Securonix Threat Labs - Spring 2026 Intelligence Insights
Executive summary
Attackers moved quickly in Q1 2026. They exploited exposed systems faster, leaned harder on trusted platforms, changed malware delivery paths more often, and ran ransomware operations more like full intrusions than simple encryption events. Internet-facing infrastructure, cloud services, software supply chains, CI/CD systems, collaboration tools, and remote management software were common entry points because they gave attackers reach, privilege, or both.
The quarter had a clear pattern: attackers tried to remove friction from every stage of an intrusion. Initial access often came through phishing, malicious archives, ISO and LNK files, fake installers, exposed management interfaces, default credentials, and newly disclosed vulnerabilities. After compromise, operators focused on persistence, cloud or messaging-based command and control, credential theft, tunneling, web shells, legitimate remote access tools, and selective use of ransomware or destructive tooling.
Several patterns showed up again and again:
-
Edge infrastructure and management platforms drew heavy attention because they are exposed, trusted, and often poorly covered by endpoint telemetry.
-
Phishing campaigns abused legitimate SaaS, collaboration, cloud storage, file-sharing, and messaging services to get around reputation-based controls.
-
Malware operators used lighter execution chains: scripts, in-memory loading, signed or legitimate processes, runtime compilation, and fewer obvious files on disk.
-
Supply-chain attacks moved beyond poisoned packages into CI/CD workflow compromise, GitHub Actions abuse, secret theft from runners, and broader developer targeting.
-
Ransomware groups kept borrowing from APT playbooks: long dwell time, RMM abuse, BYOVD techniques, Active Directory changes, data theft, and cross-platform payloads.
-
Geopolitical activity intensified, especially around Iran-linked groups and Russia-, China-, and Pakistan-aligned operations targeting government, telecom, critical infrastructure, diplomatic, defense, and regional strategic sectors.
For Q2, the defensive priority is behavior chaining. Blocking one malware family is not enough. Teams need to catch the sequence: external exploitation followed by a web shell, phishing followed by script execution, CI execution followed by credential access, RMM installation after identity compromise, or defense tampering just before encryption.
Key findings
-
Exploit-led intrusions moved faster. Threat actors quickly weaponized public-facing vulnerabilities in remote support tools, enterprise mobility management, recovery appliances, and edge infrastructure. In some cases, they went from access to web shell or backdoor persistence within minutes.
-
Trusted platforms became delivery and control infrastructure. GitHub, Jira, Dropbox, MEGA, Telegram, cloud storage, file-hosting services, and legitimate RMM tools were used for payload delivery, command and control, credential theft, persistence, or exfiltration.
-
Phishing leaned into user-assisted execution. Campaigns used fake error pages, fake BSOD screens, CAPTCHA-style flows, professional lures, résumé themes, fake invitations, charity impersonation, brand replicas, localized SaaS notifications, and malicious archives to push users into launching scripts or pasting commands.
-
Malware delivery became more modular and less file-dependent. Observed chains used MSBuild, PowerShell, VBScript, Windows Script Host, rundll32, msiexec, Add-Type runtime compilation, reflective .NET loading, steganographic payloads, and in-memory Linux ELF execution.
-
Developers and CI/CD systems were active targets. Compromised GitHub Actions, trojanized packages, typosquatted domains, CI runner memory scraping, cloud metadata credential theft, and encrypted exfiltration of developer secrets pointed to a wider push upstream.
-
Edge and Linux infrastructure served as both target and attacker infrastructure. FortiWeb appliances, telecom edge devices, routers, IoT systems, Linux servers, and embedded hosts were used for Sliver C2, proxying, brute-force activity, botnets, cryptomining, and relay infrastructure.
-
Ransomware operators focused on control before impact. LockBit, Medusa, CrazyHunter, Interlock, DeadLock, Sicarii, and Reynolds activity showed heavier use of RMM tools, vulnerable drivers, process killers, GPO deployment, backup suppression, and persistence before encryption.
-
Geopolitical cyber activity became more fragmented and easier to deny. Iran-linked actors, proxy groups, hacktivist fronts, and state-aligned operators mixed espionage, phishing, ransomware, wiper-like disruption, cloud abuse, and commodity tooling.
Strategic threat view
Q1 2026 showed more overlap between cybercrime, espionage, and supply-chain intrusion. The lines between financially motivated malware, state-aligned access operations, and ransomware groups kept blurring. Commodity tools appeared in strategic intrusions, while more capable actors used low-cost methods such as password-protected archives, public file-sharing, RMM deployment, and cloud-hosted command channels.
Attackers kept going after places where defenders often have less visibility: edge appliances, CI/CD runners, unmanaged developer workstations, SaaS workflows, Linux infrastructure, local AI-agent ecosystems, and administrative interfaces. These systems frequently hold privileged credentials, connect to downstream environments, or sit outside mature EDR coverage.
Operators also showed practical flexibility. They did not rely on one clean path. Phishing and exploitation ran in parallel. Cloud services and attacker-owned infrastructure were blended. Persistence used both native operating system features and legitimate remote access software. Exfiltration often relied on ordinary tools such as Rclone, AZCopy, curl, tar, openssl, and standard web protocols.
The useful signals are rarely single indicators. They are sequences: archive opening, LNK execution, script engine launch, payload download, Defender tampering, persistence creation, and outbound traffic to rare infrastructure. Detection programs built only around IoCs will miss campaigns that rotate payloads but keep the same behavior.
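As an added example of that behavior-chaining idea (not code from the original report or from Securonix), the correlator below matches the ordered sequence just described, per host and inside a time window, over a few constructed endpoint events. The event schema, the host names, the 203.0.113.45 destination and the small allowlist of known destinations are all assumptions made for illustration; in practice these records would come from EDR or SIEM telemetry.

```python
"""Behavior-chain correlator over constructed endpoint events.

Added example: matches an ordered chain of stages (LNK execution ->
script engine -> Defender exclusion -> outbound to a rare destination)
per host within a time window, instead of alerting on any one event.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    kind: str    # "process", "registry" or "network"
    detail: str  # command line, registry value path or "host:port"


# Assumption: destinations the enterprise is known to talk to.
KNOWN_DESTINATIONS = frozenset({"update.microsoft.com", "login.microsoftonline.com"})
SCRIPT_ENGINES = ("wscript.exe", "cscript.exe", "powershell.exe", "mshta.exe")


def lnk_execution(e: Event) -> bool:
    return e.kind == "process" and ".lnk" in e.detail.lower()


def script_engine(e: Event) -> bool:
    return e.kind == "process" and any(s in e.detail.lower() for s in SCRIPT_ENGINES)


def defender_exclusion(e: Event) -> bool:
    return e.kind == "registry" and "windows defender\\exclusions" in e.detail.lower()


def rare_outbound(e: Event) -> bool:
    return e.kind == "network" and e.detail.rsplit(":", 1)[0] not in KNOWN_DESTINATIONS


# Stages must match in this order, on the same host, inside the window.
CHAIN = [
    ("lnk_execution", lnk_execution),
    ("script_engine", script_engine),
    ("defender_exclusion", defender_exclusion),
    ("rare_outbound", rare_outbound),
]


def correlate(events, chain=CHAIN, window=timedelta(minutes=10)) -> list[dict]:
    """Return one hit per completed chain: host, start/end time, matched stages."""
    by_host: dict[str, list[Event]] = {}
    for e in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(e.host, []).append(e)

    hits = []
    for host, evs in by_host.items():
        for i, start in enumerate(evs):
            if not chain[0][1](start):
                continue
            matched = [(chain[0][0], start.detail)]
            stage = 1
            for e in evs[i + 1:]:
                if e.ts - start.ts > window:
                    break  # chain did not complete inside the window
                if chain[stage][1](e):
                    matched.append((chain[stage][0], e.detail))
                    stage += 1
                    if stage == len(chain):
                        hits.append({"host": host, "start": start.ts, "end": e.ts, "stages": matched})
                        break
    return hits


T0 = datetime(2026, 3, 12, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed, not real telemetry
    Event(T0, "WS-114", "process", r'cmd.exe /c "C:\Users\jdoe\Downloads\Invoice_Q1\Invoice.lnk"'),
    Event(T0 + timedelta(seconds=4), "WS-114", "process", "powershell.exe -w hidden -enc SQBFAFgA"),
    Event(T0 + timedelta(seconds=9), "WS-114", "registry",
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\ProgramData"),
    Event(T0 + timedelta(seconds=12), "WS-114", "network", "update.microsoft.com:443"),
    Event(T0 + timedelta(seconds=15), "WS-114", "network", "203.0.113.45:8443"),
    # WS-207: the same stages, but spread over hours, so they do not chain
    Event(T0 + timedelta(hours=1), "WS-207", "process", r'cmd.exe /c "C:\Users\asmith\Desktop\Agenda.lnk"'),
    Event(T0 + timedelta(hours=1, seconds=3), "WS-207", "process",
          r"wscript.exe C:\Users\asmith\AppData\Local\Temp\a.vbs"),
    Event(T0 + timedelta(hours=4), "WS-207", "registry",
          r"HKLM\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\asmith"),
    Event(T0 + timedelta(hours=4, seconds=2), "WS-207", "network", "203.0.113.45:8443"),
    # SRV-03: script engine and rare outbound without a preceding LNK stage
    Event(T0 + timedelta(hours=2), "SRV-03", "process", r"powershell.exe -File C:\Scripts\backup.ps1"),
    Event(T0 + timedelta(hours=2, seconds=1), "SRV-03", "network", "203.0.113.45:8443"),
]

if __name__ == "__main__":
    for hit in correlate(SAMPLE_EVENTS):
        print(hit["host"], hit["end"] - hit["start"], [name for name, _ in hit["stages"]])
```

Only WS-114 is flagged: each of its events is unremarkable alone, but together they complete the chain in 15 seconds. WS-207 shows the same stages hours apart and SRV-03 lacks the entry stage, so neither fires. The window and the stage predicates are the tuning knobs; widening the window catches slower operators at the cost of more chance matches.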
Major threat themes
Exploitation of edge and management infrastructure
Public-facing infrastructure was one of the most reliable entry points in Q1. Attackers targeted remote support platforms, enterprise mobility management systems, recovery appliances, FortiWeb devices, telecom edge systems, and Linux-based appliances. These environments often combine administrative trust, external exposure, and weak monitoring.
Many intrusion chains followed the same rough path:
-
Exploit an exposed service or use default credentials.
-
Confirm access with sleep commands, DNS callbacks, or lightweight probes.
-
Deploy a web shell, backdoor, or remote control component.
-
Change configuration or startup scripts for persistence.
-
Use the compromised system as a relay, proxy, C2 node, or pivot point.
Remote support exploitation involving CVE-2026-1731 showed how WebSocket-exposed components could be abused for unauthenticated code execution. Follow-on activity included credential manipulation, PHP web shells, short-lived scripts, Apache configuration changes, and outbound connections to uncommon ports.
Enterprise mobility management exploitation involving CVE-2026-1281 and CVE-2026-1340 followed a similarly short path from crafted HTTP requests to reverse shells, JSP web shells, and agent deployment. GRIMBOLT-related recovery appliance compromise showed the risk of hard-coded or default Tomcat Manager credentials, with attackers deploying malicious WAR files and modifying startup scripts for boot-level persistence.
Edge systems were also reused as attacker infrastructure. Sliver implants appeared on compromised FortiWeb appliances, with binaries placed in hidden Linux paths such as dot-prefixed directories and persisted through systemd or supervisor configuration. Proxy tools such as FRP and microsocks helped attackers reach internal services or relay traffic through trusted perimeter systems.
Telecom and embedded systems stayed in scope. UAT-7290 and UAT-9244 activity showed the value of Linux-based edge devices, SSH brute-force, public-facing exploitation, peer-to-peer C2, BitTorrent-based command discovery, modular implants, and relay box behavior.
Phishing, social engineering, and trusted-platform abuse
Phishing in Q1 was not limited to stealing credentials. Many campaigns pushed users into running commands, installing remote access tools, or trusting SaaS-generated messages.
PHALT#BLYX used a Booking.com-themed lure and a fake browser failure flow that escalated into a fake BSOD. The notable piece was "ClickFix" behavior: users were told to open the Windows Run dialog and paste a malicious PowerShell command. That moved execution away from automatic exploitation and toward user-approved command execution, which can bypass controls built around attachment detonation or macro blocking.
Transparent Tribe used an ISO lure against India’s startup and cybersecurity ecosystem. A fake Excel file was actually an LNK file that launched a batch script, displayed a decoy spreadsheet, removed Mark-of-the-Web protections, and executed Crimson RAT from a user path. Similar archive-plus-shortcut patterns appeared across espionage activity, so mounted archives and LNK execution deserve close monitoring.
Operation CamelClone used ZIP archives containing lure images and malicious LNK files. Execution triggered PowerShell retrieval of a JavaScript loader, staged downloads, Rclone execution, and collection of Desktop documents and Telegram Desktop session data.
Trusted SaaS abuse increased as well. Jira Cloud-generated email notifications delivered localized lures that passed authentication checks, then redirected users through layered infrastructure to investment or casino-themed destinations. Operation TwinBrand copied well-known services with convincing replica portals, harvested credentials, and in some cases delivered VBS scripts that installed legitimate RMM tools such as LogMeIn, AnyDesk, or ScreenConnect.
The common thread is trust. Attackers borrowed credibility from brands, cloud-generated email, business workflows, collaboration tools, and legitimate software. The email is only the first clue. The stronger detections come later in the chain: redirects, credential submission, script execution, silent MSI installation, UAC elevation loops, and new remote access tooling.
Malware, loaders, and backdoors
Malware delivery in Q1 kept moving toward modular loaders, runtime execution, script-based staging, and legitimate process abuse.
SHADOW#REACTOR delivered Remcos RAT through an obfuscated VBS launcher, PowerShell downloader, text-based payload fragments, reflective .NET loading, and MSBuild execution. PHALT#BLYX also abused MSBuild to run a malicious project file, then used Startup Internet Shortcut files and Defender exclusions for persistence and evasion.
OysterLoader used a more traditional Windows loader model, but with strong evasion. Fake software sites distributed MSI installers that launched staged shellcode, allocated RWX memory, flooded API calls, checked for debugging, resolved imports dynamically, decoded payloads with custom logic, and created scheduled task persistence through rundll32 executing a DLL in AppData.
SILENTCONNECT used fake invitation lures and CAPTCHA-style delivery to run VBScript and PowerShell. The chain retrieved C# source, compiled it in memory with Add-Type, masqueraded activity, attempted UAC bypass, weakened Defender controls, and silently installed ScreenConnect as a persistent remote access service.
FAUX#ELEVATE used a résumé-themed VBScript lure with anti-analysis checks and a domain-join condition, apparently to focus deployment on corporate systems. The campaign combined browser credential theft, desktop file collection, SMTPS exfiltration, RAT access, Defender exclusion changes, firewall modification, and Monero mining.
Linux malware also expanded. CondiBot turned compromised Linux devices into DDoS nodes through multi-architecture payloads, C2 registration, reboot tampering, and removal of competing malware. Monaco used SSH brute-force to deploy XMRig and maintain persistence through daemonization, watchdog behavior, and temporary directory execution.
APT tooling changed too. MuddyWater’s RustyWater used a Rust implant with encrypted HTTP C2, anti-analysis logic, registry persistence, and process injection. PLUGGYAPE used a Python backdoor and MQTT C2. UAT-9244 deployed TernDoor, PeerTime, and BruteEntry across Windows, Linux, and embedded environments, combining DLL side-loading, in-memory ELF execution, peer-to-peer C2, and brute-force infrastructure.
Supply-chain and developer ecosystem risk
Developer environments were a major target in Q1. The TeamPCP campaign showed how one supply-chain compromise can spread across CI/CD systems, package repositories, cloud credentials, and developer workflows.
Attackers abused compromised GitHub Actions, trojanized PyPI packages, poisoned workflow tags, and developer dependencies to trigger execution inside trusted build environments. Compromised Trivy-related workflows harvested secrets from CI runner memory and cloud metadata services. Stolen credentials were then reused to compromise other integrations, including Checkmarx-related workflows.
Telnyx-related activity used WAV audio steganography for payload delivery. Malicious payloads hidden inside audio files were rebuilt at runtime, with separate execution paths for Windows and Linux. On Windows, activity included suspicious msbuild.exe placement in the user Startup directory and process injection into dllhost.exe. On Linux, the chain used python3 stdin execution, openssl, tar, curl, temporary staging directories, encrypted archive creation, and exfiltration of developer secrets.
OpenClaw abuse exposed risks in local AI-agent ecosystems. Attack paths included malicious skills, trojanized editor extensions, typosquatted domains, exposed local admin interfaces, plaintext memory and configuration files, browser-assisted token theft, and recurring execution through modified memory files or cron jobs. Local agent folders, .env files, SSH keys, OAuth tokens, Git tokens, cloud credentials, wallet files, and conversation histories became attractive targets.
For defenders, the practical lesson is that supply-chain security cannot stop at dependency scanning. It needs runtime CI/CD monitoring, immutable dependency pinning, secret isolation, credential rotation, metadata-service restrictions, developer endpoint telemetry, and governance over local agents, plugins, extensions, and automation tools.
Ransomware and hands-on-keyboard intrusions
Ransomware activity in Q1 looked less like isolated encryption and more like full intrusion operations. Operators spent more time on persistence, credential theft, lateral movement, defense evasion, exfiltration, and recovery suppression before impact.
LockBit 5.0 continued to refine RaaS operations with optimized encryption, service termination, backup suppression, and dynamic extension generation. Medusa leaned on RMM tools such as SimpleHelp, Atera, ScreenConnect, and AnyDesk for access, persistence, movement, and exfiltration. CrazyHunter used Active Directory compromise, GPO deployment, BYOVD techniques, Donut loaders, AV-killer binaries, and domain-wide payload propagation. Interlock combined loader malware, Node.js implants, scheduled tasks, ScreenConnect abuse, AZCopy exfiltration, process-killer drivers, and cross-platform ransomware payloads for Windows and Nutanix environments.
DeadLock tested decentralized infrastructure by using Polygon smart contracts to retrieve proxy and communication endpoints. Sicarii combined ransomware behavior with destructive scripts, LSASS dumping attempts, SafeBoot tampering, local account creation, Fortinet exploitation attempts, and ideological messaging.
Reynolds ransomware built evasion directly into the payload. It dropped a signed vulnerable driver, created the NSecKrnl service, terminated security processes, and encrypted files with a .locked extension. Side-loaded components staged before encryption, and remote access tooling deployed afterward, were reminders that the encryption event is usually only one phase of a longer intrusion.
The common pre-impact signals were consistent: remote access installation, unusual admin share execution, driver loading, process killing, VSS deletion, firewall changes, GPO abuse, credential dumping, exfiltration tooling, and rapid file renaming.
Geopolitically motivated activity
Geopolitical cyber activity intensified during the quarter. Iran-linked, Russia-linked, China-linked, and Pakistan-linked operations targeted government, critical infrastructure, telecom, diplomatic, defense, maritime, financial, healthcare, and regional strategic sectors.
Iran-linked activity became more fragmented and easier to disavow amid regional tensions. MuddyWater, APT42, Seedworm, Handala, Dust Specter, Void Manticore, and related operators mixed phishing, credential theft, Telegram-based C2, malware delivery, proxy activity, ransomware-like disruption, wipers, and influence activity. Campaigns used conflict-themed lures, cloud-hosted content, compromised accounts, Android payloads, PowerShell backdoors, Dindoor, SPLITDROP, GHOSTFORM, commodity malware, Deno runtime abuse, Rclone exfiltration to object storage, and messaging platforms as command channels.
Russia-linked activity included APT28 cloud-C2 exploitation chains and UAC-0190 operations against Ukrainian state and social organizations. APT28 activity combined Office/WebDAV retrieval, DLL execution, COM hijacking, scheduled tasks, image-based payload concealment, Outlook security weakening, macro persistence, and cloud exfiltration. UAC-0190 used messaging lures, fake charity sites, password-protected archives, double-extension payloads, PLUGGYAPE, Python components, and MQTT-based C2.
China-linked activity stayed focused on critical infrastructure, telecom, edge devices, and long-term access. UAT-8837 used compromised credentials, public-facing exploitation, Earthworm, SharpHound, Certipy, DWAgent, AD reconnaissance, RDP credential exposure tactics, and account persistence. UAT-7290 targeted telecom providers through edge exploitation, SSH brute-force, RushDrop, DriveSwitch, SilentRaid, and Bulbature relay behavior. UAT-9244 expanded similar infrastructure-focused activity with Windows and Linux implants, BitTorrent-based C2 discovery, and brute-force nodes.
Pakistan-linked Transparent Tribe activity targeted India’s startup and cybersecurity communities with ISO/LNK lures and Crimson RAT. The campaign showed that professional themes and shortcut-based execution still work.
Notable threat activity
-
PHALT#BLYX: Booking.com-themed ClickFix campaign using fake BSOD pages, clipboard-injected PowerShell, MSBuild project execution, Defender exclusion changes, Startup .url persistence, and process injection.
-
SHADOW#REACTOR: Modular VBS-to-PowerShell-to-MSBuild delivery framework using text-based payload fragments, reflective .NET loading, and Remcos RAT.
-
Transparent Tribe startup lure: ISO and LNK-based campaign using a fake Excel file, batch execution, decoy document display, Mark-of-the-Web removal, and Crimson RAT.
-
MuddyWater / RustyWater: Spear-phishing campaign using malicious Word macros to deploy a Rust implant with registry persistence, encrypted HTTP C2, anti-analysis behavior, and process injection.
-
APT28 cloud-C2 exploit chain: Office/WebDAV chain using rundll32, COM hijacking, scheduled task persistence, image-hidden payload content, Outlook macro weakening, and cloud-based exfiltration.
-
UAT-9244 telecom intrusions: Windows DLL side-loading and Linux/embedded implants, including TernDoor, PeerTime, and BruteEntry, with BitTorrent C2 discovery and brute-force infrastructure.
-
TeamPCP supply-chain campaign: Compromised GitHub Actions and trojanized packages used to harvest CI/CD secrets, cloud credentials, SSH keys, .env files, and developer artifacts.
-
OpenClaw abuse: Malicious skills, trojanized extensions, exposed admin interfaces, plaintext agent memory files, browser token theft, and recurring execution through modified local agent files.
-
SILENTCONNECT: VBScript and PowerShell chain that compiled C# in memory, bypassed UAC, modified Defender exclusions, and installed ScreenConnect for persistent access.
-
FAUX#ELEVATE: Résumé-themed VBScript intrusion combining UAC elevation attempts, credential theft, desktop file collection, SMTPS exfiltration, RAT access, and Monero mining.
-
Edge Ghosts Sliver on FortiWeb: Sliver implants placed on compromised Linux-based edge appliances, persisted through systemd and supervisor configuration, and extended with FRP and microsocks proxy tooling.
-
Reynolds ransomware: Vulnerable-driver-enabled ransomware using NSecKrnl service creation, security process termination, side-loaded components, and .locked file encryption.
Detection priorities
Organizations should focus on detections that connect multiple stages of an intrusion, not just one event.
Initial access and user execution
-
Archive, ISO, ZIP, RAR, or disk image opening followed by LNK, VBS, JS, BAT, CMD, PowerShell, or rundll32 execution.
-
Office documents spawning script interpreters, command shells, WebDAV retrieval, or unusual child processes.
-
User-pasted command execution tied to fake error pages or ClickFix-style lures.
-
Password-protected archives followed by shortcut execution or decoy document display.
-
Brand-themed or SaaS-generated emails that lead to redirect chains, credential capture, or script downloads.
Script, LOLBin, and loader abuse
-
wscript.exe -> powershell.exe -> msbuild.exe execution chains.
-
MSBuild running project files from ProgramData, Temp, Downloads, or other user-writable paths.
-
PowerShell using encoded commands, Add-Type compilation, Defender exclusion changes, download cradles, or execution policy bypass.
-
rundll32.exe loading DLLs from AppData, Temp, ProgramData, removable drives, or archive extraction paths.
-
msiexec.exe silent installation started by scripts, browsers, or PowerShell.
-
Windows Script Host launching payloads from recruiting, invoice, invitation, update, or other business-themed lures.
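The first two bullets above describe process ancestry and launch paths, which most telemetry exposes only as flat parent/child records. As an added example (not code from the original report or from Securonix), the script below rebuilds ancestry from such records, flags the wscript -> powershell -> msbuild chain as an ordered subsequence of a process's ancestors, and flags LOLBins whose command line points into user-writable paths. The Proc schema, the PIDs and the command lines are constructed for illustration, and the user-writable path pattern assumes a default Windows layout.

```python
"""Process-ancestry and LOLBin path checks over constructed process events.

Added example: rebuilds parent/child ancestry from process-creation
records, flags the wscript -> powershell -> msbuild chain as an ordered
subsequence of that ancestry, and flags LOLBins whose command line
points into user-writable paths.
"""
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    image: str     # executable name, lowercase
    cmdline: str


LOLBINS = {"msbuild.exe", "rundll32.exe", "msiexec.exe", "regsvr32.exe", "mshta.exe"}
SUSPICIOUS_CHAINS = [
    ("wscript.exe", "powershell.exe", "msbuild.exe"),
    ("cscript.exe", "powershell.exe", "msbuild.exe"),
]
# Paths an unprivileged user can write to. Assumption: default Windows layout.
USER_WRITABLE = re.compile(
    r"\\(programdata|windows\\temp|users\\[^\\]+\\(appdata|downloads))\\", re.I)


def ancestry(procs: dict[int, Proc], pid: int) -> list[str]:
    """Image names from the root ancestor down to pid; stops on unknown or cyclic ppid."""
    chain, seen = [], set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        seen.add(cur.pid)
        chain.append(cur.image)
        cur = procs.get(cur.ppid)
    return chain[::-1]


def is_subsequence(pattern, seq) -> bool:
    """True if pattern appears in seq in order, not necessarily adjacent."""
    it = iter(seq)
    return all(any(p == s for s in it) for p in pattern)


def analyze(events: list[Proc]) -> list[dict]:
    """One finding per matched rule, each carrying the full ancestry for triage."""
    procs = {p.pid: p for p in events}
    findings = []
    for p in events:
        chain = ancestry(procs, p.pid)
        for pattern in SUSPICIOUS_CHAINS:
            if p.image == pattern[-1] and is_subsequence(pattern, chain):
                findings.append({"pid": p.pid, "rule": "chain:" + "->".join(pattern), "chain": chain})
        if p.image in LOLBINS and USER_WRITABLE.search(p.cmdline):
            findings.append({"pid": p.pid, "rule": "lolbin_user_writable_path", "chain": chain})
    return findings


SAMPLE_PROCS = [  # constructed process-creation records, not real telemetry
    Proc(4, 0, "explorer.exe", "explorer.exe"),
    Proc(1200, 4, "wscript.exe", r'wscript.exe "C:\Users\jdoe\Downloads\Resume.vbs"'),
    Proc(1300, 1200, "powershell.exe", "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"),
    Proc(1400, 1300, "msbuild.exe", r"msbuild.exe C:\ProgramData\upd\build.proj"),
    Proc(1500, 4, "msbuild.exe", r"msbuild.exe C:\Projects\app\app.csproj"),       # developer build
    Proc(1600, 4, "rundll32.exe", r'rundll32.exe "C:\Users\jdoe\AppData\Roaming\svc\core.dll",Start'),
    Proc(1700, 4, "rundll32.exe", "rundll32.exe shell32.dll,Control_RunDLL"),      # benign
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_PROCS):
        print(f["pid"], f["rule"], " -> ".join(f["chain"]))
```

PID 1400 trips both rules (the script-engine chain and a project file under ProgramData), PID 1600 trips only the path rule, and the developer's MSBuild run from C:\Projects and the benign rundll32 call produce nothing. Matching the chain as a subsequence rather than requiring direct parent/child links keeps the rule working when an operator inserts cmd.exe or conhost.exe between the stages.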
Exploitation and appliance compromise
-
Web shell creation under public web directories, Tomcat paths, Apache roots, CSS or image directories, or appliance application folders.
-
Sleep-based probing, OAST/DNS validation, suspicious WebSocket requests, and exploit-style URI patterns.
-
Unauthorized WAR, JSP, or PHP deployment, Tomcat Manager access, and configuration changes followed by service restarts.
-
New systemd units, modified supervisor.conf, hidden Linux binaries, and execution from dot-prefixed appliance directories.
-
Unexpected listeners on nonstandard ports or masqueraded services, including SOCKS listeners on printing-related ports.
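The systemd and supervisor bullet is easy to check offline once the unit files have been collected from an appliance. The script below is an added example (not code from the original report or from Securonix): it pulls the executable out of ExecStart-style and supervisor command= lines and flags paths under staging directories or inside dot-prefixed directories, the two placements described above. The file names and contents are constructed; the staging directory list and the handling of systemd's "-", "@" and "+" prefixes are assumptions made for this illustration.

```python
"""Audit systemd units and supervisor program entries for suspicious exec paths.

Added example: extracts the executable from ExecStart*/command lines and
flags paths under staging directories or inside dot-prefixed (hidden)
directories.
"""
from __future__ import annotations

import re
from pathlib import PurePosixPath

STAGING_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
# systemd allows prefixes such as "-", "@" and "+" before the path; strip them.
EXEC_RE = re.compile(
    r"^\s*Exec(?:Start|StartPre|StartPost|Reload|Stop)\s*=\s*[-@+!:]*\s*(\S+)", re.M)
SUPERVISOR_RE = re.compile(r"^\s*command\s*=\s*(\S+)", re.M | re.I)


def exec_paths(text: str) -> list[str]:
    """Executables launched by a systemd unit or a supervisor config."""
    return EXEC_RE.findall(text) + SUPERVISOR_RE.findall(text)


def path_reasons(path: str) -> list[str]:
    """Why an executable path looks wrong; empty list means nothing flagged."""
    reasons = []
    if path.startswith(STAGING_DIRS):
        reasons.append("staging_dir")
    # Any dot-prefixed component below the root, e.g. /usr/lib/.fw/monitord
    if any(part.startswith(".") for part in PurePosixPath(path).parts[1:]):
        reasons.append("hidden_component")
    if not path.startswith("/"):
        reasons.append("relative_path")
    return reasons


def audit(configs: dict[str, str]) -> list[dict]:
    """configs maps file name -> content; returns one finding per suspicious exec path."""
    findings = []
    for name, text in configs.items():
        for path in exec_paths(text):
            reasons = path_reasons(path)
            if reasons:
                findings.append({"file": name, "exec": path, "reasons": reasons})
    return findings


SAMPLE_CONFIGS = {  # constructed contents, not from a real appliance
    "/etc/systemd/system/sshd.service":
        "[Service]\nExecStart=/usr/sbin/sshd -D $OPTIONS\n",
    "/etc/systemd/system/fw-monitor.service":
        "[Unit]\nDescription=Firewall health monitor\n"
        "[Service]\nExecStart=-/usr/lib/.fw/monitord --daemon\nRestart=always\n",
    "/etc/supervisor/conf.d/apps.conf":
        "[program:webapp]\ncommand=/opt/webapp/bin/gunicorn app:wsgi\n\n"
        "[program:updater]\ncommand=/tmp/.x/frpc -c /tmp/.x/frpc.ini\nautostart=true\n",
}

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIGS):
        print(f["file"], f["exec"], ",".join(f["reasons"]))
```

The sshd unit and the webapp program pass; the "firewall health monitor" unit whose binary lives in /usr/lib/.fw and the supervisor entry launching frpc from /tmp/.x are both reported. A plausible Description line is not evidence of anything, which is why the check looks only at where the binary lives.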
Credential access and identity abuse
-
LSASS dumping through rundll32.exe comsvcs.dll, registry hive export, browser credential-store access, and credential-dumping tools run from user-writable paths.
-
CI runner access to /proc/*/mem, cloud metadata service requests to 169.254.169.254, and automated collection of SSH keys, cloud credentials, Git tokens, .env files, and shell histories.
-
AD reconnaissance using SharpHound, Certipy, setspn, dsquery, dsget, secedit, and suspicious security policy exports.
-
Creation of backdoored domain users, local admin accounts, unusual Run keys, or persistence values pointing to ProgramData or AppData.
Persistence, remote access, and C2
-
New scheduled tasks, Run keys, Startup .url files, cron jobs, services, or systemd units pointing to user-writable or hidden paths.
-
Unexpected installation or reconfiguration of AnyDesk, ScreenConnect, LogMeIn, SimpleHelp, Atera, DWAgent, NetBird, or other RMM tools.
-
Telegram API usage, BitTorrent traffic, MQTT C2, WebSocket-based C2, GitHub raw downloads, cloud storage exfiltration, and uncommon outbound traffic from non-browser processes.
-
Rclone, AZCopy, curl, tar, openssl, BusyBox, Docker, and Python appearing in unusual parent-child chains or staging directories.
Ransomware pre-impact signals
-
Vulnerable driver drops, new kernel services, BYOVD activity, and security process termination.
-
VSS deletion, backup service stoppage, SafeBoot or boot configuration tampering, and recovery suppression.
-
GPO-based deployment, PsExec-style remote execution, admin share execution, and UNC path script execution from domain controllers.
-
Large file rename bursts, ransom note creation, encryption extensions, and rapid modification across local and network drives.
Defensive recommendations
1. Reduce exposure of high-value infrastructure
-
Remove direct internet exposure for management interfaces, remote support platforms, EPMM systems, recovery appliances, Tomcat Manager, VPN, OT, PLC, and edge-device administration.
-
Restrict administrative access to VPN, ZTNA, jump hosts, segmented management networks, and controlled allowlists.
-
Disable default, embedded, or weak credentials. Rotate privileged accounts after patching or exposure events.
-
Maintain rapid patch SLAs for internet-facing systems and replace end-of-life appliances before they become permanent risk.
2. Harden email, web, and collaboration workflows
-
Detonate or block high-risk attachments and containers, including ISO, LNK, VBS, JS, RAR, ZIP, PIF, macro-enabled Office files, and password-protected archives where business need is limited.
-
Inspect redirect chains from trusted SaaS notifications and cloud collaboration services instead of relying only on email authentication results.
-
Train users on ClickFix, fake browser errors, fake BSOD pages, fake CAPTCHA flows, and command-paste social engineering.
-
Enforce file extension visibility and mark external content clearly.
3. Control script and LOLBin execution
-
Restrict unnecessary use of Windows Script Host, PowerShell, MSBuild, rundll32, regsvr32, msiexec, cmd, and other commonly abused binaries.
-
Enable PowerShell Script Block Logging, Module Logging, command-line auditing, and transcription where feasible.
-
Alert on Defender exclusion changes, UAC bypass behavior, execution policy bypass, runtime compilation, and encoded PowerShell.
-
Use application control to block execution from Temp, Downloads, ProgramData, AppData, Public, Startup, and other user-writable paths unless explicitly approved.
4. Secure developer, CI/CD, and AI-agent environments
-
Pin GitHub Actions and dependencies to immutable commit SHAs, use hash verification, and review force-pushed tags or unexpected workflow changes.
-
Treat any CI/CD environment that executed compromised dependencies as potentially breached. Rotate exposed credentials, tokens, and cloud keys.
-
Restrict cloud metadata service access from runners and enforce workload identity controls.
-
Monitor CI runners for memory scraping, curl POST exfiltration, archive creation, and access to secrets files.
-
Govern local AI agents, plugins, editor extensions, and skills. Prevent exposed admin interfaces, plaintext secret storage, and unvetted extension installation.
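The first recommendation in this section, pinning actions to immutable commit SHAs, is simple to audit mechanically. The checker below is an added example (not code from the original report or from Securonix): it classifies every uses: line in a workflow as pinned (a 40-hex commit SHA, or a docker:// image with a sha256 digest), mutable (tag, branch, or untagged image) or local, without needing a YAML parser. The workflow text, the placeholder SHA and the example-org/scan-action name are constructed for illustration.

```python
"""Check GitHub Actions workflow text for mutable action references.

Added example: every `uses:` line is classified as pinned (40-hex commit
SHA, or a docker image with a sha256 digest), mutable (tag, branch or
untagged image) or local, without needing a YAML parser.
"""
from __future__ import annotations

import re

USES_RE = re.compile(r"""^\s*-?\s*uses:\s*['"]?([^\s'"#]+)""")
FULL_SHA = re.compile(r"^[0-9a-f]{40}$")


def classify(uses: str) -> str:
    if uses.startswith("./"):
        return "local"          # action in this repository, versioned with the code
    if uses.startswith("docker://"):
        return "pinned" if "@sha256:" in uses else "mutable"
    if "@" not in uses:
        return "mutable"        # no ref at all
    ref = uses.rsplit("@", 1)[1]
    # A tag such as v4 can be moved or force-pushed; only a full commit SHA is immutable.
    return "pinned" if FULL_SHA.match(ref) else "mutable"


def check_workflow(text: str) -> list[dict]:
    """One record per `uses:` line: line number, reference, classification."""
    records = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m:
            records.append({"line": n, "uses": m.group(1), "status": classify(m.group(1))})
    return records


def mutable_refs(text: str) -> list[str]:
    return [r["uses"] for r in check_workflow(text) if r["status"] == "mutable"]


# Constructed workflow; the SHA and the "# v5.3.0" comment are placeholders.
SAMPLE_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@0123456789abcdef0123456789abcdef01234567 # v5.3.0
      - uses: ./.github/actions/local-lint
      - uses: docker://alpine:3.19
      - uses: example-org/scan-action@main
      - run: pytest
"""

if __name__ == "__main__":
    for r in check_workflow(SAMPLE_WORKFLOW):
        print(f"line {r['line']:>3}  {r['status']:<8} {r['uses']}")
```

Three of the five references in the sample are mutable: a major-version tag, an untagged container image, and a branch. Keeping the version as a trailing comment next to the SHA, as the setup-python line does, is the usual way to stay readable while remaining immune to a retagged release. Run this in CI over .github/workflows and fail the job on any mutable result.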
5. Strengthen identity and remote access controls
-
Enforce phishing-resistant MFA for privileged accounts, remote access, SaaS platforms, and high-risk users.
-
Restrict RDP, SMB, SSH, and administrative shares to approved systems and jump hosts.
-
Monitor for new RMM installations, unexpected remote access reconfiguration, and outbound connections to support infrastructure that is not used by the enterprise.
-
Alert on new local administrators, suspicious domain account creation, Run key persistence, and credential access tooling.
6. Improve visibility on Linux, edge, and appliance systems
-
Ingest logs from Linux appliances, WAFs, VPNs, EPMM systems, Tomcat, Apache, SSH, systemd, supervisord, and container runtimes.
-
Monitor hidden directories, unexpected binaries, new services, modified startup scripts, unauthorized web shells, and unusual outbound traffic.
-
Detect BusyBox, Docker checks, peer-to-peer traffic, brute-force nodes, unexpected SOCKS listeners, FRP configurations, and execution from /tmp.
-
Restrict outbound connectivity from edge devices and appliances to required destinations only.
7. Prepare for ransomware before encryption starts
-
Block or monitor vulnerable driver loading, unsigned driver installation, and kernel service creation.
-
Treat security process termination, VSS deletion, backup service stoppage, and Defender tampering as emergency pre-impact signals.
-
Restrict GPO modification, PsExec usage, remote service creation, and domain controller-hosted script execution.
-
Monitor Rclone, AZCopy, robocopy, curl, and large outbound transfers from file servers or admin systems.
-
Validate offline backups, immutable storage, and recovery workflows against scenarios where security tools are disabled immediately before encryption.
Outlook
Q2 2026 will probably bring more overlap between espionage, cybercrime, ransomware, and supply-chain intrusion. Attackers are likely to keep targeting places where trust is high and visibility is low: edge appliances, CI/CD runners, SaaS workflows, developer endpoints, local AI-agent ecosystems, and remote management tools.
Public-facing systems will remain a fast route in, especially where patching lags, default credentials persist, or administrative interfaces stay exposed. Phishing will keep using trusted brands, cloud-generated email, localized content, and user-assisted execution instead of relying only on malicious attachments. Malware operators will continue reducing disk artifacts through in-memory loading, runtime compilation, steganography, fileless execution, and legitimate tool abuse.
Ransomware groups are likely to keep moving earlier in the intrusion lifecycle, with more time spent on credential theft, remote access persistence, driver-based defense evasion, and data exfiltration before encryption. Geopolitical operations will probably stay fragmented and deniable, mixing state objectives with criminal tooling, hacktivist branding, and proxy infrastructure.
The strongest defense will come from correlation. Teams need telemetry that connects identity, endpoint, email, network, cloud, CI/CD, and appliance activity into a single intrusion story. The best detection chances will appear where attacker convenience creates repeatable behavior: script execution from user paths, trusted tools acting outside their normal context, credentials accessed by unusual processes, persistence created shortly after phishing or exploitation, and legitimate remote access software appearing where no administrator put it.
