Threat Landscape

Apr 11 — Jun 27 (weekly, 26-week baseline) · Last updated: 2026-07-04 08:00 UTC
Detailed Analysis
Prepositioning
⇋ SHIFTING
0 this week
▼ Falling (-37.1%/w) Shift: -100.0%
Mean: 8.4/w Z-score: -0.72 Recent 3w avg: 0.0/w Prior 3w avg: 3.3/w Total: 160
Initial access brokering
⇋ SHIFTING
0 this week
▼ Falling (-24.3%/w) Shift: -100.0%
Mean: 10.3/w Z-score: -1.03 Recent 3w avg: 0.0/w Prior 3w avg: 3.3/w Total: 147
Espionage
⇋ SHIFTING
0 this week
▼ Falling (-28.5%/w) Shift: -100.0%
Mean: 5.6/w Z-score: -0.68 Recent 3w avg: 0.0/w Prior 3w avg: 2.3/w Total: 97
Account takeover (ATO)
⇋ SHIFTING
0 this week
▼ Falling (-39.7%/w) Shift: -100.0%
Mean: 1.3/w Z-score: -0.68 Recent 3w avg: 0.0/w Prior 3w avg: 1.0/w Total: 29
Crypto theft
⇋ SHIFTING
0 this week
▼ Falling (-36.4%/w) Shift: -100.0%
Mean: 1.5/w Z-score: -0.64 Recent 3w avg: 0.0/w Prior 3w avg: 1.3/w Total: 28
BEC / Wire fraud
⇋ SHIFTING
0 this week
▼ Falling (-26.7%/w) Shift: -100.0%
Mean: 2.0/w Z-score: -1.04 Recent 3w avg: 0.0/w Prior 3w avg: 0.7/w Total: 25
Data exposure
⇋ SHIFTING
0 this week
▼ Falling (-17.8%/w) Shift: -100.0%
Mean: 1.0/w Z-score: -0.57 Recent 3w avg: 0.0/w Prior 3w avg: 1.3/w Total: 19
Wiper / Sabotage
⇋ SHIFTING
0 this week
▼ Falling (-11.9%/w) Shift: -100.0%
Mean: 1.9/w Z-score: -0.85 Recent 3w avg: 0.0/w Prior 3w avg: 0.3/w Total: 12
Influence operations
⇋ SHIFTING
0 this week
▼ Falling (-30.1%/w) Shift: -100.0%
Mean: 0.6/w Z-score: -0.61 Recent 3w avg: 0.0/w Prior 3w avg: 0.7/w Total: 11
Credential theft
▼ LOW
0 this week
▼ Falling (-15.1%/w) Shift: -100.0%
Mean: 15.3/w Z-score: -1.59 Recent 3w avg: 0.0/w Prior 3w avg: 2.7/w Total: 135
Ransomware
▼ LOW
0 this week
▼ Falling (-16.9%/w) Shift: -100.0%
Mean: 4.5/w Z-score: -1.56 Recent 3w avg: 0.0/w Prior 3w avg: 2.0/w Total: 47

Low Volume

< 10 articles — limited statistical significance
Payment card theft
⇋ SHIFTING
8 total (12w)
Cryptojacking
⇋ SHIFTING
5 total (12w)
Ad fraud
● NORMAL
8 total (12w)
DDoS
● NORMAL
4 total (12w)
Sextortion
● NORMAL
4 total (12w)
Archetype                 Status     This Week  Mean   Z-Score  Total (12w)  Trend      Shift
Prepositioning            shifting   0          8.4    -0.72    160          -37.1%/w   -100.0%
Initial access brokering  shifting   0          10.3   -1.03    147          -24.3%/w   -100.0%
Espionage                 shifting   0          5.6    -0.68    97           -28.5%/w   -100.0%
Account takeover (ATO)    shifting   0          1.3    -0.68    29           -39.7%/w   -100.0%
Crypto theft              shifting   0          1.5    -0.64    28           -36.4%/w   -100.0%
BEC / Wire fraud          shifting   0          2.0    -1.04    25           -26.7%/w   -100.0%
Data exposure             shifting   0          1.0    -0.57    19           -17.8%/w   -100.0%
Wiper / Sabotage          shifting   0          1.9    -0.85    12           -11.9%/w   -100.0%
Influence operations      shifting   0          0.6    -0.61    11           -30.1%/w   -100.0%
Payment card theft        shifting   0          0.5    -0.58    8            -19.7%/w   -100.0%
Cryptojacking             shifting   0          1.0    -0.94    5            -7.6%/w    -100.0%
Credential theft          declining  0          15.3   -1.59    135          -15.1%/w   -100.0%
Ransomware                declining  0          4.5    -1.56    47           -16.9%/w   -100.0%
Ad fraud                  normal     0          1.2    -0.96    8            -8.5%/w
DDoS                      normal     0          1.0    -0.91    4            -6.5%/w
Sextortion                normal     0          0.2    -0.46    4            -18.2%/w
Actor Articles Associated Archetypes
TeamPCP
crime-syndicate
aka Mini Shai-Hulud, Team PCP, Mini Shai-Hulud campaign, Mini Shai-Hulud threat actor, TGR-CRI-1135, TeamPCP (behind the Trivy breach and subsequent operations), TeamPCP (cyber criminal operation), TeamPCP (ex-HellCat affiliate)
Engages in software supply chain compromise attacks, injecting malicious code into software to exfiltrate sensitive secrets (e.g., cloud access tokens, SSH keys). Partners with RaaS and EaaS operators (e.g., LAPSUS$ Group, Vect ransomware) to monetize intrusions.
64 Credential theft (27) Initial access brokering (21) Prepositioning (6)
Lazarus Group
nation-state
aka Lazarus, Contagious Interview, Famous Chollima, PolinRider, Void Dokkaebi, Blender.io, DPRK/Lazarus, HexagonalRodent
Targeted developers and the cryptocurrency ecosystem with social engineering schemes, including Operation DreamJob against European drone manufacturers and Operation DangerousPassword compromising the JavaScript library axios.
25 Espionage (10) Crypto theft (9) Prepositioning (3)
fraudsters
criminal
aka criminals, cyber criminals, Organized scam call centers, scammers, bad actors, organized crime groups
Individuals or small groups engaging in opportunistic fraud such as bonus abuse, chargeback disputes, and multi-accounting. Uses automation, shared data, and behavioral simulation to evade detection and blend into legitimate user activity.
14 BEC / Wire fraud (5) Ransomware (4) Ad fraud (1)
Kimsuky
nation-state
aka BlueNoroff, Sapphire Sleet, UNC1069, Stardust Chollima
Conducted quicker, opportunistic attacks targeting developers and the cryptocurrency ecosystem, aligned with North Korea.
13 Espionage (5) Crypto theft (3) Initial access brokering (2)
ShinyHunters
crime-syndicate
aka Bling Libra
Steals data and demands ransom; if the victim does not comply, the data is published or sold to the highest bidder. Known for targeting organizations to exfiltrate personal and sensitive information for extortion purposes.
12 Ransomware (6) Data exposure (4) Espionage (1)
LockBit
crime-syndicate
aka LockBit affiliates, Artur Sungatov and Ivan Kondratyev, Dmitry Yuryevich Khoroshev, Zservers
Combines encryption with data theft and extortion in ransomware attacks targeting various organizations.
12 Ransomware (10) Espionage (1) Credential theft (1)
advanced persistent threat (APT) actor
crime-syndicate
aka Threat Actor A, Threat Actor B, Operation GriefLure Threat Actor, PRC-nexus threat actor (associated with UNC6201), Suspected China-linked Threat Actor, Threat actor behind DigiCert support portal hack, threat actor exploiting CVE-2024-55224 and CVE-2024-55225, threat actor targeting misconfigured or abandoned password manager instances
Conducted a large-scale poisoning campaign targeting Ghost CMS by exploiting CVE-2026-26980 to inject malicious JavaScript loaders into articles. The campaign involved automated bulk vulnerability scanning, Admin API key extraction, and dynamic C2 distribution to deliver malware such as stealer trojans via ClickFix social engineering attacks. The group used cloaking domains and updated payloads to evade detection and maintain persistence.
11 Initial access brokering (4) Prepositioning (3) Credential theft (3)
The Gentlemen
crime-syndicate
aka Hastala, Storm-2697, zeta88, hastalamuerte, The Gentlemen RaaS, The Gentlemen RaaS administrator, The Gentlemen ransomware operation, The Gentlemen Ransomware-as-a-Service
Operates the Gentlemen ransomware-as-a-service (RaaS) platform, managing the RaaS while affiliates carry out attacks. Uses double extortion tactics, encrypting data and exfiltrating sensitive information to pressure victims. Recently partnered with BreachForums to recruit affiliates and expand operations.
10 Ransomware (10)
Qilin
crime-syndicate
aka Qilin ransomware
Infrastructure (workstation WIN-8OA3CCQAE4D) identified as being associated with Qilin ransomware operations, indicating potential collaboration or shared resources with other ransomware groups.
10 Ransomware (10)
Scattered Spider
crime-syndicate
aka Muddled Libra, Octo Tempest
Targeted entertainment and hospitality organizations with ransomware campaigns, including attacks on reservations, digital keys, point-of-sale (PoS) machines, and loyalty data. Demonstrated capability to disrupt major hotel operators through social-engineering campaigns.
8 Espionage (3) Prepositioning (2) Ransomware (2)
Shai-Hulud
crime-syndicate
aka Shai-Hulud attacker, Shai-Hulud threat actor, Shai-Hulud malware, Shai-Hulud worm
Conducted a large-scale supply chain attack on the npm ecosystem by compromising the 'atool' npm account, which owns popular packages like timeago.js. The attack involved publishing malicious versions of over 300 packages across Alibaba's AntV data visualization ecosystem, exfiltrating credentials, and establishing persistence via backdoors in developer tools like VS Code and Claude Code. The attacker used advanced techniques such as memory scraping to extract unmasked secrets from CI runners, GitHub API dead-drops for exfiltration, and OpenTelemetry impersonation for command and control (C2). The attack was well-orchestrated, with deliberate signaling via GitHub repository descriptions using Dune-universe terminology.
8 Initial access brokering (4) Credential theft (3) Account takeover (ATO) (1)
Clop
crime-syndicate
aka Cl0p, Hazy Scorpius
Exploits vulnerabilities (e.g., Oracle EBS) to conduct data theft and extortion, shifting away from ransomware encryption to pure extortion tactics.
7 Ransomware (6) Data exposure (1)
APT28
nation-state
aka Fancy Bear, TA422
Weaponized CVE-2026-21509 and CVE-2026-32202 in targeted spear-phishing campaigns delivering weaponized document attachments with high-fidelity institutional lures to Ukrainian government agencies and European defense, transportation, and diplomatic entities. Used multi-stage infection chains culminating in the NotDoor Outlook backdoor and Covenant Grunt implants, with cloud storage services as C2 infrastructure.
7 Espionage (3) Credential theft (2) Ransomware (1)
BlackCat
crime-syndicate
aka ALPHV/BlackCat, BlackCat/Alphv, ALPHV, ALPHV BlackCat, operators of ALPHV aka BlackCat ransomware
Engages in ransomware attacks involving encryption and data theft for extortion purposes.
7 Ransomware (6) Credential theft (1)
VECT
crime-syndicate
aka Vect ransomware group, Vect ransomware operators, Vect (ransomware group), VECT Ransomware
Partners with TGR-CRI-1135 to monetize intrusions through ransomware-as-a-service (RaaS) operations, though recent forum removal may impact future collaborations.
7 Credential theft (2) Data exposure (2) Prepositioning (1)
LAPSUS$
crime-syndicate
aka LAPSUS$ Group, Scattered Lapsus$
Collaborates with TGR-CRI-1135 to extort organizations via data leak sites as part of extortion-as-a-service (EaaS) operations.
7 Data exposure (4) Credential theft (2) Espionage (1)
EvilTokens
crime-syndicate
aka EvilTokens affiliates, EvilTokens operators, EvilTokens (related infrastructure), EvilTokens administrator, EvilTokens PhaaS
Developed and distributed the EvilTokens phishing-as-a-service toolkit, which automates device code phishing attacks at scale. The toolkit uses AI to generate realistic attack infrastructure and lowers victim friction through responsive design and automated device code generation.
7 Credential theft (2) Account takeover (ATO) (2) Espionage (1)
MuddyWater
nation-state
aka Seedworm, APT34, Iranian-aligned group connected to the Ministry of Intelligence and Security (MOIS), OilRig
Develops and deploys malware targeting Israeli water infrastructure, including ZionSiphon, which is designed to sabotage water treatment systems. The group is associated with Iranian cyber activity and exhibits tradecraft consistent with mid-tier Iranian state-aligned operations.
6 Espionage (3) Prepositioning (2) Wiper / Sabotage (1)
Akira
crime-syndicate
aka Conti ransomware group
Ransomware operators providing ransomware-as-a-service (RaaS), maintaining the ransomware variant, infrastructure, and managing ransom negotiations. Affiliates deploy the ransomware in victim environments.
6 Ransomware (6)
Handala
nation-state
aka Handala Hack Team, Handala Hacking Team, Ministry of Intelligence and Security (MOIS), MOIS Linked Cyber Influence Ecosystem, The Handala Popular Resistance Front (HPR)
Executed significant wiper attacks in early 2026, targeting high-level government officials, doxxing employees of public companies, and conducting disruptive operations against U.S. critical infrastructure, including internet-exposed PLCs in water, energy, and municipal services.
6 Influence operations (2) Credential theft (1) Espionage (1)

State-Sponsored Activity

Attributed nation-state operations (12w)
North Korea 19 articles
Active Actors
Lazarus Group (12) Famous Chollima (5) APT38 (2) Contagious Interview (2) Kimsuky (1) APT37 (1)
Operations
Crypto theft (10) Espionage (9) Prepositioning (2) Credential theft (1) Initial access brokering (1)
Recent articles
Evolution of Void Dokkaebi's InvisibleFerret: Cython Compilation Enhances Evasio
Analysis of Kimsuky's Multi-Themed Spear Phishing Campaigns: Exploiting Legitima
North Korea's Cybercrime Operations: Funding Military Ambitions and Evading Sanc
Inside DPRK’s npm Malware Factory: A 31-Day Campaign of 108 Packages and 261 Ver
noon-contracts: Sophisticated DeFi-Targeted npm Supply Chain RAT with Triple Per
Russia 12 articles
Active Actors
APT28 (3) APT29 (3) Fancy Bear (3) Secret Blizzard (2) Turla (2) Sandworm (2) Midnight Blizzard (1) Cozy Bear (1)
Operations
Espionage (11) Credential theft (3) Wiper / Sabotage (1) Ransomware (1) Account takeover (ATO) (1)
Recent articles
The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain
Evolution of Kazuar: From Backdoor to Modular Espionage Framework by Secret Bliz
ROADtools: Dual-Use Framework Exploited by Nation-State Actors for Cloud Intrusi
Midnight Blizzard Attack on Microsoft: A Deep Dive into Nation-State Espionage a
Evolution of Kazuar: From Monolithic Backdoor to Modular P2P Botnet Ecosystem
Tracking 624 unique CVEs over the window. Found: 3 persistent.
CVE-2026-41940
9.3 PERSISTENT
cPanel and WHM versions after 11.40 contain an authentication bypass vulnerability in the login flow that allows unauthenticated remote attackers to gain unauthorized access to the control panel.
Cpanel, Cpanel Whm, Cpanel Wp Squared
0 this week 19 total 4w active
Articles
The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain
April 2026 High-Impact Vulnerabilities: A Surge in Exploited CVEs and Emerging T
Critical Authentication Bypass Vulnerability in Palo Alto Networks PAN-OS (CVE-2
Threat Actor Mr_Rot13 Exploits CVE-2026-41940 to Deploy Multi-Stage Backdoors in
Mr_Rot13: A Stealthy Six-Year Cyber Espionage Campaign Exploiting cPanel CVE-202
CVE-2026-31431
7.8 PERSISTENT
In the Linux kernel, the following vulnerability has been resolved: crypto: algif_aead - Revert to operating out-of-place This mostly reverts commit 72548b093ee3 except for the copying of the associ
Linux, Linux Kernel, Redhat Openshift Container Platform, Redhat Enterprise Linux, Redhat Enterprise Linux Aus, Redhat Enterprise Linux Eus
0 this week 14 total 5w active
Articles
The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain
Analysis and Detection of the Linux Kernel Privilege Escalation Vulnerability CV
Critical Linux Kernel Zero-Copy Vulnerabilities Enable Trivial Local Privilege E
Fragnesia (CVE-2026-46300): Analysis of the New Linux Kernel XFRM ESP-in-TCP Pri
Linux Kernel Privilege Escalation Vulnerabilities: Analysis and Detection of Cop
CVE-2026-39987
9.3 PERSISTENT
marimo is a reactive Python notebook. Prior to 0.23.0, Marimo has a Pre-Auth RCE vulnerability. The terminal WebSocket endpoint /terminal/ws lacks authentication validation, allowing an unauthenticate
Coreweave Marimo
0 this week 5 total 4w active
Articles
The Evolving CVE Landscape: AI-Driven Discovery Outpaces Exploitation but Strain
First Observed AI-Agent-Driven Intrusion: LLM Orchestrates End-to-End Attack in
April 2026 High-Impact Vulnerabilities: A Surge in Exploited CVEs and Emerging T
April Security Briefing: Supply Chain Attacks and Exploitation of Trust in Autom
Critical Pre-Authentication SQL Injection in LiteLLM: Rapid Exploitation and Hig