Intel 471 has published its annual threat report, highlighting that the 2025 cyber landscape experienced acceleration rather than disruption, primarily driven by advancements in artificial intelligence. While this technological enhancement has increased the efficiency of cybercriminals, it has not significantly transformed profit-oriented cybercrime dynamics. The report identifies DarkForums as the foremost assembly point for English-speaking cyber adversaries and notes that the Qilin group has solidified its position as the leading player in the ransomware-as-a-service (RaaS) sector. As security teams gear up for 2026, the report urges them to recalibrate their focus on evolving techniques and platforms that have gained prominence in the past year.
Titled ‘Intel 471: 2026 Cyber Threat Trends & Outlook,’ the report reveals a record surge in extortion activities, fueled by supply chain attacks which have contributed to a staggering 63% rise in extortion figures compared to the previous year, continuing an upward trajectory that began in 2022. Meanwhile, the report indicates a 27% decrease in initial access broker activity from 2024, although new participants continue to emerge despite the overall decline.
The extortion landscape, significantly reshaped by ransomware and data extortion attacks, has become a hub for diverse cybercrime specialists seeking to monetize network breaches. Intel 471 documented cases from February to August 2025 in which several ransomware and data extortion groups faced betrayals from affiliates or disruptions by competitors, illustrating the cutthroat nature of this ecosystem.
Within these extortion operations, profit-sharing frequently leads to internal conflicts, wherein the temptation of financial gain supersedes any sense of loyalty amongst group members. This ruthless environment often results in betrayals that endanger ongoing operations, expose sensitive data, or compromise critical infrastructure. Though disruptions may be temporary, they can result in a group’s downfall, which competitors may exploit. Demonstrating resilience against rivals attracts new affiliates, while setbacks such as arrests or leaks can lead to vulnerabilities that opponents capitalize on.
Information-stealing malware persists as a major threat, with prominent examples including Lumma, Stealc, and Vidar. The report highlighted over 500 vulnerabilities discovered throughout the year, 80% of which were either weaponized or productized. Additionally, hacktivist activity was robust, with over 700 documented responses in the cybercrime underground, predominantly concerning propaganda efforts and distributed denial-of-service attacks.
The report sheds light on the English-speaking Com, also known as TheCom, a significant online ecosystem for adversaries. A notable development in 2025 was the rise of the SP1D3R HUNTERS, or SCATTERED LAPSUS$ HUNTERS, a group recognized for its aggressive tactics. This group has been known to threaten employees of compromised organizations, as well as individuals investigating its activities. Many of the breach claims generated by this group were either unsubstantiated or easily disproven.
In 2025, generative AI and large language models (LLMs) surfaced prominently in cybersecurity discussions and underground forums. However, the practical applications of these technologies by threat actors were more tempered than often portrayed. AI tools have enhanced the effectiveness of phishing and business email compromise strategies, serving as performance enhancers rather than core components of cybercriminal operations.
Intel 471 documented evidence of AI-driven tools such as InboxPrime AI, which utilizes third-party AI models to create customized phishing emails and assess their effectiveness against spam detection mechanisms. These innovations allow attackers to generate contextually rich content across various media formats, strengthening the credibility of their campaigns. Notably, AI has facilitated disinformation and influence campaigns, where scale and perceived authenticity often outweigh technical precision.
Despite heightened conversations around ‘AI malware,’ Intel 471 indicates there is little evidence of widespread use of generative AI or LLMs in active malware. Most instances remain at the proof-of-concept stage or pertain to AI-assisted development discussions. Financially driven actors continue to rely on established, proven tools rather than developing new proprietary AI systems, as the latter demands substantial resources. Incremental advances in experimentation have generally been linked to state-sponsored actors.
Looking to the future, experts project selective escalation rather than a comprehensive AI-driven overhaul of cyber tactics. This includes an anticipated rise in deepfake impersonation, AI-generated executive voice fraud, and synthetic media campaigns aligned with electoral and geopolitical events. Furthermore, Intel 471 reported that international law enforcement efforts in 2025 disrupted prominent English-speaking cybercrime forums, arresting several high-profile individuals. As a result, the underground landscape underwent fragmentation, with DarkForums emerging as the central hub.
The Qilin RaaS operation notably dominated the extortion domain in 2025, accounting for about 18% of reported incidents. The group continued to diversify its toolkit and implement sophisticated coercion techniques, such as structured data audits to amplify leverage over its targets. In parallel, several major RaaS operations, including Black Basta, LockBit, and RansomHub, faced significant operational challenges due to rival group activities.
As the landscape evolves, the expectation is that extortion will continue to pose the primary threat in 2026, as shown by this year’s surge in breaches compared to 2024. The success of high-profile supply chain attacks by groups like CLOP and Qilin will likely influence the strategies of other ransomware and data extortion entities. The Qilin RaaS model is anticipated to maintain its prominence, enhancing its offerings and actively seeking new affiliates.
However, a shift in legislation regarding extortion payments may reduce the willingness of organizations to comply with ransom demands, compelling cyber extortion groups to reassess their strategies or explore alternative revenue streams, including data sales. As these dynamics unfold, the tools employed by access brokers will continue to adapt, prompting more intricate analysis of the ties between these brokers and ransomware groups.
The report also highlighted that malware tactics have dramatically shifted towards high-volume social engineering, as evidenced by the emergence of ClickFix. This technique capitalizes on user-initiated actions, allowing attackers to expand their reach into macOS environments. Enforcement actions have also targeted major information-stealer operations, pushing actors to pivot towards other malware families.
In conclusion, the trends outlined in the report suggest a critical need for businesses to bolster their cybersecurity posture amid an evolving threat landscape, where extortion and sophisticated attacks fuel both challenges and opportunities for adversaries.