Prevalent Threats in the 2026

When people think of hackers and cybersecurity threats, their minds go to foreign state actors. Although those are the most serious type of situations, they aren't the most popular. It's important to know what situations you face so you can reduce their security risks.

Prevalent Threats in the 2026

Prevalent Cybersecurity Threats in the Great Year of 2026


When people think of hackers and cybersecurity threats, their minds go to foreign state actors. Although those are the most serious type of situations, they aren't the most popular. It's important to know what situations you face so you can reduce their security risks. You must understand that if the number of vulnerabilities exploited increases, it is our responsibility to ensure that remediation is keeping pace.


The term "threat intelligence" is ambiguous but is coined with the term "IoC" (Indicator of Compromise). Websites take incredibly large datasets of IoCs and present them to the world. These IoC datasets contain verifiable evidence of past cybersecurity attacks. IoC datasets are sizeable and include threat-related information. They mostly come in STIX format. STIX is a standardized, machine-readable language used by cybersecurity professionals to describe, store, and exchange cyber threat intelligence.


The causes of these intrusions remain the same; weak configurations, unpatched systems, social engineering, and exposed ports/services continue to account for the majority of them. AI has revolutionized the landscape. It used to be that organizations could use their speed to mitigate a lot of the risks. But automation and AI have compressed the time between the moment of exposure and the moment of impact. We are still able to defend against these threats. All that is implied is that we have to take a more preemptive approach. Preemptive security in computer science is an anticipatory approach that neutralizes and disrupts cyberattacks before they can execute or cause damage. Prioritizing action based on material risk, not alert volume.


The Collapse of the Predictive Window


According to this year's Rapid7 Threat Landscape Report 2026, in 2025, the buffer between disclosure and exploitation narrowed:

  • "Within newly disclosed CVSS 7–10 vulnerabilities, confirmed exploitation increased 105% year over year, rising from 71 in 2024 to 146 in 2025."
  • Median time from publication to CISA KEV inclusion dropped from 8.5 days to 5.0 days, while mean time dropped from 61.0 days to 28.5 days."
  • "The dramatic decline in the number of "high-risk but not yet exploited" vulnerabilities (EPSS ≥ 0.7 without confirmed exploitation) indicates that we are operationalizing high-probability vulnerabilities almost immediately."


These findings indicate that security professionals have less time to react and also an increased number of dormant exploits. The good news is CISA has been doing a wonderful job giving us defenders warnings. Disclosures that were on the top were CWE-79 (Cross-Site Scripting) and CWE-89 (SQL Injection). That has always been the case. The important part is that the structure changed. CWEs such as CWE-119 (Memory Corruption), CWE-98 (Improper Control of Filename), and CWE-3452 (Cross-Site Request Forgery) re-emerged as prominent disclosures. Because it's important to understand that there is a delicate relationship between what is being disclosed and if attackers take advantage of it. We must introduce EPSS (Exploit Prediction Scoring System). This is a data-driven machine-learning model that estimates the probability that a published CVE will be exploited in the wild in the next 30 days. According to Rapid7's report, in 2025, average EPSS scores have declined. To the average-witted person, the model may be found well-received. A lower EPSS score indicates a reduced likelihood of vulnerability exploitation. Pause; remember when we talked about confirmed exploitations having risen 105% year-over-year? That means the probability of an exploit is going down, while realized exploits are going up. This forces CISA to update the KEV list in matter of days, rather than months. So what do you do? Well, the best thing to do is to adopt an exposure management model to ensure an anomalous behavior can be detected quickly.


All of it depends on the context of the situation. If you know where a vulnerability lives and have a system in place to detect its exploitation, then that is as important as knowing the vulnerability itself. Changing the approach from 'what it is' to 'where and when it is.' Access role, network placement, and the speed of anomaly detection determine your exposure.


Another key finding within Rapid7's 2026 Threat Report is that attackers are using known preventable exposure conditions, not breakthrough exploitation techniques.

  • "Valid account / no MFA accounted for 43.9% of all IR incidents in 2025, making it the single most common initial access vector."
  • "Vulnerability exploitation accounted for 24.6% and exposed services for 7.0%."
  • "On underground forums, RDP (21.2%), VPN (12.8%), and RDWeb (11.2%) were the most frequently advertised access types."
  • ""Domain User” privileges were the most commonly sold level of access."


Initial Access Brokers: The Real Marketplace of Cybercrime


Initial access refers to the attacker’s entry point into a victim’s network, system, or environment (Huntress 2025). This is the most important point; without an entry point, the rest of the chained attack fails. Many organizations tend to overlook the initial stage of an attack. Unfortunately for us, most access types observed were sold in underground forums, proving an ecosystem in which access is harvested, packaged, and sold to threat actors. These IABs (Initial Access Brokers) sell packaged access to ransomware and botnet operators. Domain admin access, VPN credentials, RDP, and so much more. These brokers rely on weak configurations and exposed services. So it is critical for one to secure and harden the access points and implement MFA. Ensure a zero trust and least privilege model. Segment your network and implement strict firewall rules. If you want a proactive approach, implement logging to detect early-stage compromises like unusual RDP login attempts. As well as deploy honeypot servers filled with honeyfiles to deceive threat actors.


Rapid7's investigators also observed that the confirmed exploitation clustered around a small number of weakness classes.

  • CWE-502 (Deserialization) was the most common root cause among exploited vulnerabilities.
  • Authentication bypass and memory corruption vulnerabilities remained consistently represented in confirmed exploitation data.
  • Several high-profile ransomware campaigns focused on deserialization flaws and authentication bypasses in file transfer systems, edge appliances, and collaboration platforms.


Modern Loaders and Memory‑Resident Malware


The data shows that North America was the most targeted region, accounting for 82% of the observed incidents. Rapid7 found that the most targeted industries were manufacturing, business services, and retail. The top forms of this malware were Bunny Loader, ClickFix, and trojan tools. In September 2023, Zscaler ThreatLabz noticed a new Malware-as-a-Service threat named "Bunny Loader." BunnyLoader is a trojan sold on the darknet and underground forums to black-hat hackers. This program is then used by attackers to infiltrate a system. It is extremely dangerous and, in 2025, accounted for 45.61% of all incidents involving malware.

How does one combat this rising threat of modern loaders? You would have to take a prevention-first approach. Modern loaders don't use easily detectable .exe files like a normal virus. Instead, they use obfuscated techniques to run directly in memory. Thus, it is important for one to restrict the shell that is to execute those scripts.

For example, configure group policy to open script files in a text editor rather than executing them automatically. Disable PowerShell, WMI, or WScript to only work with essential processes. Block execution of scripts from the temp folder and untrusted locations. Implement EDR and XDR solutions that are able to identify anomalies and correct them. Change execution policy settings within PowerShell. Use DNS to block malicious domains and known C2 servers.


Ransomeware was found by Rapid7 to be the dominant operational outcome. 43% of Rapid7's MDR investigators involved ransomware in 2025.

  • Total ransomware leak posts increased from 6,034 in 2024 to 8,835 in 2025 (a 46.4% year-over-year rise)
  • The number of unique active ransomware groups grew from 102 to 140.
  • Data theft increasingly preceded encryption, reinforcing smash-and-grab extortion models.


Threat actors are learning to use ORB networks, which use stealth and speed instead of the size and volume of traditional botnets. These ORB networks are comprised of compromised edge devices and are used as a private proxy mesh. Sitting between the threat actor and victim, making the malicious traffic look legitimate. Threat actors have in the recent past been targeting supply chains more and more. This year a 2025 supply chain attack targeted a GraphQL Chrome extension. Hijackers took control of the developer's account and pushed scripts into the code that would steal session cookies from innocent users. According to Vectra AI, supply chain attacks have doubled year over year. Detection takes 267 days to identify and contain. And that attackers are targeting more developer environments due to the increased reliance on open source and developer tools.


The supply chain attack lifecycle is usually as follows:

  • Reconnaissance
  • Vendor compromise
  • Payload injection
  • Trusted distribution
  • Lateral movement
  • Data exfiltration


AI as an Accelerator, Not a Novel Threat


Now let's talk a bit about AI and how it was used as an accelerator and not as a novel tool. Adversaries were bolting AI onto known playbooks, proving an increase in speed and precision. Relying less on the skills of operators and more on how to scale a model wider. OpenAI's threat reporting over 2025 proved this pattern. According to OpenAI, models were being used to optimize phishing emails, automate scripts, and develop iterative solutions. The best defense against the rise of use in AI models is to join the adversaries in utilizing AI-augmented workflows; that way, you can match their speed. The use of AI agents is exploding; so is their attack surface. Every day there is a new agent, tool, connector, plugin, MCP server, or pipeline that has defenders struggling to keep up with.


The top 3 ways AI was leveraged are as follows:

  • Social Engineering
  • Ransomeware
  • Shadow AI


As we discussed before, adversaries would take AI and bolt it onto a known attack playbook since AI materially improved the speed and personalization of their phishing attempts. Adversaries have also begun implementing AI into their ransomware operations. Used to accelerate the analysis of the data that was stolen and scale the extortion operations. Finally, we have Shadow AI. Relating to Shadow IT, Shadow AI is the use of generative AI models without the knowledge or approval of your organization's security team. This introduces compliance, security, and data leak issues. It happens when employees adopt GenAI tools on their own. It could be ChatGPT summarizing documents or you using third-party extensions that rely on AI to design, develop, or market.

While AI itself was rarely the direct attack surface, its infrastructure has been targeted frequently since 2025.


According to Rapid7's report, the most impactful vulnerability patterns observed across AI tech stacks were the following:

  • Unsafe deserialization and memory handling in model servers
  • Weak authentication and LLM token exposures
  • Arbitrary file access in AI web interfaces
  • Serialization and injection flaws in agent and orchestration frameworks
  • Supply chain compromise


High-performance inference frameworks were targeted to enable DoS and, in some cases, RCE. "Inference frameworks are software platforms that take a model and execute it against requests from users." — aussiai.com. vLLM is a known inference framework. That was targeted in 2025, resulting in CVE-2025-62164 and CVE-2025-66448. To a normal person, they may be overwhelmed, but to mitigate those risks, just ensure software is updated, restrict API access, and implement strict infrastructure control. Supply chain attacks are the hardest to defend against since they violate trust. Hackers have begun going after the MCP ecosystem. MCP servers are becoming the standard to increase context and tooling. Hackers use inject malicious instructions into a public tool's metadata, and then the AI reads the description and treats it as instructions. Finally, frameworks that are designed to introduce chained actions import an inherent risk of injection. Especially since untrusted data is converted into an object or code, the agent deserializes the data generated by that LLM without validation, leading to RCE.


RaaS and the Industrialization of Cybercrime


We spoke a bit about ransomware but didn't cover the details of its effects last year. Top-level trends observed by Rapid7 show that there has been a continued industrialization and maturation of the cybercrime ecosystem. This trend continues to soar as RaaS (Ransomware-as-a-Service). Credit card data remains highly sought after. A credit card with its CVV typically sells for $10-$40, though cards with higher limits fetch over $100.


But a new phenomenon is taking shape. Law enforcement observed threat actors like H2 dial down the heat by removing URLs and other identifiers from their data leak teasing. While other groups were using splashy attacks to gain visibility. Groups like H₂ know that visibility leaks attract attention; lower noise = lower risk. But other groups understand power in branding. In the RaaS market, if you have more visibility, you will have increased reputation and affiliates. Each group chooses a strategy based on their interests and goals. RaaS dominated and will most likely stay dominant because it's easily scalable, low-risk, and most profitable. Especially if you use double extortion, which is "encrypt + steal + leak." The only threat group to avoid this model was SafePay. They ran a self-contained operation.


Unusual, but still shows that a non-RaaS group can still succeed. Staying out of ransomware's optics in 2026.

  • Social engineering is still the popular choice for major ransomware threat actors, locking down the help desk with increased alertness to high-risk password changes.
  • Configure strict MFA controls for critical systems, remote access points, and privileged accounts.
  • Spam filtering will help reduce ransomware attacks that are accompanied by social engineering. Implement user awareness training.
  • Network edge devices were found to be the initial access point for many types of threat actors, so securing these devices with continuous patch management is essential.
  • Configuring the right backup recovery options shorten recovery time, best use case are offline, immutable, and versioned backups.


Nation‑State Pre‑Positioning: The Strategic Doctrine


Nation-state actors have shifted their tactics recently. Usually nation-state actors like China and Russia love spying on critical infrastructure. Their tactics have changed a bit; they are now practicing something called 'pre-positioning.' Pre-positioning is the act of embedding yourself into IT and OT infrastructure to prepare for a cyberattack or sabotage.


There are a couple of ways this works; first, we have a technique called Living-off-the-Land (LotL). This is when attackers avoid running custom malware and just use legitimate tools and commands available to them, blending their activities with authorized administrators. Second, we have Botnet Co-opting, where threat actors route their command traffic through compromised IoTs and/or routers. These two are primary methods, but there are many other advanced mechanics of pre-positioning.


The motive isn't for a single event that gives access. But rather, a continuous chain of mechanics working together.

  • Entry
  • Concealment
  • Exploration
  • Expansion
  • Longevity


Rapid7's 2026 report also found that embedded access, not perimeter breach, is what defines strategic risk. I say this because there are two types of operations, financially motivated and state/politically motivated. Across both of these motivations, the same control surfaces were attacked. All embedded access that includes things like

  • Telecommunications and network-edge infrastructure
  • Cloud identity and device-code authentication flows
  • Collaboration platforms abused as command-and-control channels
  • SaaS APIs and trusted third-party integrations


The Volt Typhoon is a state-sponsored actor from China that utilizes this doctrine. According to John Bruce (iiss.org), he believes that Volt Typhoon has effectively redrawn the boundary for acceptable state behavior in the cybersecurity space. As Bruce notes, "The revelation (referring specifically to Volt Typhoon’s pre‑positioning scheme) also places additional pressure on the West to develop strategies for anticipating and mitigating Volt Typhoon’s tradecraft while, at the same time, reassuring the international community that existing international law and the eleven voluntary norms offer a robust mechanism for regulating state behavior in cyberspace."

Emerging cyber risk used to be shaped by isolated crises, single events that occurred, resulting in catastrophes that bad actors would take advantage of. For example, NotPetya in 2017 was triggered by the Russia-Ukraine conflict. It targeted Ukranian companies and government systems. But today, cyber risk is no longer driven by those one-offs. Instead, global instability has caused conflicts to spill into cyberspace, having threat actors pursue long-term destructive positioning rather than isolated attacks.


Conclusion


At the beginning of our blog post, we talked about how our ability to defend ourselves from cyber threat actors before 2025 was defined by the speed of response. Now, the defender's operational capabilities are at the mercy of the speed of any given exploitation. The window between disclosure and confirmed exploitation, the "predictive window," collapsed. High vulnerabilities, once detected, are operationalized immediately, a trend shown by the 105% increase in confirmed CVSS 7-10 year over year. This acceleration was enabled by the adoption of AI and the industrialization of the cybercrime ecosystem. To effectively manage your cyber risk in 2026, organizations must shift towards preemptive security. Specifically those who will be able to apply AI-augmented workflows to match the adversary's speed.



Source List:

https://www.iiss.org/online-analysis/cyber-power-matrix/2026/01/volt-typhoons-long-shadow/

https://thehackernews.com/2025/07/critical-vulnerability-in-anthropics.html

https://www.aussieai.com/research/inference-frameworks

https://www.paloaltonetworks.com/cyberpedia/what-is-shadow-ai

https://www.vectra.ai/topics/supply-chain-attack

https://cloud.google.com/blog/topics/threat-intelligence/china-nexus-espionage-orb-networks

https://www.zscaler.com/blogs/security-research/bunnyloader-newest-malware-service

https://www.huntress.com/cybersecurity-101/topic/what-is-initial-access-cybersecurity-threats

https://www.first.org/epss/

https://attack.mitre.org/tactics/TA0108/

[rapid7-threat-landscape-report-2026.pdf]