Cybersecurity Reports

Qilin dominated ransomware at 23.10% while small businesses bore 71.12% of attacks. BlackFile, BlueNoroff, GopherWhisper, Sapphire Sleet, TGR-STA-1030, and UNC6692 drove a mix of financially motivated and state-linked campaigns centered on data theft and advanced intrusion techniques. Actively exploited vulnerabilities targeted Cisco SD-WAN, Microsoft Windows and Defender, Apache ActiveMQ, and Zimbra, while AgingFly, FIRESTARTER, GoGra, Lotus Wiper, Ngate, and Snow represented threats spanning backdoors, loaders, wipers, and modular espionage toolkits.

Threat activity intensified as APT36, Bearlyfy, Silver Fox, TA446, TeamPCP, and UNC1069 leaned into credential theft, social-engineering lures, and quiet persistence, with several groups mixing classic phishing with browser-based exploits and cloud-identity abuse. Major exploits hit Apple, F5, Cisco, SharePoint, and NetScaler, while DarkSword, DeepLoad, and GlassWorm represented significant escalations in mobile, AI-assisted, and supply-chain malware.

Threat activity spiked as APT36, TA446, and UNC1069 leaned into credential theft and cloud-identity abuse, while Bearlyfy escalated politically driven ransomware. Silver Fox and TeamPCP pushed opportunistic access and data theft, and major exploits hit Apple, F5, Cisco, SharePoint, and NetScaler. Priorities for defenders include identity hardening, rapid patching, and post-compromise hunting.

Ransomware activity in early March 2026 remained fragmented, led by Qilin with continued pressure across manufacturing, technology, and construction sectors, while small businesses made up the vast majority of victims. The threat landscape featured a mix of established and emerging adversaries, alongside active exploitation of vulnerabilities across major platforms like Apple, Google, and enterprise software, reinforcing a broad, opportunistic attack environment.

Ransomware activity remained fragmented, led by Qilin, with technology and retail topping targeted sectors. Large enterprise victims increased to 16 this period, though activity was spread across multiple operators. Meanwhile, established actors resurfaced, CISA KEV added 11 actively exploited vulnerabilities, and threat activity continues to reflect overlap between financially motivated and state-aligned operations.

In early February, APT activity leaned hard on cloud abuse, identity compromise, and long‑dwell access, with UNC3886 standing out for its persistence. Exploited bugs across Notepad++, SolarWinds, Apple, and Microsoft underscored the need for fast patching and tighter identity controls. Ransomware crews stayed active, with Qilin and The Gentlemen driving most cases while Cl0p’s earlier huge Cleo‑linked victim dump kept pressure high despite fewer new hits.

Ransomware stayed hot in late January, with Cl0p jumping to the top after its huge Cleo linked victim dump, while Qilin, Akira, Sinobi and The Gentlemen kept pressure on manufacturing and mid market orgs. At the same time, exploitation of vCenter, SmarterMail, Zimbra, Ivanti EPMM and Fortinet gear drove a wave of opportunistic intrusions. Threat actors like Sandworm, Konni and ShinyHunters leaned on phishing, credential theft and stealthy C2, with Sandworm remaining the most worrying due to its destructive track record.

We open the new year with a Microsoft CVE dating back to 2009 finally being added to the CISA known exploited vulnerability catalog on the 7th of January. On the ransomware front, we start the year with Qilin once again taking the top spot. While good backup and DR processes can mitigate the impact of encryption, threat actors have learned that there is little that victims can do once their data is stolen.

As 2025 ended vendor reports slowed down. Even reports of emerging threats slowed down a little. Could the bad guys also be taking a break? The reality seems less comforting as we are still seeing plenty of victims and we are also seeing a significant number of actively exploited vulnerabilities.