QuoIntelligence assesses that the 2026 threat landscape will almost certainly (95%) be marked by continued expansion of Ransomware-as-a-Service (RaaS) programs, the growing shift toward exfiltration-only attacks, and the persistence of infostealers distributed through social platforms and developer ecosystems.
In early 2025, we released our annual outlook, in which we highlighted that ransomware groups were refining their extortion methods and that the criminal use of AI would increase, particularly in social engineering and tooling development. These trends materialized throughout 2025, and we assess they will very likely (70%) remain central throughout the year ahead.
Looking toward 2026, QuoIntelligence assesses the threat environment will almost certainly (95%) remain highly dynamic, with strengthened eCrime ecosystems and with ransomware, infostealers, and residential proxy abuse expanding in scale and sophistication. AI will also remain a core enabler for cybercriminals, particularly in social engineering. At the geopolitical level, state-aligned activities will continue to reflect global tension points, with North Korea intensifying supply chain abuse and workforce infiltration, China pursuing espionage goals, and Russia sustaining hybrid operations. Additionally, we expect the US to maintain an assertive and interventionist foreign and trade policy in 2026, leveraging tariffs and military actions to advance strategic interests, a posture that is already straining relations with European partners.

Ransomware Ecosystem Consolidates Around RaaS Expansion, ESXi Targeting, and Exfiltration-Only Operations
Ransomware-related activities are expected to persist through 2026 with minimal slowdown, driven by evolving Ransomware-as-a-Service (RaaS) models, new alliances, and a shift toward exfiltration-only attacks. Emerging and consolidating trends such as increased ESXi targeting and white-label ransomware services will serve as key indicators to monitor, both for planning defensive measures and for tracking how the ecosystem evolves.
Infostealer MaaS and IAB Markets Intensify Through Developer Ecosystem Abuse and Supply Chain Compromise
Infostealers and Initial Access Brokers (IABs) remain critical enablers of the underground ecosystem in 2026, with Malware-as-a-Service (MaaS) offerings and supply chain compromises driving infection rates. Increasing abuse of developer ecosystems and social platforms, combined with persistent innovation in delivery techniques, signals a growing challenge for detection and mitigation efforts.
Resilient Infrastructure Services Expand as Residential Proxy Abuse Rises
Bulletproof hosting and residential proxies remain critical enablers for threat actors in 2026, with proxy abuse highly likely (85%) to increase as a tactic to evade detection and bypass IP reputation controls.
EDR Impairment Tools Proliferate as BYOVD Techniques Lower Barriers for Endpoint Compromise
EDRKillers are likely (55%) to proliferate in 2026, lowering entry barriers for threat actors and increasing the risk of endpoint compromise. The evolution toward BYOVD-based techniques underscores the need for layered security beyond EDR solutions to mitigate kernel-level attacks.
Social Engineering Evolves Through ClickFix Variants and Increasing Criminal Adoption of LLM-Driven Development
ClickFix and its variants are almost certain (90%) to be the dominant social engineering techniques throughout 2026, while AI-assisted development accelerates the creation of new techniques. The growing reliance on LLMs for phishing and malware development will likely (70%) reduce entry barriers and expand the threat landscape.
Reactive Hacktivism Continues Amid Geopolitical Flashpoints, While ICS Exposure Sustains Sabotage Risks
Hacktivist activity will highly likely (90%) remain reactive and opportunistic in 2026, with DDoS campaigns continuing as the primary tactic during geopolitical flashpoints. While sabotage targeting ICS environments is still publicly limited, persistent exposure of critical systems creates uncertainty and potential for escalation.
North Korean Intrusion Sets Expand Supply Chain Attacks and Workforce Infiltration to Fund Strategic Programs
North Korean actors will likely (60%) continue their supply chain compromise efforts and employment fraud schemes in 2026, alongside persistent cryptocurrency theft.
China-Nexus Espionage Prioritizes Energy, Telecom, and Edge Device Exploitation Through Shared Tooling
Chinese state-sponsored activities will highly likely (90%) maintain their espionage campaigns in 2026, prioritizing energy, transportation, telecommunications, and edge device exploitation. Current geopolitical tensions between China and the US will highly likely (90%) lead to more persistent and continuous activities, further exacerbating cyber tensions throughout 2026.
Russia Maintains Hybrid Cyber Operations Blending Destructive Attacks, Edge Exploitation, and Global Influence Campaigns
Russian state-sponsored activities will likely (60%) sustain hybrid operations in 2026, combining destructive attacks, edge-device exploitation, and large-scale disinformation campaigns.
Iran Pressuring Israel and Western Critical Sectors
Iranian state-sponsored activity demonstrated a comparatively lower operational tempo in 2025 relative to 2024 but maintained consistent targeting of Israeli entities. We assess it is unlikely (35%) that Iran will significantly evolve its cyber operations in 2026, aside from sustaining its persistent focus on Israel and the wider geopolitical tensions within the country itself.
Middle East: Continued Confrontation Under The Threshold of War, Iran At a Turning Point
In 2026, the Middle East will very likely (85%) remain highly volatile, with conflict continuing below the threshold of full-scale war as Israel sustains military pressure across multiple fronts and Iran faces mounting internal and external constraints. The Iranian regime is approaching a critical turning point, and its survival in its current form is increasingly uncertain.
A More Aggressive and Predatory US To Place the EU At a Strategic Crossroads For its Global Relevance
In 2026, the US will almost certainly (90%) continue pursuing an assertive, interventionist foreign and trade policy, using tariffs and military actions to advance its interests. This increasingly predatory posture will very likely (75%) heighten tensions with European partners, placing the EU at a critical crossroads for its unity, credibility, and role in international affairs.



