Cyber Threat Landscape Report: February 2026
Phishing was used by 200+ tracked threat entities, making it the single most common initial access vector across our intelligence dataset. In the first two months of 2026, ransomware groups have already claimed over 460 victims, with Qilin leading the pack at 188 YTD. CISA added seven new CVEs to its Known Exploited Vulnerabilities catalog in the first two weeks of February alone.
This report covers the period from January to February 2026. It breaks down the most active threat actors and their TTPs, the ransomware groups driving the highest victim counts, the CVEs being exploited in the wild, and the detection gaps your SOC should close this month. The spotlight this month is on Qilin, a ransomware operation that has become one of the most prolific groups globally. The World Economic Forum's Global Cybersecurity Outlook 2026 warns that accelerating AI adoption, geopolitical fragmentation, and widening cyber inequity are reshaping the risk landscape (WEF, 2026).
Qilin Ransomware: Threat Group Spotlight
Qilin has claimed 1,480+ victims all-time and almost 190 victims in 2026 YTD, making it one of the most active ransomware operations on the planet right now. Active since October 2022, Qilin targets Manufacturing, Technology, Healthcare, Business Services, Financial Services, Construction, Education, and Agriculture across the US, France, Canada, the UK, Spain, Germany, Italy, and Japan.
TTPs and Tooling
Qilin maps to 10 ATT&CK techniques, but their operational toolkit is extensive. Their defense evasion stack is where they stand out.
Offensive security: Cobalt Strike, Evilginx, NetExec. Cobalt Strike remains the most common offensive framework in ransomware operations, and Qilin is no exception. Evilginx for adversary-in-the-middle phishing is a notable addition, suggesting Qilin operators are targeting MFA-protected accounts.
Defense evasion: EDRSandBlast, PCHunter, PowerTool, YDArk, Zemana Anti-Rootkit driver, and a Toshiba power management driver for BYOVD attacks. They also abuse an updater binary for Carbon Black's Cloud Sensor AV (upd.exe). This is a group that comes prepared to kill your EDR before deploying ransomware.
Credential theft: Mimikatz, widely used across ransomware operations.
Remote management: NetSupport, ScreenConnect.
Discovery: Nmap, Nping.
Lateral movement and living-off-the-land: PsExec (the single most common tool across ransomware operations), WinRM, fsutil.
Exfiltration: EasyUpload.io. Using a public file-sharing service for exfil is a low-sophistication but effective choice.
Networking: Proxychains for tunneling.
For a deeper dive into how these tools map to detection opportunities, see our Threat Actor Tools: The Complete Guide for Defenders.
MITRE ATT&CK Mapping
Key technique IDs include Phishing (T1566) for initial access, PowerShell (T1059.001) for execution, Valid Accounts (T1078) for persistence and privilege escalation, and Data Encrypted for Impact (T1486). Their known exploitation of CVE-2016-9124 shows willingness to target older, unpatched vulnerabilities.
Detection Coverage
Qilin's operations are covered by extensive Sigma and YARA detection rules across their tool and technique footprint, with thousands of rules available. That is strong coverage on paper. The real gap is in their BYOVD and EDR-killing capability: detecting the load of vulnerable drivers (EDRSandBlast, Zemana driver, Toshiba driver) before they disable your endpoint protection is the critical race condition.
Defensive Recommendations
The following D3FEND defenses map to Qilin's operational profile: Application Protocol Command Analysis, Certificate Analysis, Client-server Payload Profiling, Content Filtering, Content Modification, Content Quarantine, Data Inventory, Database Query String Analysis, Decoy File, and Dynamic Analysis. In practice, Client-server Payload Profiling and Dynamic Analysis are your highest-value investments against this group's C2 and tool delivery patterns.
What to Do About Qilin
- Block BYOVD attacks: Maintain a blocklist of known vulnerable drivers. Microsoft's Vulnerable Driver Blocklist is a starting point. Monitor for driver loads from unusual paths.
- Detect EDR tampering: Alert on your EDR agent process being stopped or its services being modified. If EDRSandBlast succeeds, you are blind.
- Hunt for Evilginx: Look for phishing infrastructure that proxies legitimate login pages. Session token theft bypasses MFA entirely.
- Monitor EasyUpload.io: Block or alert on connections to public file-sharing services from endpoints that have no business uploading files externally.
Threat Actors
Our analysis tracks 900+ threat actors. The table below ranks the top nation-state and espionage-focused actors by TTP breadth, a measure of operational sophistication. Beyond these, five ransomware operations (Qilin, Cl0p, Playgroup, incransom, safepay) are confirmed active in 2026 and are covered in the Ransomware Landscape section.
| Actor | MITRE ID | Key TTPs | Notable Malware | Status |
|---|---|---|---|---|
| Kimsuky | G0094 | Phishing (T1566), Malicious File (T1204.002), RDP (T1021.001) | Troll Stealer, Amadey, gh0st RAT | Unknown |
| APT28 | G0007 | Credential Harvesting (T1589.001), Timestomp (T1070.006), VPS (T1583.003) | CHOPSTICK, DealersChoice, Cannon | Active (2024) |
| Mustang Panda | G0129 | WMI (T1047), Malicious Link (T1204.001), Upload Malware (T1608.001) | ShadowPad, TONESHELL, Cobalt Strike | Active (2024) |
| APT41 | G0096 | Supply Chain (T1195.002), PowerShell (T1059.001), Rootkit (T1014) | PlugX, gh0st RAT, KEYPLUG | Active (2024) |
| Volt Typhoon | G1017 | Network Discovery (T1046), RDP (T1021.001), Proxy (T1090) | VersaMem | Active (2024) |
| Magic Hound | G0059 | Keylogging (T1056.001), PowerShell (T1059.001), Registry Run Keys (T1547.001) | CharmPower, PowerLess | Unknown |
| APT32 | G0050 | Pass the Hash (T1550.002), Masquerading (T1036), JavaScript (T1059.007) | Kerrdown, Cobalt Strike | Unknown |
| UNC3886 | G1048 | Hypervisor CLI (T1059.012), Host Binary Compromise (T1554), Default Accounts (T1078.001) | VIRTUALPITA, CASTLETAP | Active (2025) |
| Ke3chang | G0004 | Email Collection (T1114.002), Golden Ticket (T1558.001), Ingress Tool Transfer (T1105) | Okrum, MirageFox | Active (2024) |
| APT5 | G1023 | PowerShell (T1059.001), Local Account Creation (T1136.001), Log Enumeration (T1654) | PoisonIvy, RAPIDPULSE | Active (2024) |
UNC3886 stands out with confirmed 2025 activity. Their use of Hypervisor CLI (T1059.012) and Compromise Host Software Binary (T1554) means they target virtualization infrastructure directly, a capability most SOCs are not equipped to detect. UNC3886 has among the highest Sigma detection coverage of any tracked actor, with hundreds of rules available.
APT41 (Wicked Panda/Brass Typhoon) continues to be one of the most versatile actors, combining supply chain compromise (T1195.002) with PowerShell execution and rootkit deployment. Its Sigma detection coverage is extensive. A China-linked APT was observed exploiting a Sitecore zero-day in critical infrastructure intrusions in January 2026 (Cisco Talos, 2026), a reminder that this region's threat activity remains persistent.
Volt Typhoon remains a concern for critical infrastructure defenders. Their living-off-the-land approach and focus on network infrastructure make them harder to detect with traditional endpoint tools. Their campaigns against Versa Director and KV Botnet infrastructure underscore the focus on edge devices.
Ransomware Threat Landscape 2026
Ransomware attacks hit 78% of companies over the past year, with projected growth of 40% by end of 2026 based on disclosed incidents (SentinelOne, 2026). In the first two months of 2026, the ransomware groups in our dataset have collectively claimed over 460 victims YTD. Cyble's analysis notes that over 350 new ransomware groups emerged in 2025, mostly based on MedusaLocker, Chaos, and Makop families, with the majority adopting double extortion immediately (Cyble, 2025).
| Group | All-Time Victims | 2026 YTD | Status | Key Targets |
|---|---|---|---|---|
| Qilin | 1,483 | 188 | Active | Manufacturing, Technology, Healthcare |
| Cl0p | 1,251 | 125 | Active | Technology, Transportation, Consumer Services |
| incransom | 671 | 72 | Active | Healthcare, Technology, Business Services |
| Playgroup | 1,179 | 67 | Active | Manufacturing, Business Services, Technology |
| safepay | 436 | 14 | Active | Manufacturing, Technology, Education |
Qilin is the story of 2026 so far. At 188 YTD victims, they are on pace to surpass their 2025 totals well before mid-year. Cl0p remains dangerous with 125 YTD victims, continuing to exploit a mix of legacy and recent CVEs.
Shared Tooling Across Groups
The overlap in ransomware toolkits is striking. PsExec, Cobalt Strike, Mimikatz, and RClone appear across the majority of tracked operations. If your detection engineering team is prioritizing what to build rules for, these four tools cover most ransomware lateral movement, credential access, and data theft activity.
RMM tool abuse is expanding. AnyDesk, Atera, ScreenConnect, and Splashtop are being used across multiple operations for persistent remote access. If your organization uses one of these tools legitimately, you need allowlisting policies that detect unauthorized installations.
CVEs in Ransomware Operations
Multiple groups share the same CVE exploitation targets. The EternalBlue family (CVE-2017-0143 through CVE-2017-0148) and SMBGhost (CVE-2020-0796) remain in active use by Cl0p, Playgroup, incransom, and 8base. CVE-2025-33073 is exploited by four groups simultaneously. If you still have unpatched SMB services exposed, this is an emergency.
Top Cybersecurity Attack Techniques (MITRE ATT&CK)
The techniques below are the most used across the kill chain, ranked by the number of threat entities using them. Full mitigation IDs and detection coverage are in the Detection & Defense Coverage tables below.
Initial Access
Phishing (T1566) dominates initial access, used by the widest set of threat entities of any technique in the dataset. Spearphishing Attachment (T1566.001) and Spearphishing Link (T1566.002) are the primary sub-techniques. Spearphishing Link has very thin Sigma coverage, making it the single biggest detection gap relative to its usage. If your email gateway is not sandboxing attachments and your users have not been phished in a test this quarter, start there.
Valid Accounts (T1078) is the second initial access vector. Credential theft and reuse is a primary entry point. MFA on everything, no exceptions for VPN, RDP, or cloud admin portals.
Execution
PowerShell (T1059.001) remains the execution method of choice for both APT and ransomware operators. It has the deepest detection coverage of any technique. Constrained Language Mode and script block logging are non-negotiable. Remove PowerShell v2 from all endpoints.
Malicious File (T1204.002) and Windows Command Shell (T1059.003) round out execution, both with thin Sigma coverage but strong YARA rules.
Persistence and Privilege Escalation
Valid Accounts (T1078), Registry Run Keys/Startup Folder (T1547.001), and Scheduled Task (T1053.005) are the dominant techniques. Registry Run Keys and Scheduled Task have no D3FEND defensive mappings, making them reliant on Sigma detections and ATT&CK mitigations. Audit all scheduled task creation events and restrict to admin accounts.
Lateral Movement
Remote Desktop Protocol (T1021.001) is the most widely used lateral movement technique. RDP should never be exposed to the internet. Use a jump server with MFA.
Exfiltration
Exfiltration Over C2 Channel (T1041) and Exfiltration Over Alternative Protocol (T1048) are the primary methods. Exfiltration Over Alternative Protocol has very thin YARA coverage, limited to a handful of APT families. Deploy DLP at network egress points and monitor DNS, ICMP, and non-standard ports for data exfil.
Impact
Data Encrypted for Impact (T1486) and Inhibit System Recovery (T1490) are the most widely adopted impact techniques, used by the majority of tracked ransomware groups. Nearly every ransomware group deletes shadow copies before encrypting. Immutable, offline backups remain the single best recovery control. Test your restore process this week.
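Because shadow-copy deletion is the near-universal precursor to encryption, it is worth detecting as a burst rather than as single commands. The following Python is an added example written for this report (not CyberDesserts code): it matches Inhibit System Recovery (T1490) command lines in constructed Sysmon Event ID 1 records and rates a host critical only when several distinct recovery-tampering commands run within a short window, which separates the ransomware pattern from an administrator's one-off vssadmin call.

```python
"""Detect Inhibit System Recovery (T1490) bursts from process-creation logs.

Added example, not code from the report. Input records use Sysmon Event ID 1
field names (Computer, UtcTime, Image, CommandLine) and are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# (compiled regex, label) pairs for recovery-tampering command lines.
RECOVERY_TAMPERING = [
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bdelete\s+shadows", re.I), "vssadmin delete shadows"),
    (re.compile(r"\bvssadmin(?:\.exe)?\b.*\bresize\s+shadowstorage", re.I), "vssadmin resize shadowstorage"),
    (re.compile(r"\bwmic(?:\.exe)?\b.*\bshadowcopy\s+delete", re.I), "wmic shadowcopy delete"),
    (re.compile(r"\bbcdedit(?:\.exe)?\b.*\brecoveryenabled\s+no", re.I), "bcdedit recoveryenabled no"),
    (re.compile(r"\bwbadmin(?:\.exe)?\b.*\bdelete\s+(?:catalog|systemstatebackup)", re.I), "wbadmin delete backups"),
]


def match_event(event):
    """Return the labels of every T1490 pattern the command line matches."""
    cmd = event.get("CommandLine", "")
    return [label for rx, label in RECOVERY_TAMPERING if rx.search(cmd)]


def correlate(events, window=timedelta(minutes=5)):
    """Group matches per host and rate the burst.

    'critical' when two or more distinct tampering commands run on one host
    inside the window (the pre-encryption pattern); 'medium' for a lone hit,
    which an administrator resizing shadow storage may legitimately produce.
    """
    per_host = defaultdict(list)
    for ev in events:
        labels = match_event(ev)
        if labels:
            ts = datetime.fromisoformat(ev["UtcTime"])
            per_host[ev["Computer"]].append((ts, labels, ev.get("CommandLine", "")))

    findings = {}
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        best = 0
        # Sliding window: count distinct labels within `window` of each hit.
        for i, (t0, _, _) in enumerate(hits):
            distinct = set()
            for t, labels, _ in hits[i:]:
                if t - t0 > window:
                    break
                distinct.update(labels)
            best = max(best, len(distinct))
        findings[host] = {
            "severity": "critical" if best >= 2 else "medium",
            "distinct_in_window": best,
            "commands": [c for _, _, c in hits],
        }
    return findings


# Constructed sample events: one pre-encryption burst, one admin one-off, one benign.
SAMPLE_EVENTS = [
    {"Computer": "WS-042", "UtcTime": "2026-02-15 10:00:00",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"Computer": "WS-042", "UtcTime": "2026-02-15 10:00:04",
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic shadowcopy delete"},
    {"Computer": "WS-042", "UtcTime": "2026-02-15 10:00:09",
     "Image": r"C:\Windows\System32\bcdedit.exe",
     "CommandLine": "bcdedit /set {default} recoveryenabled no"},
    {"Computer": "SRV-BACKUP", "UtcTime": "2026-02-15 14:30:00",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin resize shadowstorage /for=C: /on=C: /maxsize=20GB"},
    {"Computer": "WS-007", "UtcTime": "2026-02-15 09:12:00",
     "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe notes.txt"},
]

if __name__ == "__main__":
    for host, finding in correlate(SAMPLE_EVENTS).items():
        print(host, finding["severity"], finding["distinct_in_window"], finding["commands"])
```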
The kill chain playbook is consistent: phish the user, execute via PowerShell, persist with valid accounts or scheduled tasks, move laterally via RDP, exfiltrate over C2, delete backups, encrypt.
CVEs Exploited in the Wild: Vulnerability Intelligence
Eight CVEs are each exploited by four or more ransomware groups simultaneously. The table below maps actively exploited CVEs to the ransomware groups using them. Only CVEs shared across two or more groups are shown; CVEs used by a single group are listed in the Ransomware Landscape section profiles.
| CVE | Notes | Exploited By |
|---|---|---|
| CVE-2025-33073 | | Cl0p, Playgroup, incransom, 8base |
| CVE-2018-7445 | | Cl0p, Playgroup, incransom, 8base |
| CVE-2017-0143 | EternalBlue | Playgroup, incransom |
| CVE-2017-0144 | EternalBlue | Playgroup, incransom |
| CVE-2017-0145 | EternalBlue | Cl0p, Playgroup, incransom, 8base |
| CVE-2017-0146 | EternalBlue | Cl0p, Playgroup, incransom, 8base |
| CVE-2017-0147 | EternalBlue | Cl0p, Playgroup, incransom, 8base |
| CVE-2017-0148 | EternalBlue | Cl0p, Playgroup, incransom, 8base |
| CVE-2019-0703 | | Cl0p, Playgroup, incransom, 8base |
| CVE-2020-0796 | SMBGhost | Cl0p, Playgroup, incransom, 8base |
| CVE-2019-11510 | Pulse Secure | Cl0p, 8base |
| CVE-2021-26085 | | Cl0p, 8base |
| CVE-2025-64328 | | lockbit2, BlackCat, safepay |
| CVE-2025-40551 | | lockbit2, BlackCat, safepay |
| CVE-2026-1281 | | lockbit2, BlackCat, safepay |
| CVE-2025-52691 | | lockbit2, BlackCat, safepay |
| CVE-2021-39935 | | lockbit2, BlackCat, RansomHub |
| CVE-2019-19006 | | lockbit2, BlackCat |
| CVE-2026-24858 | | lockbit2, BlackCat |
| CVE-2018-14634 | | lockbit2, BlackCat |
Source: CyberDesserts threat intelligence, February 2026
Two clusters stand out. Cl0p, Playgroup, incransom, and 8base share an almost identical CVE list dominated by EternalBlue and SMBGhost. This suggests shared tooling, a common initial access broker, or a shared playbook. lockbit2, BlackCat, and safepay share a separate cluster of 2025/2026 CVEs, pointing to a different operational pipeline.
CISA KEV Additions (February 2026)
CISA added seven vulnerabilities to the Known Exploited Vulnerabilities catalog between February 13 and 18, including CVE-2026-2441, CVE-2024-7694, CVE-2020-7796, CVE-2026-1731, and CVE-2026-22 (CISA, 2026). Additionally, CVE-2026-22769, a critical hardcoded-credential vulnerability in Dell RecoverPoint for Virtual Machines, is being exploited in the wild (SOCPrime, 2026). Active exploitation of CVE-2026-0625 targeting legacy D-Link DSL routers has also been confirmed (The Hacker News, 2026).
The persistence of EternalBlue-era CVEs (2017-vintage) in active ransomware campaigns is a clear signal: asset inventory gaps are still letting unpatched legacy systems provide entry points. CIS-1 (Inventory and Control of Enterprise Assets) and CIS-7 (Continuous Vulnerability Management) are the relevant controls.
Threat Detection and Defense Coverage: Sigma, YARA, D3FEND
Detection coverage varies dramatically by technique. PowerShell (T1059.001) has the deepest combined coverage, while several widely used techniques have critical gaps. The tables below consolidate mitigations, detection coverage, and gaps into a single reference.
ATT&CK Mitigations by Technique
| Technique | Tactic | Key Mitigations | Practical Action |
|---|---|---|---|
| Phishing (T1566) | Initial Access | M1031, M1021, M1049, M1017 | Sandbox email attachments, run phishing simulations quarterly |
| Spearphishing Attachment (T1566.001) | Initial Access | M1049, M1031, M1054, M1018 | Block macro-enabled files from external senders |
| Spearphishing Link (T1566.002) | Initial Access | M1021, M1017, M1054, M1047 | Deploy URL rewriting and time-of-click analysis |
| Valid Accounts (T1078) | Initial Access, Persistence, Priv Esc | M1032, M1027, M1026, M1018 | MFA everywhere: VPN, RDP, cloud portals, no exceptions |
| PowerShell (T1059.001) | Execution | M1038, M1045, M1042, M1026 | Constrained Language Mode, script block logging, remove v2 |
| Windows Command Shell (T1059.003) | Execution | M1038 | Application control to restrict cmd.exe to admin accounts |
| Malicious File (T1204.002) | Execution | M1038, M1040, M1017 | Block execution from user-writable paths |
| Scheduled Task (T1053.005) | Persistence, Priv Esc | M1026, M1018, M1047, M1028 | Audit scheduled task creation, restrict to admin accounts |
| Registry Run Keys (T1547.001) | Persistence, Priv Esc | (no specific M-series) | Monitor HKLM/HKCU Run key modifications via Sigma |
| RDP (T1021.001) | Lateral Movement | M1030, M1035, M1042, M1047 | Never expose RDP to internet, use jump servers with MFA |
| Data Encrypted for Impact (T1486) | Impact | M1040, M1053 | Immutable, offline backups with tested restore process |
| Inhibit System Recovery (T1490) | Impact | M1053, M1038, M1028, M1018 | Protect VSS/shadow copies, restrict vssadmin access |
| Exfiltration Over C2 (T1041) | Exfiltration | M1031, M1057 | DLP at egress, alert on large outbound transfers over C2 |
| Exfiltration Over Alt Protocol (T1048) | Exfiltration | M1030, M1057, M1037, M1031 | Monitor DNS, ICMP, and non-standard ports for data exfil |
| Application Layer Protocol (T1071) | C2 | M1031, M1037 | TLS inspection, block uncategorized domains at proxy |
| Ingress Tool Transfer (T1105) | C2 | M1031, M1037 | Block downloads of known offensive tools by hash/name |
| Masquerading: Match Name/Location (T1036.005) | Defense Evasion | M1022, M1038, M1045 | Code signing enforcement, executable allowlisting |
| Tool Acquisition (T1588.002) | Resource Development | M1056 | Pre-compromise: monitor for attacker infrastructure setup |
Detection Coverage: Sigma and YARA
| Technique | Tactic | Sigma Coverage | YARA Coverage |
|---|---|---|---|
| PowerShell (T1059.001) | Execution | Deep: hundreds of rules, mostly high severity | Strong: targets Cobalt Strike, APT28, APT41, APT32 |
| Application Layer Protocol (T1071) | C2 | Deep: hundreds of rules across network/cloud | Strong: covers APT27, APT28, APT34, APT37 |
| Inhibit System Recovery (T1490) | Impact | Deep: hundreds of rules including critical severity | Moderate: BadRabbit, Ryuk, Locky families |
| Data Encrypted for Impact (T1486) | Impact | Deep: hundreds of rules across multiple platforms | Moderate: targets GoldenEye, Hermes, DearCry |
| Exfiltration Over C2 (T1041) | Exfiltration | Moderate: dozens of rules | Moderate: Emotet, GoldenSpy families |
| Exfiltration Over Alt Protocol (T1048) | Exfiltration | Moderate: dozens of rules | Thin: APT34, Hidden Cobra, OilRig only |
| RDP (T1021.001) | Lateral Movement | Moderate: dozens of rules, mostly high severity | Moderate: APT10, APT41, Dragonfly, FIN7 |
| Valid Accounts (T1078) | Multiple | Moderate: dozens of rules across cloud/network | Moderate: APT10, APT28, APT41, Dragonfly |
| Phishing (T1566) | Initial Access | Moderate: dozens of rules, mostly high severity | Moderate: Cobalt Strike, APT29, APT34 |
| Ingress Tool Transfer (T1105) | C2 | Moderate: dozens of rules | Strong: targets wide range of APT families |
| Registry Run Keys (T1547.001) | Persistence | Moderate: dozens of rules, Windows only | Strong: APT28, APT32, APT37, APT41 families |
| Scheduled Task (T1053.005) | Persistence | Moderate: dozens of rules, mostly high severity | Moderate: APT32, APT34, APT41 families |
| Web Protocols (T1071.001) | C2 | Moderate: dozens of rules | Strong: APT15, APT28, APT32, APT37 |
| Spearphishing Attachment (T1566.001) | Initial Access | Thin: fewer than 20 rules | Strong: covers APT10, APT28, APT37, APT41 |
| Masquerading: Match Name (T1036.005) | Defense Evasion | Thin: fewer than 15 rules | Strong: APT10, APT28, APT41 families |
| Malicious File (T1204.002) | Execution | Thin: fewer than 30 rules | Strong: covers APT10, APT28, APT37 |
| Windows Command Shell (T1059.003) | Execution | Thin: fewer than 30 rules | Strong: APT10, APT28, APT41 families |
| Tool Acquisition (T1588.002) | Resource Dev | Very thin: fewer than 10 rules | Strong: wide APT family coverage |
| Spearphishing Link (T1566.002) | Initial Access | Very thin: 3 rules [CRITICAL GAP] | Moderate: APT32, FIN7, Emotet |
Detection Coverage: D3FEND, CIS Controls, and Gaps
| Technique | D3FEND Defenses | CIS Controls | Gap Flag |
|---|---|---|---|
| PowerShell (T1059.001) | 15 defenses | CIS-10 | |
| Application Layer Protocol (T1071) | 29 defenses | CIS-13 | |
| Inhibit System Recovery (T1490) | None | CIS-11 | No D3FEND |
| Data Encrypted for Impact (T1486) | None | CIS-11 | No D3FEND |
| Exfiltration Over C2 (T1041) | 21 defenses | CIS-13 | |
| Exfiltration Over Alt Protocol (T1048) | None | CIS-13 | Low YARA, no D3FEND |
| RDP (T1021.001) | None | CIS-6 | No D3FEND |
| Valid Accounts (T1078) | 9 defenses | CIS-4, CIS-5, CIS-6 | |
| Phishing (T1566) | 34 defenses | CIS-9, CIS-14 | |
| Ingress Tool Transfer (T1105) | 11 defenses | CIS-13 | |
| Registry Run Keys (T1547.001) | None | CIS-10 | No D3FEND |
| Scheduled Task (T1053.005) | None | CIS-8 | No D3FEND |
| Web Protocols (T1071.001) | None | CIS-13 | No D3FEND |
| Spearphishing Attachment (T1566.001) | 31 defenses | CIS-9 | Low Sigma |
| Masquerading: Match Name (T1036.005) | None | CIS-10 | Low Sigma, no D3FEND |
| Malicious File (T1204.002) | None | CIS-10 | Low Sigma, no D3FEND |
| Windows Command Shell (T1059.003) | 15 defenses | CIS-10 | Low Sigma |
| Tool Acquisition (T1588.002) | None | | Very low Sigma, no D3FEND |
| Spearphishing Link (T1566.002) | 34 defenses | CIS-9 | CRITICAL: Sigma gap |
Key Takeaways
Biggest detection gap: Spearphishing Link (T1566.002) has only a handful of Sigma rules despite being used by dozens of threat entities. This is the single highest-priority detection engineering investment.
D3FEND blind spots: Seven techniques have no D3FEND defensive mappings, concentrated in Impact (T1486, T1490), Persistence (T1547.001, T1053.005), Lateral Movement (T1021.001), and Defense Evasion (T1036.005). For these, defenders must rely on ATT&CK mitigations and CIS Controls.
Sigma vs. YARA inversion: Several techniques with thin Sigma coverage have strong YARA coverage (Spearphishing Attachment, Masquerading, Malicious File). This means file-based detection compensates for behavioral detection gaps, but only if you are running YARA scans on inbound files and artifacts.
From a D3FEND perspective, the best-covered techniques are the phishing variants: Phishing (T1566) and Spearphishing Link (T1566.002) each have extensive D3FEND defenses, including Dynamic Analysis, Emulated File Analysis, and Client-server Payload Profiling.
CIS Controls Mapping
The threats in this report map to these priority CIS Controls: CIS-9 (Email and Web Browser Protections) for phishing, CIS-11 (Data Recovery) for ransomware impact, CIS-13 (Network Monitoring and Defense) for exfiltration and C2, CIS-5 (Account Management) and CIS-6 (Access Control Management) for valid accounts abuse, CIS-7 (Continuous Vulnerability Management) for the legacy CVEs still in active exploitation.
Emerging Cyber Threats and Trends 2026
Technique Convergence
A clear pattern is emerging: both APT actors and ransomware groups are converging on the same core techniques. PowerShell (T1059.001) is used by over a hundred threat entities spanning nation-state groups (APT28, APT41, Magic Hound, APT5) and ransomware operations alike. Valid Accounts (T1078) spans both categories extensively. This convergence means defensive investments against these techniques provide dual coverage against espionage and financially motivated intrusions.
BYOVD as Standard Practice
Qilin's use of multiple vulnerable drivers (EDRSandBlast, Zemana driver, Toshiba driver) for defense evasion is not unique. RansomHub also uses BYOVD with the BadRentdrv2 and ThreatFire System Monitor drivers. BYOVD is becoming a standard phase in ransomware deployment. If your driver blocklist is not current, your EDR can be rendered useless before encryption begins.
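The driver-load monitoring recommended here and in the Qilin section can be reduced to a small triage routine. The Python below is an added example written for this report (not CyberDesserts code or any vendor's): it assesses constructed Sysmon Event ID 6 (DriverLoad) records against a placeholder hash blocklist, the expected driver directories, and the signature status. The blocklist hashes and driver file names are constructed placeholders, not real values; in production the hashes would come from a maintained source such as Microsoft's vulnerable driver blocklist.

```python
"""Flag kernel driver loads that look like BYOVD activity.

Added example, not code from the report. Input records use Sysmon Event ID 6
field names (ImageLoaded, Hashes, SignatureStatus) and are constructed; the
blocklist hashes and driver names are placeholders, not real values.
"""
import ntpath
from dataclasses import dataclass, field

# Stand-in for a maintained vulnerable driver blocklist, keyed by SHA-256.
# These digests are constructed placeholders.
BLOCKED_SHA256 = {
    "a" * 64: "placeholder: vulnerable anti-rootkit driver",
    "b" * 64: "placeholder: vulnerable OEM power-management driver",
}

# Directories Windows normally loads drivers from (compared lowercase).
EXPECTED_DRIVER_DIRS = (
    r"c:\windows\system32\drivers",
    r"c:\windows\system32\driverstore",
)


@dataclass
class Finding:
    image: str
    severity: str                        # "critical" or "medium"
    reasons: list = field(default_factory=list)


def parse_hashes(hashes_field):
    """Parse Sysmon's 'SHA256=...,MD5=...' field into a dict keyed by algorithm."""
    parsed = {}
    for part in hashes_field.split(","):
        if "=" in part:
            algo, digest = part.split("=", 1)
            parsed[algo.strip().upper()] = digest.strip().lower()
    return parsed


def assess_driver_load(event):
    """Return a Finding for a suspicious DriverLoad event, else None.

    A blocklisted hash is critical on its own: BYOVD drivers carry a valid
    vendor signature, so a 'Valid' signature status never clears them.
    """
    image = event.get("ImageLoaded", "")
    sha256 = parse_hashes(event.get("Hashes", "")).get("SHA256")
    reasons = []
    if sha256 in BLOCKED_SHA256:
        reasons.append("hash on blocklist: " + BLOCKED_SHA256[sha256])
    directory = ntpath.dirname(image).lower()
    if not directory.startswith(EXPECTED_DRIVER_DIRS):
        reasons.append("loaded from unusual path: " + directory)
    if event.get("SignatureStatus", "").lower() != "valid":
        reasons.append("signature status: " + event.get("SignatureStatus", "missing"))
    if not reasons:
        return None
    severity = "critical" if sha256 in BLOCKED_SHA256 else "medium"
    return Finding(image, severity, reasons)


def scan(events):
    """Run assess_driver_load over a list of events, keeping only findings."""
    return [f for f in map(assess_driver_load, events) if f is not None]


# Constructed sample events: a normal OS driver, a blocklisted but validly
# signed driver dropped in a user-writable path, and an unknown unsigned driver.
SAMPLE_EVENTS = [
    {"ImageLoaded": r"C:\Windows\System32\drivers\tcpip.sys",
     "Hashes": "SHA256=" + "c" * 64, "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\Users\Public\placeholder_antirootkit.sys",
     "Hashes": "SHA256=" + "a" * 64 + ",MD5=" + "d" * 32, "SignatureStatus": "Valid"},
    {"ImageLoaded": r"C:\ProgramData\tmp\placeholder_update.sys",
     "Hashes": "SHA256=" + "e" * 64, "SignatureStatus": "Unavailable"},
]

if __name__ == "__main__":
    for f in scan(SAMPLE_EVENTS):
        print(f.severity.upper(), f.image, "; ".join(f.reasons))
```

The second sample event is the case that matters: a valid signature plus a blocklisted hash is exactly the BYOVD profile, so the signature check must not short-circuit the hash check.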
Supply Chain Escalation
Group-IB's High-Tech Crime Trends Report 2026 identifies supply chain attacks as the top global cyber threat, with 2025 marking a "pivotal escalation" in open-source weaponization, malicious browser extensions, and OAuth abuse (Group-IB, 2026). Cybercriminals are linking breaches, credential theft, and ransomware into an industrial-scale, self-reinforcing ecosystem (The Register, 2026).
In our data, over 30 actors use supply chain techniques (T1195, T1195.001, T1195.002, T1199). APT41's use of Compromise Software Supply Chain (T1195.002) confirms nation-state actors continue to pursue this vector. Sigma coverage for supply chain techniques is very thin. CIS-15 (Service Provider Management) and CIS-2 (Inventory and Control of Software Assets) are the relevant controls. Implement SBOM tracking and vendor risk assessments now.
Cloud and Identity Threats
Dozens of actors now use cloud-targeting techniques (T1530, T1537, T1580, T1078.004, T1098.001, T1611, T1610), spanning misconfiguration exploitation, identity compromise, and container escape. Ninety-four percent of enterprises now use cloud services, yet cloud misconfigurations remain a leading cause of data breaches (CyberDesserts, 2026). Detection coverage is thin across this entire cluster, with very few Sigma and YARA rules available. Cloud security skills are in high demand. See our Career Intelligence Report for the certifications and roles growing fastest in this area.
AI/ML Attack Surface
AI-driven attacks now account for 16% of all breaches (IBM, 2025). Techniques associated with adversarial ML, model poisoning, and prompt injection map to over a hundred actors using related vectors (T1027, T1036, T1190, T1195, T1565). Detection coverage is relatively strong because these techniques overlap with traditional evasion methods. For a detailed breakdown, see our AI Security Threats guide.
RMM Tool Abuse Expanding
The use of legitimate remote management tools for persistent access is accelerating. AnyDesk, Atera, ScreenConnect, Splashtop, and TeamViewer all appear across multiple ransomware operations. Group-IB reports that infostealers feeding credentials to ransomware operators is now a mature pipeline (Group-IB, 2026). Defenders need allowlisting and anomaly detection for RMM tools, not just malware signatures. For more on how infostealers feed this pipeline, see Infostealers in 2026: How They Work and How to Stop Them.
Cybersecurity Recommendations: What to Patch, Detect, and Block
Priority 1: This Week
- Patch EternalBlue and SMBGhost: If any system in your environment is still vulnerable to CVE-2017-0143 through CVE-2017-0148 or CVE-2020-0796, patch it today. Four active ransomware groups are still exploiting these vulnerabilities even though they are several years old.
- Verify backup integrity: Test your restore process. Inhibit System Recovery (T1490) is used by the majority of ransomware groups. Immutable, offline backups are your last line of defense.
- Block known BYOVD drivers: Update your Windows driver blocklist. Qilin and RansomHub both use vulnerable drivers to kill EDR agents.
- Review CISA KEV additions: Seven new CVEs were added to the catalog in February. Validate patch status against your asset inventory. Add CVE-2026-22769 (Dell RecoverPoint) and CVE-2026-0625 (D-Link DSL routers) to your patch queue.
Priority 2: This Month
- Deploy PowerShell Constrained Language Mode: PowerShell (T1059.001) is the top execution technique across both APT and ransomware operations. Enable script block logging, remove PowerShell v2, and enforce constrained language mode on all endpoints.
- Audit RMM tool installations: Inventory all remote management tools. Flag unauthorized AnyDesk, Atera, ScreenConnect, and Splashtop installs. Restrict installation to approved accounts.
- Implement MFA on all remote access: Valid Accounts (T1078) is the top persistence and privilege escalation technique. MFA on VPN, RDP gateways, and cloud admin portals. Watch for Evilginx-style session theft that bypasses MFA.
- Build detection for exfiltration tools: RClone, WinSCP, and MEGA are the primary exfil tools across multiple ransomware operations. Alert on their execution or network signatures.
- Close Sigma detection gaps: Spearphishing Link (T1566.002) and Tool acquisition (T1588.002) have very thin Sigma coverage. Invest detection engineering time in these under-covered techniques.
Priority 3: This Quarter
- Implement network segmentation (M1030): Limit lateral movement paths, especially for RDP (T1021.001). Network controls and authentication monitoring are your primary defense against lateral movement.
- Deploy DLP for exfiltration detection (M1057): Both Exfiltration Over C2 Channel (T1041) and Exfiltration Over Alternative Protocol (T1048) are in the top 10 techniques. DLP at network egress points, combined with CIS-13 (Network Monitoring and Defense), catches data theft before encryption.
- Expand cloud detection coverage: Sigma coverage for cloud-targeting techniques is thin relative to the dozens of actors using them. Invest in cloud-native detection for your CSP.
- Strengthen supply chain controls: Very thin detection coverage despite 30+ actors using these techniques. Implement CIS-15 (Service Provider Management) and SBOM tracking. Group-IB's 2026 findings confirm supply chain compromise is now industrial-scale, not theoretical.
The rise of detection engineering as a discipline is creating new career paths. See our Career Intelligence Report for the skills and certifications in demand.
Summary
The first two months of 2026 show ransomware operations accelerating, led by Qilin's 188 YTD victims and a collective 460+ victims across tracked groups. Supply chain attacks have escalated to industrial scale, and BYOVD is now a standard ransomware tactic. The convergence of APT and ransomware tooling on shared techniques like PowerShell, Valid Accounts, and Cobalt Strike means solid fundamentals (patching, MFA, PowerShell hardening, backup testing) defend against the widest range of threats. Detection gaps in spearphishing links, supply chain techniques, and cloud-targeting methods demand investment this quarter.
For deeper analysis on any actor, technique, or CVE discussed in this report, use the CyberDesserts Learning Assistant. For more on threat actor tools, AI security threats, and infostealers, visit the CyberDesserts Blog.
Frequently Asked Questions
What is the biggest ransomware threat in 2026?
Qilin is the most active ransomware operation in early 2026 with 188 victims in the first two months alone and 1,483 all-time. They target manufacturing, technology, and healthcare sectors and use BYOVD techniques to disable endpoint protection before encrypting.
Which CVEs should I patch first?
The EternalBlue family (CVE-2017-0143 through CVE-2017-0148) and SMBGhost (CVE-2020-0796) are the highest priority because four active ransomware groups exploit them simultaneously. Also add CVE-2026-22769 (Dell RecoverPoint) and CVE-2026-0625 (D-Link DSL routers) to your queue.
What is the biggest detection gap in 2026?
Spearphishing Link (T1566.002) has the most critical detection gap, with only a handful of Sigma rules despite being used by dozens of threat actors. Seven ATT&CK techniques also have no D3FEND defensive mappings, concentrated in Impact, Persistence, and Lateral Movement phases.
What tools do ransomware groups use most?
PsExec, Cobalt Strike, Mimikatz, and RClone appear across the majority of tracked ransomware operations. Legitimate remote management tools (AnyDesk, Atera, ScreenConnect, Splashtop) are increasingly abused for persistent access.
What is BYOVD and why does it matter?
Bring Your Own Vulnerable Driver (BYOVD) is a technique where attackers load a legitimate but vulnerable kernel driver to disable endpoint protection. Qilin and RansomHub both use BYOVD, making it a standard phase in ransomware deployment. If your driver blocklist is not current, your EDR can be killed before encryption begins.
References and Sources
- MITRE. (2025). ATT&CK Framework. Technique and group definitions used throughout. https://attack.mitre.org/
- MITRE. (2025). D3FEND Framework. Defensive technique mappings. https://d3fend.mitre.org/
- CISA. (2026). Known Exploited Vulnerabilities Catalog. Seven CVEs added February 13 to 18, 2026. https://www.cisa.gov/known-exploited-vulnerabilities-catalog
- CIS. (2025). CIS Controls v8. Security control mappings for prioritized defense. https://www.cisecurity.org/controls
- Sigma HQ. (2025). Sigma Detection Rules. Community detection rules referenced for coverage analysis. https://github.com/SigmaHQ/sigma
- NCSC. (2026). CTO Weekly Threat Reports. Weekly highlights for weeks ending February 8 and 15, 2026. https://www.ncsc.gov.uk/section/keep-up-to-date/threat-reports
- Verizon. (2025). Data Breach Investigations Report. Industry breach patterns and campaign timelines. https://www.verizon.com/business/resources/reports/dbir/
- NIST. (2024). Cybersecurity Framework 2.0. Implementation examples referenced. https://www.nist.gov/cyberframework
- World Economic Forum. (2026). Global Cybersecurity Outlook 2026. AI adoption, geopolitical fragmentation, and widening cyber inequity reshaping risk. https://www.weforum.org/publications/global-cybersecurity-outlook-2026/
- Group-IB. (2026). High-Tech Crime Trends Report 2026. Supply chain attacks identified as top global cyber threat. https://www.group-ib.com/media-center/press-releases/htct-2026-supply-chain/
- Cyble. (2025). 10 New Ransomware Groups of 2025 & Threat Trends for 2026. Over 350 new groups emerged in 2025. https://cyble.com/knowledge-hub/10-new-ransomware-groups-of-2025-threat-trend-2026/
- SOCPrime. (2026). CVE-2026-22769: Critical Dell RecoverPoint Zero-Day. Hardcoded credential vulnerability exploited in the wild. https://socprime.com/blog/cve-2026-22769-vulnerability/
- The Hacker News. (2026). Ongoing Attacks Exploiting Critical RCE Vulnerability in Legacy D-Link DSL Routers. CVE-2026-0625 under active exploitation. https://thehackernews.com/2026/01/active-exploitation-hits-legacy-d-link.html
- The Register. (2026). Supply chain breaches fuel cybercrime cycle. Supply chain attacks described as industrial-scale, self-reinforcing ecosystem. https://www.theregister.com/2026/02/12/supply_chain_attacks
- CrowdStrike. (2025). 2025 Global Threat Report. Threat trends and adversary intelligence. https://www.crowdstrike.com/en-us/global-threat-report/
- SentinelOne. (2026). Cloud Security Statistics 2026. 78% of companies hit by ransomware, 40% growth projected. https://www.sentinelone.com/cybersecurity-101/cloud-security/cloud-security-statistics/
- Cisco Talos. (2026). China-Linked APT Exploited Sitecore Zero-Day. UAT-8837 targeting critical infrastructure in North America. https://thehackernews.com/2026/01/china-linked-apt-exploits-sitecore-zero.html
About This Report
Period covered: January to February 2026. Methodology: This report is generated from CyberDesserts' threat intelligence, which aggregates data from a knowledge graph of threat actors, ransomware groups, ATT&CK techniques, detection rule analysis, government advisories, and industry report findings. Actor and victim data reflects intelligence available as of mid-February 2026.