Cyber attackers are increasingly sidestepping conventional security tools by exploiting users themselves, according to Bridewell’s newly launched Cyber Threat Intelligence Report 2026. The report highlights a major shift in attacker behaviour, with threat actors moving away from malware-heavy campaigns towards identity-driven and socially engineered attacks that operate inside trusted systems, often leaving little trace for security tools to detect.
Gavin Knapp, Head of Cyber Threat Intelligence at Bridewell, said the findings point to a fundamental evolution in how cyber attacks are executed.
“A key finding in the report is the move away from malware-led attacks towards identity-driven and user-led compromise, leveraging legitimate identities, software and techniques that operate inside trusted systems and bypass typical defences,” he noted.
Security tools bypassed as attackers target users
At the centre of this shift is the rise of so-called “fix-style” attacks, including ClickFix, FileFix and ConsentFix. These techniques manipulate users into carrying out actions themselves, such as copying malicious commands, approving fraudulent authentication prompts, or completing legitimate login processes that hand control to attackers. Because these attacks rely on user execution, they can bypass endpoint security tools, multi-factor authentication (MFA), and traditional detection mechanisms entirely. In many cases, attacks now take place wholly inside browsers or legitimate identity workflows.
Faster, more resilient cyber threats
Rather than reinventing tactics, attackers are refining existing techniques to increase speed and resilience. Bridewell’s research shows that widely available offensive tools and command-and-control frameworks remain dominant, while adversary infrastructure is becoming more agile and distributed. This allows threat actors to quickly recover from disruption. When one tool or malware family is taken down, attackers rapidly switch to alternatives, minimising downtime and maintaining operational continuity.
Identity emerges as primary attack surface
The report identifies identity as the central battleground in modern cyber attacks. Credentials, session tokens and OAuth access are now heavily targeted, with information-stealing malware playing a key role in harvesting login data. This allows attackers to operate as legitimate users, significantly reducing the likelihood of detection while enabling follow-on attacks including ransomware and fraud.
Ransomware evolves towards data extortion
Bridewell also highlights a shift in ransomware tactics, with attackers increasingly prioritising data theft over encryption. This “smash-and-grab” approach focuses on rapid data exfiltration, allowing cyber criminals to extort victims without the need for prolonged network access. The result is faster attacks that reduce response times for defenders while increasing pressure on organisations to pay.
Blurring lines between cyber crime and nation-state activity
The report noted a growing convergence between cyber criminal groups and nation-state actors, with both adopting similar tools, techniques and infrastructure. This overlap is driving increased sophistication and unpredictability, particularly in attacks targeting critical national infrastructure and key industries.
What to expect
Looking ahead, Bridewell warns that organisations will face an increasingly adaptive threat landscape shaped by identity abuse, agile infrastructure, and AI-enabled attacks.
Key risks expected to dominate in 2026 include:
- Increased exploitation of edge devices and identity systems
- Continued growth in supply chain attacks
- Rising activity linked to DPRK and other state-aligned actors
- Ongoing convergence between cyber crime and nation-state operations
Knapp added that organisations must rethink their approach to security in response to these trends.
“As attackers continue to exploit trusted systems and human behaviour, organisations must move beyond traditional security approaches and focus on identity security, user awareness and threat-informed defence,” he cautioned.










