Huntress Cyber Threat Report Exposes The Playbook for Organized Cybercrime
12-month analysis of Huntress data finds cybercriminals are maturing their operations, prioritizing scalable, repeatable attacks to optimize efficiency and maximize profits
COLUMBIA, Md., Feb. 17, 2026 (GLOBE NEWSWIRE) -- Cybercrime has become the world’s third-largest economy, with costs projected to reach $12.2 trillion annually by 2031. Today, Huntress exposes the tactics, techniques, and procedures (TTPs) fueling this multi-trillion-dollar illicit market in its 2026 Cyber Threat Report. The in-depth analysis sheds light on the playbook used by organized, profit-driven cybercriminals, uncovering how they weaponize legitimate tools, exploit everyday behaviors, and leverage a vast underground network to exploit people, businesses, and employees across the globe.
To produce this report, Huntress analyzed proprietary telemetry from over four million endpoints and nine million identities across the 230,000+ organizations it protects worldwide. This robust dataset served as the foundation for uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft, and actionable strategies to help organizations prepare for the year ahead. Key findings include:
- Remote monitoring and management (RMM) tools are cybercriminals' new favorite weapon: The abuse of RMM tools surged 277% year-over-year, accounting for 24% of all observed incidents. As cybercriminals built entire playbooks around these legitimate, trusted tools to drop malware, steal credentials, and execute commands, the use of traditional hacking tools plummeted by 53%, while remote access trojans and malicious scripts dropped by 20% and 11.7%, respectively.
- Over half of all malware loader activity came from ClickFix: In 2025, attackers didn’t need to break in when they could just trick users into giving them access. No technique did this more effectively than ClickFix, which fueled 53% of all malware loader activity. By masquerading as routine tasks, like solving a CAPTCHA, ClickFix and its variants tricked users into becoming unwitting accomplices, facilitating the silent installation of infostealers, ransomware, and remote access tools.
- Time-to-ransom (TTR) rose as ransomware groups prioritized stealth, data theft, and extortion: The average TTR increased from 17 to 20 hours as attackers adopted “low and slow” tactics to evade detection and spent more time identifying and exfiltrating high-value data. With more organizations implementing robust backup and recovery solutions, operators have also shifted their focus from immediate encryption to leveraging stolen data for extortion or sale on dark web marketplaces.
- Ransomware has its own big four, and they are dominating the market: Four major players—Akira, Medusa, Qilin, and RansomHub—collectively accounted for over half (51.3%) of all ransomware incidents seen by Huntress. Driven by intense competition, these groups and their rivals adopted a common playbook that favored proven attack chains over novel exploits, resulting in a steep decline in the variety of TTPs seen across ransomware groups.
- Buying access is cheaper and easier than ever: A thriving ecosystem of initial access brokers and dark web marketplaces has turned stolen credentials into a cheap, high-volume commodity, fueling a surge in shady login attempts from suspicious locations, malicious infrastructure, and unauthorized VPNs. These access policy and trust boundary violations accounted for 37.2% of all identity-based attacks.
- Mailbox manipulation and OAuth abuse set the stage for business email compromise (BEC) attacks: Mailbox manipulation and OAuth abuse, critical precursors to BEC, emerged as top identity threats, accounting for 19% and 10.1% of identity-based attacks, respectively. By using tactics like hiding emails with automated rules or leveraging malicious applications for persistent access, attackers blended into daily operations, conducted covert reconnaissance, and impersonated users, laying the groundwork for high-impact BEC schemes.
“Cybercriminals have evolved into highly efficient operators, running their campaigns like well-oiled businesses,” said Greg Linares, Principal Threat Intelligence Analyst at Huntress. “They’ve moved away from flashy exploits and are instead doubling down on simple, effective, and scalable attacks that let them target countless organizations with high success rates. By abusing trusted tools, compromising identities, exploiting user behavior, and leveraging stolen credentials, they’ve fine-tuned their operations for minimal effort and maximum impact. This trend is only set to accelerate as AI enables attackers of all skill levels to automate and refine traditional tradecraft. To stay ahead, organizations need a defense strategy that prioritizes identity protection, monitors the abuse of trusted processes, and empowers every employee to recognize and disrupt attacker tradecraft.”
To learn more, get your copy of the Huntress 2026 Cyber Threat Report or read the TL;DR for the highlights.
Additional resources:
- See who’s behind modern cybercrime, how they operate, and what you can do to protect yourself here.
- Join Tradecraft Tuesday on March 10, 2026, to hear from our experts as they break down key findings from this year’s report.
- Tune in to Declassified on March 18, 2026, where John Hammond and special guest Jim Browning will expose the business of modern cybercrime.
- Read the Huntress blog to stay updated on the latest tradecraft and tips to protect your business.
About Huntress
Huntress is a global cybersecurity company on a mission to make enterprise-grade products accessible to all businesses. Purpose-built from the ground up, Huntress' technology is specifically designed to continuously address the unique needs of security and IT teams of all sizes. From Endpoint Detection and Response (EDR) and Identity Threat Detection and Response (ITDR) to Security Information and Event Management (SIEM) tools and Security Awareness Training (SAT), the platform provides targeted protection for endpoints, identities, data, and employees, delivering trusted outcomes and valuable peace of mind.
Its 24/7 AI-assisted Security Operations Center (SOC) is powered by a team of world-renowned engineers, researchers, and security analysts dedicated to stopping cyber threats before they cause harm. Huntress is often the first to respond to major hacks and incidents, with its expert security team sharing real-time tradecraft analysis and actionable advisories with the community.
Currently safeguarding over 4 million endpoints and 10 million identities, Huntress empowers internal security and IT teams and Managed Service Providers (MSPs) worldwide to protect their businesses with enterprise-grade, accessible security products.
As long as hackers keep hacking, Huntress keeps hunting. Join the hunt at www.huntress.com and follow us on X, Instagram, Facebook, and LinkedIn.
Huntress Contact:
press@huntresslabs.com