Silent Push 2026 Predictions


The Silent Push Threat Intelligence team discussed what we see as some of the greatest threats and motivators the global community will encounter in the New Year. Here are our 2026 predictions:

Proactive Threat Hunting will be increasingly seen as table stakes in 2026, with companies and organizations that fail to adopt it falling behind in their defenses and ability to keep pace with sophisticated threats.

  • Proactive Threat Hunting is the concept of identifying malicious infrastructure before it’s used in an attack. At Silent Push, this is the foundation of our threat hunting methodologies. It underpins our data collection strategies and the insights we append to that data, such as our IP/ASN density, diversity metrics, and change analytics, which form the basis of the technical fingerprints we use to create and track specific deployment strategies and malicious content used by threat actors.
  • Our team searches for consistent decisions made by threat actors that create a fingerprint, enabling us to find their new infrastructure in real-time as it’s spun up and exposed to the internet. Sometimes, this involves specific infrastructure deployment tactics, or it could be fragments of code they regularly use, or perhaps even just a particular CSS file or image they reuse. Looking for these patterns and consistency decisions is a core aspect of proactive threat hunting.
  • Attack methodologies will always continue to change, but this can be countered through equally changing and evolving detection methods. We can hunt for threats that have never been seen by building datapoints and detections that have equally never been seen. This requires some creativity and research, but it’s surprising how much can be discovered by building capabilities in advance and exploring areas where no one else is searching.
  • We have built specific tools and made it extremely accessible for defenders to track Fast Flux networks (which are networks of domains that rapidly rotate through a series of IP addresses, typically hosted on a variety of ASNs located around the world). When security teams lack the tools to effectively threat hunt complex technical architectures, the threat actors win. This is why we continually study threat actors to find ways to track even the most complex campaigns.
  • Silent Push utilizes advanced machine learning models, continuously tested and refined by our team of world-class researchers and data scientists, to analyze change patterns across the internet and identify specific fingerprints of emerging malicious infrastructure during its spin-up phase, allowing us to catch it before it’s weaponized. We also have a variety of in-house experiments utilizing ML & AI to drive deterministic outcomes. We have found that targeted and relentlessly end-user-tested use cases for AI work far better than broad guesswork or “hoping for magic” to emerge when it comes to relying on these new tools for defense.
  • Threat actors love AI website builders because they make it child’s play to create realistic-looking websites emulating their targets, at scale, in no time at all. We’re finding massive amounts of these sites being used to age domains before their use in malvertising attacks and other malicious campaigns. At this point, if you aren’t tracking AI website builders and the websites created from them, you’re missing out on origination points of entire waves of attacks, as many threat actors wait and send the next “salvo” once the first is done or has been blocked by defenders.
  • Beyond those website builders, it’s still rare to see threat actors with deep or sophisticated AI integration within their attack chains. Even so, AI is still being used for initial access tooling, code generation, and scripting support—we can easily spot its inclusion at this point. Our team believes that 2026 will see threat actors increase their experimentation within this arena, alongside the use of open-source Large Language Models (LLMs) from platforms such as HuggingFace, as well as disguised connections back to cloud-connected LLMs from major players in the space, including OpenAI and Google.
  • Voice cloning and video interview fakes will also continue to be an ever more present problem in the coming years as companies deal with increasing adoption of these techniques by North Korean APT groups and other financially motivated threat actors.
  • Ultimately, there is no replacing the human element within the threat hunting process, so we don’t believe it will ever be fully automated. However, there is no denying that it will increasingly be used to augment defenders’ capabilities and empower human experts to have even greater impacts at even larger scales. It is essential to bear in mind that attackers are constantly evolving their techniques and adapting their tactics to new technologies; therefore, defenders must adopt the same mindset to not only keep pace but also stay ahead.
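The Fast Flux tracking described above rests on measuring how a domain's answers change over time: how many IPs, how many ASNs, how fast the answers rotate, and at what TTL. The following is an added example, not Silent Push's code or data, of that idea in miniature: a hypothetical scorer that takes passive-DNS style observations and applies simplified diversity and change metrics. The `Resolution` records, the thresholds, the ASNs and the IPs are all constructed for illustration, and a real system would tune the thresholds against known hosters and CDNs.

```python
"""Fast-flux candidate scoring over passive-DNS style records.

Added example, not Silent Push's code or data.  The metrics (distinct IPs,
distinct ASNs, /24 prefix diversity, answer-change rate, minimum TTL) are a
simplified, hypothetical stand-in for IP/ASN density, diversity and change
analytics; thresholds and sample records are constructed for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Resolution:
    """One passive-DNS observation: domain answered with ip, announced by asn."""
    domain: str
    ip: str
    asn: int
    ttl: int       # seconds
    seen_at: int   # Unix timestamp of the observation


# Constructed observations (documentation IP ranges, private-use ASNs):
#  - flux.example rotates through six IPs in five ASNs within an hour at TTL 60.
#  - static.example sits on one IP in one ASN for two days at TTL 86400.
SAMPLE_RESOLUTIONS: List[Resolution] = [
    Resolution("flux.example", "203.0.113.10", 64501, 60, 1_700_000_000),
    Resolution("flux.example", "198.51.100.77", 64502, 60, 1_700_000_600),
    Resolution("flux.example", "192.0.2.45", 64503, 120, 1_700_001_200),
    Resolution("flux.example", "203.0.113.200", 64504, 60, 1_700_001_800),
    Resolution("flux.example", "198.51.100.9", 64505, 60, 1_700_002_400),
    Resolution("flux.example", "192.0.2.130", 64502, 60, 1_700_003_000),
    Resolution("static.example", "192.0.2.8", 64500, 86400, 1_700_000_000),
    Resolution("static.example", "192.0.2.8", 64500, 86400, 1_700_086_400),
    Resolution("static.example", "192.0.2.8", 64500, 86400, 1_700_172_800),
]

# Hypothetical thresholds; a production system would tune these per TLD/hoster.
MIN_ASNS = 3
MIN_PREFIXES = 3
MAX_TTL = 300            # seconds
MIN_CHANGES_PER_HOUR = 1.0


def flux_metrics(records: Iterable[Resolution]) -> Dict[str, float]:
    """Diversity and change metrics for one domain's resolution history."""
    ordered = sorted(records, key=lambda r: r.seen_at)
    if not ordered:
        raise ValueError("no records")
    # Several IPs inside one /24 usually mean one hoster, not flux, so
    # prefix diversity is tracked separately from the raw IP count.
    prefixes = {str(ip_network(f"{r.ip}/24", strict=False)) for r in ordered}
    # An answer change is any observation whose IP differs from the previous one.
    changes = sum(1 for prev, cur in zip(ordered, ordered[1:]) if prev.ip != cur.ip)
    window_hours = (ordered[-1].seen_at - ordered[0].seen_at) / 3600
    changes_per_hour = changes / window_hours if window_hours > 0 else 0.0
    return {
        "distinct_ips": len({r.ip for r in ordered}),
        "distinct_asns": len({r.asn for r in ordered}),
        "distinct_prefixes": len(prefixes),
        "changes": changes,
        "changes_per_hour": changes_per_hour,
        "min_ttl": min(r.ttl for r in ordered),
    }


def is_fast_flux(metrics: Dict[str, float]) -> bool:
    """All four signals must agree; this helps keep large hosters and CDNs
    (many IPs but few ASNs, or long TTLs) from tripping the rule."""
    return (
        metrics["distinct_asns"] >= MIN_ASNS
        and metrics["distinct_prefixes"] >= MIN_PREFIXES
        and metrics["min_ttl"] <= MAX_TTL
        and metrics["changes_per_hour"] >= MIN_CHANGES_PER_HOUR
    )


def classify_domains(records: Iterable[Resolution]) -> Dict[str, bool]:
    """Map each domain in the record set to a fast-flux verdict."""
    by_domain: Dict[str, List[Resolution]] = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    return {d: is_fast_flux(flux_metrics(rs)) for d, rs in by_domain.items()}


if __name__ == "__main__":
    for domain, verdict in classify_domains(SAMPLE_RESOLUTIONS).items():
        history = [r for r in SAMPLE_RESOLUTIONS if r.domain == domain]
        print(domain, "fast-flux candidate" if verdict else "stable", flux_metrics(history))
```

The point of requiring all four signals together is the false-positive trade-off: a content delivery network can show many IPs and short TTLs, and a multi-homed enterprise can show several ASNs, but the combination of many ASNs, many unrelated /24s, short TTLs and answers changing several times an hour is the pattern the post calls out, and it is what a hunter would then pivot on to find sibling domains sharing the same rotation pool.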

Residential proxy usage by threat actors will continue to scale, along with hopefully increased attention from law enforcement on this growing criminal sector that impacts regular people, corporate targets, and major ISPs alike.

It has now been several years since the 911 S5 Proxy botnet takedown, which affected 19 million devices. As we expected, threat actors are continuing to scale up similar networks by bundling their illicit residential VPN software with malware, freeware, and other schemes to get them deployed across both home and corporate networks.

  • Unsecured edge devices, routers, and home IoT devices will continue to be a target surface of high interest for threat actors attempting to build botnets, and our team continues to see them used to support corporate attacks, scale residential proxy networks, engage in ad fraud schemes, and more.
  • North Korean threat actors will also continue to heavily utilize proxy and VPN providers to attempt to obscure the origination points of their attacks, with Astrill VPN being one we have called out specifically in the past. Organizations targeted by malicious DPRK campaigns should take note of the available opportunities to identify these campaigns in their earliest stages, provided they have the right access to proper data, contextual information, and intelligence products.

Ransomware will continue to thrive and impact organizations of all sizes.

  • Despite this, we believe law enforcement will continue to see success in taking down members of Scattered Spider and other threat actors associated with The Com. However, it will likely remain difficult to stop Russian ransomware or bring other global threat actors to justice. We are optimistic that 2026 will lead to the identification, indictment, and arrest of those behind ransomware, as these criminals are brought within the long reach of the law. Based on current trends, we can expect to see younger individuals participating in these serious ransomware attacks, driven by the large amounts of money to be made and the current scale of communities involved in the attacks.
  • We hope elected officials around the world will take these threats more seriously, whether by increasing penalties for participating in ransomware operations or allocating larger budgets for law enforcement to effectively combat the harsh impacts these attacks have on companies and the public.

Supply chain attacks and vendor attacks targeting client data for ransom will continue with renewed vigor.

  • Regrettably, 2025 witnessed a significant increase in supply chain attacks, resulting in extremely serious ransomware incidents, further underscoring that targeting support vendors remains a reliable attack strategy for criminal groups. We suspect that open-source code attacks will also continue, with worms like Shai Hulud showing how even simple code can have a substantive impact. Additionally, we expect to see more novel supply chain attacks via browser plugins and extensions, as well as via prompt injection attacks targeting emerging AI-centric browsers.
  • Most supply chain attacks in 2025 focused on acquiring cryptocurrency either directly from targeted users or through corporate ransomware efforts. We expect threat actors to continue being arrested for operational security (OPSEC) mistakes when attempting to launder or cash out their proceeds from these attacks. We also expect to see more threat actors from the larger hacks fall for money laundering honeypots set up by law enforcement, and we encourage those efforts to continue. Crypto laundering tools, such as Tornado Cash and similar efforts, will undoubtedly continue to be used. 2026 will also see more countries pushing back, such as Canada stepping in to enforce its anti-money laundering laws, which included the takedown of the TradeOgre Exchange, resulting in the seizure of $56 million.

Despite all of this, post-attack remediation will still provide opportunities for defenders to pivot toward proactive threat hunting.

  • An adversary who has already left the system still presents a significant risk for organizations, either due to data stolen or vulnerabilities discovered along the way, leaving new opportunities for later access. Remediation operators should consider these possibilities as they pursue their mission and push to find other infrastructure that an attacker may have laid in wait for its next wave of attacks.
  • If a company has the appropriate data retention and collects the right data in the first place, then past activity will remain well within the realm of a successful threat hunting pivot to preemptive defense. In our experience, these artifacts are likely to appear in the outbound network logs, correlated with our malicious infrastructure data, which we often see when onboarding a new customer who is connecting to our data for the first time.
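The pivot described above is retrospective: retained outbound logs are re-read against infrastructure that is known to be malicious now, even if it was not known at the time of the connection. The following is an added example, not Silent Push's code or data, of that correlation step. The log format, the internal hosts, the indicator set and the destination addresses are all constructed; in practice the logs would come from a proxy, firewall or DNS resolver and the indicators from a threat intelligence feed. Domains match themselves and any subdomain, and network indicators match any destination IP inside the block, because attacker infrastructure is rarely a single hostname or a single address.

```python
"""Retrospective correlation of outbound connection logs with known-malicious
infrastructure.

Added example, not Silent Push's code or data.  The log format, the indicator
list and the hosts are constructed; real telemetry would come from proxy,
firewall or DNS logs and the indicators from a threat-intel feed.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Set

# Constructed outbound log lines (ISO-8601 timestamp followed by key=value pairs).
LOG_LINES = """\
2025-11-01T08:00:01Z src=10.0.0.5 dst=203.0.113.10 host=cdn.flux.example bytes=5120
2025-11-01T08:05:44Z src=10.0.0.9 dst=93.184.216.34 host=www.example.org bytes=880
2025-11-02T21:13:09Z src=10.0.0.5 dst=198.51.100.77 host=- bytes=20480
2025-11-03T02:40:00Z src=10.0.0.12 dst=192.0.2.8 host=static.example bytes=300
"""

# Constructed indicator set: one domain (matches itself and its subdomains)
# and one network block (matches any destination IP inside it).
BAD_DOMAINS: Set[str] = {"flux.example"}
BAD_NETWORKS = [ip_network("198.51.100.0/24")]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")


@dataclass(frozen=True)
class Hit:
    when: datetime
    src: str
    dst: str
    host: str
    matched: str   # which indicator fired, e.g. "domain:flux.example"


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a dict; returns None for malformed lines."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        when = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("kv").split() if "=" in kv)
    fields["when"] = when
    return fields


def match_indicator(dst: str, host: str) -> Optional[str]:
    """Return the indicator label that matches this destination, if any."""
    name = host.lower().rstrip(".")
    if host != "-":   # "-" marks a connection with no hostname in the log
        for bad in BAD_DOMAINS:
            if name == bad or name.endswith("." + bad):
                return f"domain:{bad}"
    try:
        addr = ip_address(dst)
    except ValueError:
        return None
    for net in BAD_NETWORKS:
        if addr in net:
            return f"net:{net}"
    return None


def correlate(log_text: str, since: Optional[datetime] = None) -> List[Hit]:
    """Scan retained logs (optionally only events at or after `since`) for
    connections to known-bad infrastructure."""
    hits: List[Hit] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or (since is not None and rec["when"] < since):
            continue
        label = match_indicator(rec.get("dst", ""), rec.get("host", "-"))
        if label:
            hits.append(Hit(rec["when"], rec.get("src", "?"), rec["dst"], rec["host"], label))
    return hits


def affected_sources(hits: List[Hit]) -> Dict[str, datetime]:
    """Earliest contact time per internal source: the starting point for
    deciding which hosts need a closer look during remediation."""
    first: Dict[str, datetime] = {}
    for h in sorted(hits, key=lambda h: h.when):
        first.setdefault(h.src, h.when)
    return first


if __name__ == "__main__":
    found = correlate(LOG_LINES)
    for h in found:
        print(h.when.isoformat(), h.src, "->", h.dst, h.host, h.matched)
    print("hosts to scope:", affected_sources(found))
```

The `since` parameter is where data retention bites: an indicator that only became known a month after the intrusion is useless if the connection logs from that month have already rolled off, which is why the paragraph above stresses collecting and keeping the right data in the first place. The earliest-contact table is the hand-off to remediation, since the first host that reached the attacker's infrastructure is usually where the initial access happened.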

Geopolitical Cybersecurity Predictions

  • Ongoing tension and conflicts worldwide will continue to extend into cyberspace, with serious, government-backed APT groups operating alongside threat actors that are indirectly, and not very subtly, supported with the tacit approval of their national governments.
    • In this vein, 2026 is likely to see more advanced tactics from Russian threat actors and significant collaboration between Russian and Chinese threat groups, which will share tactics and malware and collaborate on sophisticated attacks, including ransomware.
  • North Korea will continue to take advantage of novel attack vectors, increasing the scope of its growing list of targeted industries for remote job fraud and exploiting vulnerable individuals with fake hiring schemes.
    • Next year is likely to have more people in the U.S. and Europe arrested for running laptop farms for North Korean threat actors. Based on the scale of these campaigns and the ease with which they have previously recruited people in need of money to join their schemes, unwitting collaborators are unlikely to ever fully understand the implications of their cooperation until it is too late.
    • We expect to see major corporations continue to evolve their “Know Your Customer” (KYC) processes and hiring checks, increasing the burden of proper due diligence needed to combat these types of threats.
  • Threat actors from The Com (Scattered Spider / SHSL, CryptoChameleon, and PoisonSeed) will continue to be a challenge for organizations, defenders, and individuals alike.
    • Even though we’re two years into members of Scattered Spider being arrested and charged with serious crimes for their corporate ransomware attacks, their 2025 partnership with DragonForce and association with both Lapsus and Shiny Hunters speak to a sprawling ecosystem that is unlikely to wrap up as cleanly as defenders would prefer.
    • Malicious campaigns targeting cryptocurrency by members of The Com, who have been referred to as CryptoChameleon, will continue to be poorly reported by mainstream media and will likely expand under the radar. These campaigns are aligned with an effort known as PoisonSeed, which conducts supply chain attacks against email providers to acquire infrastructure for sophisticated cryptocurrency phishing attacks.
  • Voice phishing and AI video interview fakes will become a growing challenge for individuals and corporations alike.
    • We’ve seen everything from homegrown U.S.-based threat actors to the DPRK using AI tools to disguise their voice and manipulate live video feeds. These tools are becoming easier to use and integrate into popular teleconferencing platforms, even as corresponding defensive detection tools emerge across the industry to help major platforms prevent deepfake scenarios. Attackers are moving more quickly than defenders on this front, even though we are seeing encouraging catch-up from new and veteran entrants to the space.
  • Countries targeted by the China-based APT Salt Typhoon, including the U.S., will face significant modernization costs or tough trade-offs in maintaining legacy SS7 systems.
    • Evidence of China’s eavesdropping on the world through insecure phone systems has now been public for multiple years, while details of the attacks are still slowly dripping out. When the “U.S. Telecommunications Insecurity Report (2022)” is officially released by CISA and the U.S. Government, outlining specific details of these attacks, the public will become more aware of the risks associated with ignoring telecommunication system updates.
    • More politicians will speak about the SS7 systems globally, emphasizing the importance of modernizing these systems to utilize encryption frameworks. However, industries will need financial support to make these changes a reality.
  • China’s regional conflicts are unlikely to reach peaceful ends by 2026.
    • China’s 2027 military plans are expected to be fully underway in 2026, and if so, the increased pressure on Taiwan will continue. Cyber campaigns targeting Taiwan are likely to ramp up, and Chinese espionage efforts to monitor global conversations will continue as they have in years past.
  • Increases in AI website builders used for malvertising and malicious campaigns.
    • Many threat actors who don’t speak English as their primary language love using AI website builders because they can obtain complete custom content without having to create and translate blocks of text. We expect to see an increase in AI websites deployed to age domains prior to sophisticated attacks being launched on those sites, often via malvertising campaigns.
  • Distributed Denial of Service (DDoS) records will continue to be broken as botnets grow in scale before disruption efforts can prevent them.
    • Every few months, the record for traffic generated by a DDoS botnet seems to get broken, and we expect these trends to continue. DDoS attacks are essentially advertising for botnet admins bragging about the number of devices they control, and these can be used for numerous other cash-out schemes.
    • Botnets comprised of compromised routers and IoT devices are used for all types of criminal activity, supporting proxy networks and ad fraud schemes. Some threat actors, such as Raspberry Robin, have historically used compromised residential devices to host their malware C2 domains.
  • Organizations like FUNNULL CDN with ties to the Chinese triads will continue to host malicious infrastructure and scams targeting individuals worldwide.
    • Our team at Silent Push has been tracking FUNNULL CDN for over three years, and in 2025, the Treasury Department sanctioned FUNNULL and its administrator, reporting that “Funnull is linked to the majority of virtual currency investment scam websites reported to the FBI. US-based victims of these scam websites have reported over $200 million in losses, with average losses of over $150,000 per individual.”
    • Unfortunately for law enforcement and those targeted by these schemes, FUNNULL has not slowed down since it was sanctioned. If anything, its scope of operations has increased, and we are now seeing that trend emerge in its campaigns in Europe. We hope to see Europe take action against FUNNULL CDN, leading to an increase in global pressure and collaboration among companies hosting FUNNULL’s infrastructure.
    • Other financial scams from China conducted via Smishing (SMS phishing) attacks will continue to be a global challenge for individuals and defenders. Threat actors continue to scale up SMS farms for bulk smishing campaigns, and these networks will continue to provide opportunities for attacks beyond spam operations.
  • Bulletproof Hosting (BPH) providers will continue to scale up and modernize their methods as defenders remain largely unequipped to deal with their growth without the proper tools in hand.
    • Our team is tracking over 100 ASN ranges operated by hosting companies that we consider to be in this category, including those that purposefully ignore specific types of abuse complaints. BPH providers regularly host content that is illegal in other jurisdictions.
    • We hope to see ASNs that provide peering services to BPH providers see increased scrutiny of these types of partnerships, and, hopefully, law enforcement action will follow.
    • More BPH providers are registering shell companies in hard-to-reach jurisdictions, including the U.S., as this apparently does not create increased risks for their operations and provides some degree of cover for bypassing partner KYC processes.
    • There is a growing industry of hosting companies that ignore U.S. laws, with “DMCA Ignored Offshore Hosting” becoming not just common marketing language, but also lax policies from these providers that offer support for all types of criminal schemes hosted on their platforms.
  • A shift in preemptive mindset and the theory that “offense is the new defense,” with an estimated $1 billion being spent in the U.S. on offensive security programs.
    • In recent years, China has uncovered and publicized attacks it claims were conducted by the NSA and other global intelligence agencies with increased regularity, and it’s likely we’ll hear more about these types of campaigns in 2026.
  • SocGholish and threat actors who compromise legitimate websites to host their malicious payloads will continue their attacks, tricking users with “Your browser is out of date” messages and similarly themed lures. We also expect to see an increase in ClickFix, FileFix, and similar lures that attempt to trick victims into executing malicious code on their devices.
    • Our team has seen a steady stream of compromised WordPress websites being used to host attacks against unsuspecting users. There don’t appear to be strong efforts in the WordPress community to address these challenges, and we expect these problems to continue for years to come. Organizations should bear in mind the need to track both the malware C2s used in these campaigns as well as the websites themselves that are being compromised, to prevent impact on their business.
  • In 2025, the U.S. DOJ successfully seized $15 billion from the Prince Group due to its support of pig-butchering investment scams targeting U.S. victims and global money laundering efforts. Where there’s cash, there’s attention from U.S. law enforcement.
    • We hope and expect to see more actions from the DOJ in the U.S. and other global law enforcement agencies to hold these types of global criminal schemes accountable by seizing their proceeds.

Overall

These trends paint a dark picture of an increasingly complex and murky landscape that organizations and their defenders will be forced to navigate, whether they are ready or not, in the New Year. At Silent Push, we believe that adopting preemptive and proactive methods and mindsets is the best way to secure an organization and keep businesses operating unimpeded in the face of relentless, ever-evolving adversarial infrastructure.


Interested in Updates on Growing Threats?

Follow the Silent Push threat intelligence team on LinkedIn and X/Twitter for our latest research findings.


Learn More About Silent Push Cyber Defense Technology

Sign up for a free Silent Push Community Edition account to gain a powerful introduction to our preemptive threat hunting solution that provides a complete view of emerging threat infrastructure in real-time, exposing malicious intent through our Indicators of Future Attack.

Alternatively, if you’re interested in discussing how to experience the platform and the cybersecurity benefits it can offer, schedule some time to talk with our threat-hunting experts. We can demonstrate how our Indicators of Future Attack™ can provide your team with the visibility to preempt threats, reduce noise, and drive faster, more confident security decisions—all through one unified platform.