Huntress Cyber Threat Report Exposes The Playbook for Organized Cybercrime

Columbia, MD – February 17, 2026 — Cybercrime has become the world’s third-largest economy, with costs projected to reach $12.2 trillion annually by 2031. Today, Huntress exposes the tactics, techniques, and procedures (TTPs) fueling this multi-trillion-dollar illicit market in its 2026 Cyber Threat Report. The in-depth analysis sheds light on the playbook used by organized, profit-driven cybercriminals, uncovering how they weaponize legitimate tools, exploit everyday behaviors, and leverage a vast underground network to exploit people, businesses, and employees across the globe.

To produce this report, Huntress analyzed proprietary telemetry from over four million endpoints and nine million identities across the 230,000+ organizations it protects worldwide. This robust dataset served as the foundation for uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft, and actionable strategies to help organizations prepare for the year ahead. Key findings include:

• Remote monitoring and management (RMM) tools are cybercriminals' new favorite weapon: The abuse of RMM tools surged 277% year-over-year, accounting for 24% of all observed incidents. As cybercriminals built entire playbooks around these legitimate, trusted tools to drop malware, steal credentials, and execute commands, the use of traditional hacking tools plummeted by 53%, while remote access trojans and malicious scripts dropped by 20% and 11.7%, respectively.

• Over half of all malware loader activity came from ClickFix: In 2025, attackers didn’t need to break in when they could just trick users into giving them access. No technique did this more effectively than ClickFix, which fueled 53% of all malware loader activity. By masquerading as routine tasks, like solving a CAPTCHA, ClickFix and its variants tricked users into becoming unwitting accomplices, facilitating the silent installation of infostealers, ransomware, and remote access tools.

• Time-to-ransom (TTR) rose as ransomware groups prioritized stealth, data theft, and extortion: The average TTR increased from 17 to 20 hours as attackers adopted “low and slow” tactics to evade detection and spent more time identifying and exfiltrating high-value data. With more organizations implementing robust backup and recovery solutions, operators have also shifted their focus from immediate encryption to leveraging stolen data for extortion or sale on dark web marketplaces.

• Ransomware has its own big four, and they are dominating the market: Four major players—Akira, Medusa, Qilin, and Ransomhub—collectively accounted for over half (51.3%) of all ransomware incidents seen by Huntress. Driven by intense competition, these groups and their rivals adopted a common playbook that favored proven attack chains over novel exploits, resulting in a steep decline in the variety of TTPs seen across ransomware groups.

• Buying access is cheaper and easier than ever: A thriving ecosystem of initial access brokers and dark web marketplaces has turned stolen credentials into a cheap, high-volume commodity, fueling a surge in shady login attempts from suspicious locations, malicious infrastructure, and unauthorized VPNs. These access policy and trust boundary violations accounted for 37.2% of all identity-based attacks.

• Mailbox manipulation and OAuth abuse set the stage for business email compromise (BEC) attacks: Mailbox manipulation and OAuth abuse, critical precursors to BEC, emerged as top identity threats, accounting for 19% and 10.1% of identity-based attacks, respectively. By using tactics like hiding emails with automated rules or leveraging malicious applications for persistent access, attackers blended into daily operations, conducted covert reconnaissance, and impersonated users, laying the groundwork for high-impact BEC schemes.           

“Cybercriminals have evolved into highly efficient operators, running their campaigns like well-oiled businesses,” said Greg Linares, Principal Threat Intelligence Analyst at Huntress. “They’ve moved away from flashy exploits and are instead doubling down on simple, effective, and scalable attacks that let them target countless organizations with high success rates. By abusing trusted tools, compromising identities, exploiting user behavior, and leveraging stolen credentials, they’ve fine-tuned their operations for minimal effort and maximum impact. This trend is only set to accelerate as AI enables attackers of all skill levels to automate and refine traditional tradecraft. To stay ahead, organizations need a defense strategy that prioritizes identity protection, monitors the abuse of trusted processes, and empowers every employee to recognize and disrupt attacker tradecraft.”

To learn more, get your copy of the Huntress 2026 Cyber Threat Report or read the TL;DR for the highlights.

Additional resources:

• See who’s behind modern cybercrime, how they operate, and what you can do to protect yourself here.

• Join Tradecraft Tuesday on March 10, 2026, to hear from our experts as they break down key findings from this year’s report.

• Tune into _delcassified on March 18, 2026, where John Hammond and special guest Jim Browning will expose the business of modern cybercrime.

• Read the Huntress blog to stay updated on the latest tradecraft and tips to protect your business.