Cybercriminals are no longer lone hackers exploiting flashy zero-days; they are running streamlined, profit-driven operations that mirror legitimate businesses. That’s the key takeaway from the newly released Huntress 2026 Cyber Threat Report, which exposes how organised cybercrime groups are standardising their playbooks to maximise efficiency and revenue. Drawing on telemetry from more than 4.6 million endpoints and 9.4 million identities, Huntress’ year-long analysis paints a picture of an underground economy that is industrialised, competitive, and increasingly reliant on trusted tools and human behaviour rather than complex exploits
RMM Abuse Surges 277% as Criminals Weaponise Legitimate Tools
One of the report’s most striking findings is the explosive growth in abuse of remote monitoring and management (RMM) tools. According to Huntress, RMM abuse surged 277% year-over-year, accounting for nearly a quarter (24%) of all observed incidents. Rather than relying on traditional hacking tools, attackers are building entire playbooks around legitimate administrative software to drop malware, steal credentials, and execute commands; activity that often blends seamlessly into expected IT workflows. At the same time, the use of conventional hacking tools declined sharply, with traditional tools dropping 53%, remote access trojans down 20%, and malicious scripts down 11.7%, underscoring a broader shift towards quieter, more scalable attack chains.
ClickFix Dominates Malware Loader Activity
Social engineering also took centre stage in 2025. ClickFix emerged as the single most dominant malware loader, responsible for over 53% of all loader activity. By masquerading as routine actions, such as solving a CAPTCHA, ClickFix tricks users into unknowingly installing infostealers, ransomware or remote access tools. The tactic reflects a broader trend identified in the report: abusing user trust is proving more effective than exploiting vulnerabilities.
Identity Attacks and MFA Bypass on the Rise
Identity has become the new battleground. Huntress found that 37.2% of identity-based attacks stemmed from access policy and trust boundary violations, often involving suspicious login attempts from malicious infrastructure or unauthorised VPNs. Adversary-in-the-middle (AiTM) attacks, which can bypass multi-factor authentication (MFA), accounted for 18.9% of identity-based threats. Meanwhile, mailbox manipulation and OAuth abuse, key precursors to business email compromise (BEC), made up 19% and 10.1% of identity-based attacks, respectively. The report also highlights how Microsoft 365 environments remained firmly in attackers’ crosshairs, with over 35% of identity threats linked to suspicious logins from risky locations or networks.
Ransomware: Fewer Techniques, Greater Efficiency
While law enforcement disruption efforts have intensified, ransomware remains a ruthless and evolving threat. Four major groups, Akira, Medusa, Qilin and Ransomhub, were responsible for over 51% of all ransomware incidents observed by Huntress. Rather than innovating, these groups are refining proven attack chains. The variety of tactics, techniques and procedures (TTPs) has declined, suggesting a move toward standardised, repeatable operations.
The average “time-to-ransom” (TTR) increased from 17 hours to 20 hours, as attackers prioritised stealth, data theft and extortion over rapid encryption. Notably, Akira – the top ransomware group – recorded a TTR of just 6.58 hours and was linked to 22% of all ransomware incidents.
Phishing Evolves: Manufacturing Targeted
Phishing tactics also shifted. More than 57% of phishing attacks used malicious PDF attachments, while attacks targeting the manufacturing sector surged 88% year-over-year. The report further warns of AI-powered tradecraft, including deepfake impersonation, fake job interviews and manipulation of shared AI chat tools to trick users into executing malicious commands.
“Cybercrime Is Running Like a Business”
“Cybercriminals have evolved into highly efficient operators, running their campaigns like well-oiled businesses,” said Greg Linares, Principal Threat Intelligence Analyst at Huntress. He added that attackers are doubling down on simple, effective and scalable techniques, abusing trusted tools and compromised identities to maximise impact while minimising effort, a trend expected to accelerate as AI lowers the barrier to entry.
Preparing for 2026
The overarching message of the report is clear: defenders must adapt to a threat landscape in which legitimate tools, trusted identities, and everyday workflows are weaponised. Huntress advises organisations to prioritise identity protection, closely monitor abuse of trusted processes such as RMM tools, and strengthen employee awareness to disrupt attacker tradecraft early. As cybercrime continues to mature into a globalised, supply-chain-driven ecosystem, businesses in 2026 will need to assume that attackers are not just hacking – they are operating.




