened by 12% of recipients, AI-generated ones by 54%. AI can generate realistic content, automate campaigns en masse — IBM’s neural network created emails in 5 minutes with 5 prompts, while humans took 16 hours — produce deepfakes, personalize for specific victims. On dark web forums, SpamGPT is sold — a mass mailing service that bypasses spam filters and guarantees delivery to Outlook, Yahoo, Office 365, Gmail.
Voice phishing (Vishing) is gaining popularity. Its share increased by 2 percentage points in 2025. ShinyHunters organized a series of attacks on major companies (Adidas, Allianz Life, LVMH, Qantas) via vishing on Salesforce. The reason for its popularity: remote work — in the US, 52% of staff work hybrid, up from 32% in January 2019 — and the fact that employees often communicate with people they don’t know personally.
SVG files — an unexpected trend. In 2024, they were used in less than 1% of attacks, but by December 2025, nearly 5%. To users, they look like images, but SVGs are written in XML and can contain HTML and JavaScript. Microsoft detected a phishing campaign where a malicious attachment mimicked a PDF but was actually an SVG file with JavaScript code.
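Because an SVG is XML, the markers that turn an "image" into an active document are visible to a plain parser: `<script>` and `<foreignObject>` elements, `on*` event attributes, and `javascript:` links. The following mail-gateway style check, added here as an illustration and not taken from any vendor product, flags those markers and also the name/content mismatch the Microsoft campaign relied on (a file named like a PDF whose bytes are an SVG). The sample attachments are constructed for the example.

```python
import re
import xml.etree.ElementTree as ET

# Elements that let an SVG carry executable code or embedded HTML.
ACTIVE_TAGS = {"script", "foreignobject"}
SVG_MAGIC = re.compile(rb"<svg\b", re.IGNORECASE)

def local_name(qname: str) -> str:
    """Strip the XML namespace: '{http://www.w3.org/2000/svg}script' -> 'script'."""
    return qname.rsplit("}", 1)[-1].lower()

def scan_svg(data: bytes) -> list:
    """Return the findings that make an SVG more than a static picture."""
    findings = []
    if b"<!DOCTYPE" in data or b"<!ENTITY" in data:
        # A DTD is never needed for an image and is the usual entity-expansion vector,
        # so refuse to parse rather than feed it to the stdlib parser.
        return ["dtd/entity declaration"]
    try:
        root = ET.fromstring(data)
    except ET.ParseError:
        return ["malformed xml"]
    for el in root.iter():
        if not isinstance(el.tag, str):      # skip comments / processing instructions
            continue
        tag = local_name(el.tag)
        if tag in ACTIVE_TAGS:
            findings.append(f"<{tag}>")
        for attr, value in el.attrib.items():
            name = local_name(attr)          # also catches xlink:href
            if name.startswith("on"):
                findings.append(f"{name}@{tag}")
            elif name == "href" and value.strip().lower().startswith("javascript:"):
                findings.append(f"javascript-href@{tag}")
    return findings

def classify_attachment(filename: str, data: bytes) -> str:
    """Gateway verdict: 'allow' (not an SVG), 'review' (static SVG) or 'block'."""
    if not SVG_MAGIC.search(data[:4096]):
        return "allow"
    if not filename.lower().endswith(".svg"):
        return "block"   # bytes say SVG, name says something else (e.g. a fake PDF)
    return "block" if scan_svg(data) else "review"

# Constructed samples for the example, not from any real campaign.
BENIGN_SVG = b'<svg xmlns="http://www.w3.org/2000/svg"><circle r="5"/></svg>'
ACTIVE_SVG = (b'<svg xmlns="http://www.w3.org/2000/svg" '
              b'xmlns:xlink="http://www.w3.org/1999/xlink" onload="f()">'
              b'<script>/* constructed sample */</script>'
              b'<a xlink:href="javascript:f()"><text>Open document</text></a></svg>')
```

The regex pre-check deliberately looks at the bytes, not the extension, so a renamed SVG still reaches `scan_svg`.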
ClickFix — a technique where the user initiates infection themselves. According to ESET, in the first half of 2025, the share of ClickFix attacks increased by over 500% compared to the second half of 2024. It involves scenarios with CAPTCHA, instructions, fake updates. High-profile APT groups like MuddyWater, Kimsuky, Lazarus have adopted this. ClickFix has expanded beyond Windows — versions for Linux and macOS have appeared. Later, FileFix (via Explorer) and PromptFix (for AI systems) emerged.
Vulnerabilities are becoming catalysts for mass attacks. In the first half of 2025, over 23,600 vulnerabilities were disclosed — a 16% increase compared to the same period in 2024. The dark web’s vulnerability and exploit market is growing — nearly 30% of listings are for buying exploits, prices range from $1,000 to $20,000, sometimes reaching millions. There was advertising for a PoC exploit for a zero-day JavaScript vulnerability — present on 99% of websites — costing $800,000. Exploit-as-a-Service (EaaS) models enable one-click attacks, lowering the entry threshold. The Earth Minotaur group used the MOONSHINE exploit kit — by 2024, this infrastructure included over 55 servers.
AI-assisted exploit development is a reality. Google’s Big Sleep found a zero-day vulnerability in SQLite before exploitation. GreyNoise used LLMs to detect vulnerabilities in internet cameras. The PwnGPT framework uses LLMs to analyze vulnerabilities, generate exploits, and test concepts. For OpenAI’s o1-preview, the success rate of disclosure increased from 26.3% to 57.9%, and for GPT-4o — from 21.1% to 36.8%. HexStrike AI was developed as a testing tool but was already used within hours of release to exploit vulnerabilities in Citrix NetScaler — reducing exploitation time from days to 10 minutes.
Peripherals are a new front. In H1-2025, vulnerabilities were most often found in Cisco, Citrix, Fortinet, SonicWall, Zyxel solutions. Peripheral devices accounted for 22% of incidents — nearly eight times more than last year. Hacking VPN gateways or firewalls provides direct access to internal networks. Google Mandiant highlighted CVE-2024-3400 in Palo Alto Networks as the most exploited in 2024.
RMM tools are a valuable target. The RMM market was valued at $918.51 million in 2023, projected to reach $1,548.94 million by 2030 with a CAGR of 9%. Hacking RMM isn’t just about compromising one node — it’s about gaining access to entire infrastructures. Microsoft Defender Experts observed zero-day exploits in BeyondTrust Remote Support, and other RMM solutions.
Initial Access Brokers (IABs) are a separate segment of the dark market. Over two years (Q1 2023 – Q1 2025), the number of listings for access sales increased by over 100%. IABs focus on bypassing perimeter defenses via vulnerable services, stolen credentials, and unsecured remote access. Most access is based on data from info stealers. After gaining access, they establish persistence through hidden admin accounts or web shells. The average price for access is $500–$3,000, with full domain control often costing over $10,000. This approach benefits everyone: RaaS operators can focus on development, while IABs earn steady income with minimal risk of detection.
That’s the threat landscape for 2026. The main takeaway is that organizations must understand that cyber threats are evolving faster than ever, and investing in strengthening IT infrastructure, employee training, and vulnerability management is not optional — it’s essential.