Eskenzi PR ad banner Eskenzi PR ad banner
  • About Us
Monday, 6 July, 2026
IT Security Guru
Eskenzi PR banner
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us
No Result
View All Result
IT Security Guru
No Result
View All Result

Cybercrime Goes Corporate: Huntress Report Reveals Rise of Scalable, Stealth-First Attacks

by Guru Writer
February 18, 2026
in Featured
SAS joins fight against cybercrime as NCRCG National Ambassador
Share on FacebookShare on Twitter

Cybercriminals are no longer lone hackers exploiting flashy zero-days; they are running streamlined, profit-driven operations that mirror legitimate businesses. That’s the key takeaway from the newly released Huntress 2026 Cyber Threat Report, which exposes how organised cybercrime groups are standardising their playbooks to maximise efficiency and revenue. Drawing on telemetry from more than 4.6 million endpoints and 9.4 million identities, Huntress’ year-long analysis paints a picture of an underground economy that is industrialised, competitive, and increasingly reliant on trusted tools and human behaviour rather than complex exploits

RMM Abuse Surges 277% as Criminals Weaponise Legitimate Tools

One of the report’s most striking findings is the explosive growth in abuse of remote monitoring and management (RMM) tools. According to Huntress, RMM abuse surged 277% year-over-year, accounting for nearly a quarter (24%) of all observed incidents. Rather than relying on traditional hacking tools, attackers are building entire playbooks around legitimate administrative software to drop malware, steal credentials, and execute commands; activity that often blends seamlessly into expected IT workflows. At the same time, the use of conventional hacking tools declined sharply, with traditional tools dropping 53%, remote access trojans down 20%, and malicious scripts down 11.7%, underscoring a broader shift towards quieter, more scalable attack chains.

ClickFix Dominates Malware Loader Activity

Social engineering also took centre stage in 2025. ClickFix emerged as the single most dominant malware loader, responsible for over 53% of all loader activity. By masquerading as routine actions, such as solving a CAPTCHA, ClickFix tricks users into unknowingly installing infostealers, ransomware or remote access tools. The tactic reflects a broader trend identified in the report: abusing user trust is proving more effective than exploiting vulnerabilities.

Identity Attacks and MFA Bypass on the Rise

Identity has become the new battleground. Huntress found that 37.2% of identity-based attacks stemmed from access policy and trust boundary violations, often involving suspicious login attempts from malicious infrastructure or unauthorised VPNs. Adversary-in-the-middle (AiTM) attacks, which can bypass multi-factor authentication (MFA), accounted for 18.9% of identity-based threats. Meanwhile, mailbox manipulation and OAuth abuse, key precursors to business email compromise (BEC), made up 19% and 10.1% of identity-based attacks, respectively. The report also highlights how Microsoft 365 environments remained firmly in attackers’ crosshairs, with over 35% of identity threats linked to suspicious logins from risky locations or networks.

Ransomware: Fewer Techniques, Greater Efficiency

While law enforcement disruption efforts have intensified, ransomware remains a ruthless and evolving threat. Four major groups, Akira, Medusa, Qilin and Ransomhub, were responsible for over 51% of all ransomware incidents observed by Huntress. Rather than innovating, these groups are refining proven attack chains. The variety of tactics, techniques and procedures (TTPs) has declined, suggesting a move toward standardised, repeatable operations.

The average “time-to-ransom” (TTR) increased from 17 hours to 20 hours, as attackers prioritised stealth, data theft and extortion over rapid encryption. Notably, Akira – the top ransomware group – recorded a TTR of just 6.58 hours and was linked to 22% of all ransomware incidents.

Phishing Evolves: Manufacturing Targeted

Phishing tactics also shifted. More than 57% of phishing attacks used malicious PDF attachments, while attacks targeting the manufacturing sector surged 88% year-over-year. The report further warns of AI-powered tradecraft, including deepfake impersonation, fake job interviews and manipulation of shared AI chat tools to trick users into executing malicious commands.

“Cybercrime Is Running Like a Business”

“Cybercriminals have evolved into highly efficient operators, running their campaigns like well-oiled businesses,” said Greg Linares, Principal Threat Intelligence Analyst at Huntress. He added that attackers are doubling down on simple, effective and scalable techniques, abusing trusted tools and compromised identities to maximise impact while minimising effort, a trend expected to accelerate as AI lowers the barrier to entry.

Preparing for 2026

The overarching message of the report is clear: defenders must adapt to a threat landscape in which legitimate tools, trusted identities, and everyday workflows are weaponised. Huntress advises organisations to prioritise identity protection, closely monitor abuse of trusted processes such as RMM tools, and strengthen employee awareness to disrupt attacker tradecraft early. As cybercrime continues to mature into a globalised, supply-chain-driven ecosystem, businesses in 2026 will need to assume that attackers are not just hacking – they are operating.

ShareTweet
Previous Post

Next Gen Spotlights: Trailblazing A Mindful, People-First Approach to Cyber – Q&A with Cyber Innovations Ltd.

Next Post

Forescout research points to record number of ICS vulnerabilities in 2025

Recent News

pentesting

Pentesting is dead. Long live pentesting.

July 3, 2026
AI Appreciation Day: Celebrating Progress, Embracing Responsibility

The industries being reimagined by AI

July 2, 2026
geopolitical cyber report

Iran-linked MuddyWater espionage campaign targets organisations across four continents

July 1, 2026
Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

Check Point Brings Cloud Firewall to AWS European Sovereign Cloud

July 1, 2026

The IT Security Guru offers a daily news digest of all the best breaking IT security news stories first thing in the morning! Rather than you having to trawl through all the news feeds to find out what’s cooking, you can quickly get everything you need from this site!

Our Address: 10 London Mews, London, W2 1HY

Follow Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol

  • About Us
Manage Consent
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
  • Manage options
  • Manage services
  • Manage {vendor_count} vendors
  • Read more about these purposes
View preferences
  • {title}
  • {title}
  • {title}
No Result
View All Result
  • Home
  • Features
  • Insight
  • Channel News
  • Events
    • Most Inspiring Women in Cyber 2026
  • Topics
    • Cloud Security
    • Cyber Crime
    • Cyber Warfare
    • Data Protection
    • DDoS
    • Hacking
    • Malware, Phishing and Ransomware
    • Mobile Security
    • Network Security
    • Regulation
    • Skills Gap
    • The Internet of Things
    • Threat Detection
    • AI and Machine Learning
    • Industrial Internet of Things
  • Multimedia
  • Product Reviews
  • About Us

© 2015 - 2024 IT Security Guru - Website Managed by Dessol