Top 10 Critical Threat Actors to Watch in 2026: Ransomware, APTs & Defensive Strategies

Executive Intelligence Summary: The 2026 Threat Hierarchy

The dominance of these ten threat actors in the enterprise landscape is driven by their proven operational scale, resilience, and measurable impact. Together, they form a stratified hierarchy of persistent risk, distinguished from the broader threat ecosystem by three core attributes: industrialized operating models, sustained adaptation to countermeasures, and strategic exploitation of systemic vulnerabilities.

Top Tier: Ransomware Syndicates

• Akira
• DragonForce
• Qilin
• Lockbit

These groups operate as mature, financially motivated enterprises. Their dominance is rooted in scalable Ransomware-as-a-Service (RaaS) and cartel-style models that separate attack execution from core development, enabling high-volume campaigns. They also evolve tooling quickly (for example, Akira’s move to C++ to improve stability and Qilin’s Rust variant designed to hinder analysis) and aggressively target edge-facing systems and virtualization layers to maximize disruption. Unlike less organized actors, they show business-like resilience—illustrated by LockBit’s post-takedown retooling and DragonForce’s ecosystem consolidation—sustaining persistent pressure on global enterprises.

Strategic State-Aligned Actors

• Lazarus
• Volt Typhoon
• APT29
• OilRig

These APT groups are defined by sustained, objective-driven campaigns backed by nation-state resources. Lazarus exemplifies this model through record-scale financial theft (approximately $2.02B in 2025), which can be reinvested into further capability development. Volt Typhoon and APT29 prioritize long-term, stealthy pre-positioning in critical infrastructure and government environments, relying on living-off-the-land techniques and credential abuse to maintain access. Their goal is strategic disruption or intelligence collection rather than immediate financial gain. This operational patience—combined with low-forensic-footprint TTPs—creates persistent, high-consequence risk that is difficult to attribute and to disrupt.

Hybrid Threat: Criminal-Operational Agility

• Scattered Spider
• Cl0p

These actors combine criminal innovation with APT-like focus. Scattered Spider stands out for highly effective identity-centric intrusions, using native-English social engineering and cloud/SaaS compromises to bypass traditional perimeter and endpoint controls. Cl0p has helped popularize encryption-less extortion, exploiting high-impact vulnerabilities (for example, MOVEit and Oracle E-Business Suite) to enable mass data theft with a minimal infrastructure footprint. Their agility in shifting tactics—such as Cl0p’s move toward direct executive-level extortion—lets them exploit systemic trust relationships and software dependencies more effectively than less specialized threat groups.

Common Differentiator: Resilience and Ecosystem Integration

All ten actors have demonstrated an ability to withstand law-enforcement pressure, replenish talent and infrastructure, and iterate tooling quickly. They are embedded in broader criminal or state-aligned ecosystems that provide access to vulnerabilities, initial access brokers, and money-laundering services—advantages that less organized groups typically lack. This blend of financial incentives or state backing, adaptive tradecraft, and ecosystem support keeps them at the apex of the 2026 threat landscape and reinforces the need for defense-in-depth focused on identity security, rapid patching, and behavior-based detection.

Why 2026 Will Reward Adaptive Threat Actors

The 2026 threat landscape will concentrate risk among actors that prioritize practical capability development over technical novelty for its own sake. This adaptive posture—disciplined tooling refinement, continuous technique iteration, and tactical flexibility—separates first-tier groups from secondary operators that cannot withstand sustained defensive pressure.

Across both ransomware syndicates and nation-state APTs, reporting consistently points to ongoing investment in anti-forensics, cross-platform targeting, and supply-chain exploitation. Groups that maintain this development cadence sustain operational momentum and scale victimization more quickly. By contrast, actors that rely on static tradecraft face intensifying law-enforcement pressure and increasingly optimized defender detection, which steadily erodes their effectiveness.

This divide—between operators that rapidly adapt and those constrained by legacy methods—will define the apex threat ecosystem in 2026. The following assessments illustrate the distinction through concrete examples of capability evolution, operational tempo, and resilience across ransomware groups, financially motivated collectives, and state-sponsored APTs.

Threat Actors to Watch in 2026

1. Akira

• Aliases: GOLD SAHARA, PUNK SPIDER, Howling Scorpius, Storm-1567.
• Category: Ransomware-as-a-Service (RaaS).
• Origin: Russian-speaking actors, with high-confidence links to former Conti members.
• Primary Motivation: Financial gain via double extortion.

Key Activity Highlights

The Akira ransomware group has claimed approximately $244 million in proceeds as of late September 2025 and is considered by the FBI to be among the top five ransomware variants it investigates globally. The group maintains a consistently high operational tempo, demonstrated by its status as the second most active ransomware group in 2025 with hundreds of victim claims.

Targets & Impact

Sectors: Manufacturing, Education, IT/MSP, Finance, Healthcare. Increasingly targets MSPs for cascading compromise across downstream customers.

Platforms: Windows, Linux, VMware ESXi, Hyper-V. Emphasizes hypervisor encryption to maximize infrastructure paralysis.

Impact: Double extortion — combining data theft with encryption—drives both operational disruption and regulatory breach-notification obligations. Victims often face prolonged recovery timelines, substantial ransom demands, and significant reputational harm stemming from the threat of public data disclosure.

Key TTPs & Defender Insights

Malware & Tooling Arsenal

2026 Threat Projection:

• Based on Akira’s established 2025 operating patterns—when it ranked among the most active ransomware groups and reportedly extorted roughly $244M from 600+ victims—the 2026 outlook points to a shift toward greater industrial efficiency and stealth.
• The group’s pragmatic tooling cycle, illustrated by its move away from experimental Rust code and back to a faster, more stable C++ encryptor, reflects a mature emphasis on sustained profitability over technical novelty.
• In 2026, Akira is likely to accelerate exploitation of edge-facing appliances and software supply-chain weaknesses for initial access, while further weaponizing living-off-the-land techniques to reduce its forensic footprint during dwell time.
• The double-extortion model will persist, with greater automation in negotiation workflows and leak-site operations to sustain high-volume campaigns against small and mid-sized businesses (SMBs), keeping Akira a persistent, top-tier financial threat.

2. DragonForce

• Aliases: Water Tambanakua (tracked by Trend Micro).
• Category: Ransomware-as-a-Service (RaaS) Cartel.
• Suspected Origin: Despite name overlap with DragonForce Malaysia, evidence indicates DragonForce is a financially motivated, Russian-speaking cybercriminal group.
• Primary Motivation: Financial Extortion via “Cartel” Consolidation.

Key Activity Highlights

In 2025, DragonForce reshaped the ransomware ecosystem by pivoting to a “cartel” model, offering affiliates a unified, white-label backend while allowing them to operate under independent brands (Check Point Software). This approach coincided with the collapse of RansomHub’s operations and broader consolidation dynamics, helping DragonForce expand its footprint during the post-LockBit reshuffle (Dark Reading). Check Point Research’s leak-site tracking shows that DragonForce’s published victim count rose from 26 in Q1 2025 (Jan–Mar) to 58 in Q2 2025 (Apr–Jun) — an approximate +123% QoQ increase (Check Point Research). By centralizing services such as leak infrastructure and negotiation channels while decentralizing frontline intrusions across affiliates, the group increases scale and revenue potential while making attribution and law-enforcement disruption more difficult (Dark Reading).

Targets & Impact

• Sectors: Manufacturing, Retail (High-Volume PII), Financial Services, Healthcare.
• Platforms: Windows, Linux, NAS, and VMware ESXi environments.
• Impact: Operations often lead to catastrophic business interruption through dual extortion—encryption paired with data theft. High-profile attacks on major retailers in mid-2025 triggered multi-day outages and exposed millions of customer records, pushing ransom demands into the multi-million-dollar range.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection:

• By 2026, DragonForce is likely to evolve into a RaaS platform provider, formalizing its white-label model through API-driven payload generation and deployment workflows. This would further commoditize high-end ransomware, allowing lower-skilled affiliates to launch distinct “sub-brand” variants without hands-on use of a builder.
• At the same time, as on-premises hypervisors (especially ESXi) harden through controls such as TPM 2.0–backed protections and “allow-only-installed” execution policies, DragonForce may shift development toward cloud-native data extortion. A plausible direction is targeting object storage (AWS S3, Azure Blob) via API misuse and credential abuse, bypassing hypervisor-level defenses altogether.
• This model also creates a strategic trade-off: while cartel-style centralization improves efficiency through shared infrastructure, it concentrates risk. Central negotiation portals and leak sites become a potential single point of failure, increasing the impact of any coordinated law-enforcement or infrastructure takedown that could disrupt the broader affiliate ecosystem at once.

3. Qilin (Agenda)

• Aliases: Agenda, Qilin Locker.
• Category: Ransomware-as-a-Service (RaaS).
• Origin: Russian-speaking.
• Primary Motivation: Profit-driven affiliate commission model, offering affiliates 80–85% of each ransom payment. Information theft serves to optimize ransom leverage, not espionage.

Key Activity Highlights

Qilin became the most active ransomware actor in Q3 2025 following the disruption of RansomHub in April, claiming 701 victims by October—a 280% surge from April’s 185 victims. This momentum, averaging 75 victims per month in Q3 up from 36 in Q1, is sustained by a resilient affiliate model and continuous technical evolution. Key advancements include GPO-deployed credential harvesting, a Rust variant (Qilin.B) employing intermittent encryption for speed and evasion, and demonstrated supply-chain attack capability via a single MSP breach impacting 28 downstream financial institutions.

Targets & Impact

• Sector: Manufacturing, Healthcare, Financial Services, Government (SLTT), and Managed Service Providers (MSPs).
• Platform: Cross-platform targeting of Windows, Linux ESXi, and Nutanix AHV environments.
• Impact: Operational shutdowns, patient care disruption, transaction failure, service outages, and supply-chain cascade effects (1 MSP breach → 28+ downstream compromises)

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• Qilin (Agenda) is assessed to maintain first-tier ransomware threat status through mid-2026, defined by sustained victim volume (≥40 monthly leak-site disclosures), consistent monetization, and a resilient affiliate ecosystem that insulates core operators from localized disruption.
• Post-RansomHub absorption momentum (≈280% increase in victim disclosures relative to pre-absorption baselines) and a mature development cadence—characterized by frequent low-friction evasion-focused updates (Rust/Go variants, packer changes), Rust-dominant encryptor stability, intermittent/partial encryption refinement, and routine packer variation—support continued operational effectiveness.
• Sector risk is expected to remain elevated across healthcare, SLTT government, and MSPs, driven by proven 2025 ROI, including MSP compromises yielding significant downstream victim amplification.
• Law-enforcement action presents a moderate risk of temporary disruption but has rarely resulted in permanent elimination of mature RaaS operations, consistent with precedent observed in LockBit and ALPHV ecosystems.

4. Lockbit

• Aliases: LockBit (tracked as “Water Selkie” by Trend Micro).
• Administrator Alias: “LockBitSupp,” identified as Russian national Dmitry Yuryevich Khoroshev.
• Variant/Versions: LockBit 2.0 (Red), LockBit 3.0 (Black, “LockBit Black”), LockBit-NG-Dev (prototype for 4.0), LockBit Green, LockBit 5.0 (“ChuongDong”).
• Category: Ransomware-as-a-Service (RaaS) – Major Legacy Gang.
• Suspected Origin: Russian-speaking cybercriminal ecosystem (CIS-aligned). LockBit ransomware includes logic to avoid execution on systems using Russian and select Eastern European language or regional settings, a common OPSEC control among CIS-based ransomware operations.
• Primary Motivation: Financial gain through extortion. It employs a double-extortion model, encrypting victim data and threatening to publish stolen data unless a ransom is paid.

Key Activity Highlights

LockBit demonstrated significant resilience and technical capability following the February 2024 law enforcement disruption (Operation Cronos). Despite infrastructure seizures, arrests, and the public identification of its leader, the group resurfaced in September 2025 announcing LockBit 5.0, a cross-platform variant targeting Windows, Linux, and VMware ESXi environments. Check Point Research identified a dozen organizations targeted in September 2025, with half infected by the new 5.0 variant. While post-Cronos affiliate migration to Qilin and RansomHub persisted through mid-2025, LockBit’s September relaunch successfully attracted returning operators seeking established brand infrastructure; however, the group’s operational footprint by late 2025 remained substantially diminished relative to pre-disruption levels, suggesting the comeback represented tactical recovery within a structurally fragmented ransomware ecosystem.

Targets & Impact

LockBit affiliates have historically targeted a broad range of critical infrastructure and business sectors globally. The impact is consistently severe due to their double-extortion tactic.

Targets: Manufacturing, Financial Services, Software/IT, Government, Healthcare.

Impact: Operational paralysis from encryption is compounded by direct financial loss, reputational harm, and potential regulatory exposure in regulated environments. In practice, data theft and the threat of publication can trigger breach-notification and compliance obligations under frameworks such as the EU’s GDPR, HIPAA for U.S. healthcare organizations, the CCPA in California, and analogous regimes in other jurisdictions.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• LockBit’s historical scale, mature RaaS operating model, and demonstrated ability to endure sustained law-enforcement pressure support an assessment that it will remain a moderate but persistent ransomware threat into 2026—albeit at a reduced and more contested level than its pre-2024 peak.
• Operation Cronos materially disrupted centralized infrastructure and undermined affiliate trust; however, subsequent LockBit-branded activity and ongoing reuse of its leaked codebase suggest that parts of the ecosystem remain viable.
• While LockBit operators have promoted successor variants and post-takedown technical improvements, independently corroborated evidence of a fully reconstituted, centrally governed platform comparable to earlier iterations remains limited.
• In 2026, LockBit-attributed risk is therefore more likely to manifest as affiliate-driven campaigns leveraging established tradecraft and cross-platform targeting—sustaining pressure on hybrid enterprise environments—rather than as a single dominant ransomware platform. The group’s longevity will depend on whether affiliates continue to view the LockBit brand and tooling as reliable amid an increasingly fragmented and competitive RaaS landscape.

5. Scattered Spider

• Aliases: UNC3944 (Mandiant), Octo Tempest (Microsoft), Starfraud, Scatter Swine, Muddled Libra, Roasted 0ktapus, Storm-0875 (Microsoft).
• Category: Financially motivated cybercriminal collective operating within broader English-speaking hacking community (“The Com” or “The Community”).
• Suspected Origin: United States and United Kingdom; primarily comprised of individuals aged 19-22 as of 2024-2025; demonstrates native English proficiency facilitating social engineering operations.
• Primary Motivation: Financial gain through extortion-driven operations enabled by identity compromise, including data theft, account takeover, and ransomware deployment (encryption + data leakage) where operationally advantageous.

Key Activity Highlights

Scattered Spider sustained operational momentum despite law enforcement interdiction, executing high-impact retail campaigns in April-May 2025 (M&S: £300M profit loss; Co-op: £206M revenue impact; 6.5M customer records exfiltrated). Post-sentencing—Noah Urban received 10-year sentence in August 2025—operations accelerated into insurance (June-July) and airlines (July-August). Decentralized cell structure and active recruitment via gaming networks enabled rapid member replacement. Cloud-centric exploitation advanced dramatically: OAuth token theft, IdP federation hijacking, and session persistence via browser automation bypassed legacy MFA controls. Multiple RaaS partnerships (DragonForce adoption in April 2025) provided operational flexibility.

Targets & Impact

Targets: Scattered Spider primarily targets large enterprises in retail/e-commerce, insurance and financial services, airlines and transportation, and cloud/SaaS—especially environments where help desks, SSO/IdPs (for example, Okta and Microsoft Entra), and outsourced IT functions create reliable initial-access paths and broad downstream reach.

Impact: The typical impact is rapid account takeover followed by data theft and, in some cases, ransomware-enabled disruption. This can drive significant financial losses and extended service outages (for example, M&S publicly estimated a £300m profit hit; Co-op reported £206m in lost sales and confirmed the compromise of all 6.5m members).

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• Scattered Spider is assessed to sustain elevated operational tempo through 2026 via decentralized cell structure and active recruitment within English-speaking cybercriminal communities. Post-arrest continuity (July 2025 arrests concurrent with ongoing insurance/aviation activity) indicates resilience and rapid reconstitution.
• Identity-centric exploitation of Okta/Microsoft Entra—inbound federation hijacking, OAuth token theft via AiTM phishing, MFA reset abuse—remains verified core capability against identity-dependent enterprises, with continued help-desk/SSO weaknesses enabling reliable initial access.
• While high-quality vishing and scripted social engineering will remain central, current evidence supports incremental refinement rather than a confirmed shift to fully automated or AI-generated impersonation at scale.
• Multi-RaaS partnerships (DragonForce adoption, Qilin partnerships ongoing) insulate operations from single operator disruption.
• Law enforcement demonstrates short-term individual impact but insufficient collective degradation; mid-term operational sustainability through 2026 remains high-confidence projection grounded in observed recovery patterns and persistent infrastructure weaknesses.

6. Cl0p

• Primary Designation: Clop (stylized as Cl0p, CL0P, CLOP)
• Aliases: Lace Tempest, FIN11, DEV-0950, TA505, Graceful Spider.
• Category: Ransomware-as-a-Service (RaaS) / financially motivated extortion collective primarily operating a data-theft model.
• Suspected Origin: Russian-speaking cybercriminal network operating from a likely non-extradition jurisdiction within the CIS ecosystem.
• Primary Motivation: Financial extortion via large-scale data theft and threat-of-exposure campaigns. Industry estimates suggest cumulative proceeds in the hundreds of millions of USD since 2019, with revenue increasingly driven by extortion-only operations.

Key Activity Highlights

Clop emerged as the most active extortion actor during early Q1 2025, driven by a surge of publicly disclosed victims in February following mass exploitation of previously unknown vulnerabilities in Cleo managed file-transfer products. Multiple leak-site monitoring sources reported several hundred victim disclosures within weeks, placing Clop ahead of other ransomware groups during a period of sustained disruption to LockBit operations. The campaign reinforced Clop’s strategic pivot toward an encryption-optional, data-exfiltration-first extortion model, enabling high-volume operations with reduced forensic exposure.

In late 2025, Clop further evolved its pressure tactics through an extortion campaign linked to Oracle E-Business Suite exposure, leveraging compromised enterprise email accounts to directly target C-suite executives. Reported cases indicate multimillion-dollar ransom demands and expanded “quadruple extortion” pressure, including customer and partner notification threats. The group’s recurring pattern of extended dormancy followed by explosive, vulnerability-driven campaigns underscores sustained investment in vulnerability discovery and a financially motivated operating model capable of rapid, large-scale victimization.

Targets & Impact

Primary targets: Retail/consumer goods and services (33% of Q1 2025 victims), manufacturing, technology, healthcare, and professional services. Cl0p strategically exploits vulnerabilities in widely used third-party platforms (for example, managed file-transfer solutions and ERP software) to compromise hundreds of organizations in parallel.

Impact: Cl0p’s impact is primarily driven by mass data exfiltration rather than encryption, exposing sensitive customer, patient, and proprietary business data at scale. These campaigns frequently generate supply-chain spillover, regulatory and legal exposure, and severe reputational harm. High-value victims may also face executive-level extortion and multimillion-dollar ransom demands even when disruption from encryption is minimal or absent.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• Cl0p is likely to remain a top-tier global extortion actor in 2026, building on operational shifts observed in 2024–2025. Its move toward an extortion-only model—reinforced by late-2025 executive-focused pressure campaigns tied to enterprise software exposure—reduces operational complexity while maximizing leverage through reputational and regulatory risk. This approach supports high-value targeting without relying on widespread ransomware deployment.
• Cl0p’s continued effectiveness will likely depend on its ability to identify and rapidly weaponize vulnerabilities in widely deployed enterprise platforms. Its history of exploiting managed file-transfer solutions reflects mature exploit-chain engineering and disciplined campaign timing, pointing to a sustained focus on high-impact, supply-chain-style opportunities rather than purely volume-driven intrusion. Emerging cross-platform elements—such as Java-based loaders and cloud-oriented exfiltration workflows—also suggest gradual diversification beyond Windows-centric tradecraft.
• The group’s resilience to past law-enforcement pressure, combined with clear financial motivation and limited ideological signaling, supports an assessment of ongoing operational longevity. Any increase in 2026 activity is more likely to be driven by opportunistic vulnerability discovery and ecosystem partnerships than by a predictable, steady campaign cadence.

7. Lazarus

• Aliases: Hidden Cobra, Guardians of Peace, APT38, BlueNoroff, Diamond Sleet, Labyrinth Chollima, Nickel Academy.
• Category: State-sponsored advanced persistent threat (APT) group.
• Suspected Origin: Democratic People’s Republic of Korea (North Korea).
• Primary Motivation: Regime-backed cybercrime and espionage; chiefly financial gain (large-scale cryptocurrency theft to fund DPRK weapons programs), alongside secondary goals of political/intellectual property theft and sabotage.

Key Activity Highlights

Lazarus (DPRK-linked) sustained aggressive multi-vector campaigns in 2025. Kaspersky reported the BlueNoroff subgroup using sophisticated social-engineering to target the crypto industry: GhostCall (impersonating investors on macOS/Windows) and GhostHire (fake job offers to blockchain developers) campaigns deployed new RATs to steal keys and credentials. Fox-IT analysts detailed a DeFi incident where Lazarus deployed multiple RAT stages (PondRAT → ThemeForestRAT → RemotePE) over months, illustrating adaptive malware evolution and persistence. ESET observed Operation DreamJob, where Lazarus lured European defense/aerospace firms with bogus job ads to exfiltrate UAV design data via the ScoringMathTea RAT. Chainalysis confirms DPRK hackers stole ~$2.02 billion in crypto in 2025 – a record haul reflecting Lazarus’s focus on large-scale financial theft. These trends show Lazarus maintaining momentum and resilience, continuously updating tools and tactics to sustain high-value thefts and espionage.

Targets & Impact

• Target sectors: Cryptocurrency exchanges, DeFi platforms, and blockchain bridges (for example, Bybit, Harmony, and Stake[.]com); Web3 developers and crypto executives targeted via social engineering (GhostCall/GhostHire campaigns); European defense contractors and UAV/drone manufacturers (Operation DreamJob); fintech platforms, remote-first technology companies, and software supply chains (including npm and GitHub developer ecosystems).

• Impact: Direct financial losses exceeding $2.02B in cryptocurrency theft during 2025 alone, including infrastructure compromise and customer-fund exfiltration; theft of intellectual property such as UAV design specifications and weapons-system data that can support North Korea’s drone industrialization; credential compromise enabling lateral movement and persistent backdoor deployment; downstream supply-chain compromise via trojanized repositories affecting enterprise and government software consumers; and broader operational disruption plus loss of proprietary R&D data across defense, aerospace, and technology sectors.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• Lazarus’s trajectory indicates continued innovation and agility into 2026. The group has increasingly targeted the software supply chain by trojanizing developer tools and open-source assets (for example, embedding loaders in GitHub projects) and has exploited localized software (such as Innorix and CrossEX), including reported zero-day abuse.
• Lazarus is likely to intensify supply-chain and living-off-the-land tradecraft, pairing sophisticated social engineering (including fake recruiter/HR lures) with newly discovered vulnerabilities. Given North Korea’s record ~$2.02B in cryptocurrency theft in 2025, the group will likely pursue larger, high-value intrusions in 2026 spanning both theft and espionage. Defense contractors, advanced manufacturing, and financial services remain high-risk targets. Ongoing refresh cycles for custom RATs/backdoors and the use of stealthier C2 channels suggest continued OPSEC investment (for example, memory-resident implants and encrypted beaconing).
• Overall, Lazarus’s momentum and survivability suggest it will maintain—and potentially expand—high-end capability, including campaigns that blend mission-driven espionage with financial objectives. Defenders should assume continued evolution in tooling and access methods and prioritize rapid patching, identity hardening, and anomaly-based detection to counter this threat.

8. Volt Typhoon

• Aliases: Vanguard Panda, BRONZE SILHOUETTE, Dev-0391, UNC3236, Voltzite, Insidious Taurus, TAG-87.
• Category: People’s Republic of China (PRC) state-sponsored Advanced Persistent Threat (APT) targeting critical infrastructure.
• Suspected Origin: PRC state-linked cyber operators, assessed as coordinated with Chinese state strategic objectives.
• Primary Motivation: Long-term strategic intelligence gathering and pre-positioning for disruptive cyberattacks on allied critical infrastructure. U.S. agencies note this group is “pre-positioning…for potential destructive or disruptive attacks” (not mere espionage).

Key Activity Highlights

Volt Typhoon is a PRC state-sponsored intrusion set characterized by stealth, operational patience, and long-term access achieved through living-off-the-land techniques and abuse of valid credentials. Public reporting has documented exploitation of CVE-2024-39717 in Versa Director and the use of the memory-resident VersaMem web shell to intercept credentials in ISP/MSP SD-WAN environments, indicating targeted technical sophistication. The group’s focus on communications, energy, transportation, and water is widely assessed as strategic pre-positioning for potential disruptive or coercive effects during future contingencies, rather than conventional intelligence collection. After the early-2024 disruption of its KV botnet infrastructure, independent research reported reconstituted router-based capabilities using compromised Cisco and Netgear devices and new cloud-based C2 nodes. Documented multi-year persistence—five years or more in some environments—reinforces the assessment that the campaign is optimized for endurance and survivability.

Targets & Impact

Target Sectors: U.S. and allied critical infrastructure spanning communications, energy, transportation, and water/wastewater sectors, plus adjacent government and telecommunications providers. Activity documented across continental U.S., territories (Guam), and interconnected Five Eyes partner networks.

Impact: Government advisories assess long-term, low-visibility IT access enabling detailed reconnaissance of network architecture, identity infrastructure, and operational dependencies, creating conditions for potential large-scale service disruption—power, water, communications, transportation—during future contingencies. While direct OT compromise is not publicly documented, sustained IT-side persistence is assessed as sufficient to degrade essential services through indirect means, distinguishing this activity from data-theft-driven espionage.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• Volt Typhoon has consistently prioritized stealthy pre-positioning in IT environments that support critical infrastructure operations, relying on living-off-the-land tooling, abuse of valid credentials, and router-based proxy infrastructure to sustain long-term, low-visibility access.
• Its technical sophistication is reflected in tailored capabilities such as the VersaMem implant on Versa Director, which enables in-memory credential interception in ISP and MSP SD-WAN environments, as well as in its use of compromised SOHO devices and custom or modified reverse-proxy tunneling to build multi-hop, low-attribution command-and-control paths.
• Public and government reporting has documented multi-year persistence across communications, energy, water/wastewater, and transportation sectors, and has also described infrastructure survivability following the early-2024 disruption of the KV router botnet, with router-based operations later observed as reconstituted and active.
• Given this pattern, Volt Typhoon is likely to keep refining—rather than replacing—its established access model. This likely includes continued exploitation of network-edge and management platforms (for example, VPNs, SD-WAN controllers, and ISP/MSP infrastructure), incremental evolution of in-memory and low-artifact implants on those platforms, and expanded use of service-provider and router ecosystems to enable indirect access to multiple critical infrastructure operators.
• The principal 2026 risk is the quiet expansion and redundancy of access paths into lifeline infrastructure—reinforcing strategic pre-positioning for potential disruption rather than visible, high-tempo operations.

9. APT29

• Aliases: APT29, COZY BEAR, The Dukes, Midnight Blizzard, NOBELIUM, IRON HEMLOCK, UNC2452.
• Category: Nation-State Advanced Persistent Threat (APT).
• Suspected Origin: Russia (SVR).
• Primary Motivation: Strategic foreign intelligence collection, aligned with the interests of Russia’s Foreign Intelligence Service (SVR).

Key Activity Highlights

Throughout 2024–2025, APT29 sustained operational momentum by executing parallel, high-tempo campaigns demonstrating significant capability evolution and survivability. Tactics evolved with the deployment of GRAPELOADER, a new, stealth-focused loader that refines anti-analysis and string obfuscation from previous tools like WINELOADER. The group intensified its focus on identity-centric attacks, weaponizing credentials and tokens stolen in previous breaches to pivot into new corporate environments and conduct extensive password spraying attacks. Credential harvesting scaled via sophisticated watering holes that used randomized victim selection and abused the Microsoft device code authentication flow. Consistent targeting of European government, diplomatic, and defense sectors aligns with Russian strategic intelligence priorities. This operational cadence—leveraging novel malware, aggressive identity compromise, and adaptive targeting—confirms a resilient and scalable intelligence collection model.

Targets & Impact

Target sectors: Western government ministries (foreign affairs, defense, interior), diplomatic missions, intergovernmental organizations, and policy research institutes remain primary targets. Secondary targets include IT and managed service providers that support government environments, as well as select energy and maritime organizations assessed to provide insight into national policy, logistics, or strategic planning rather than enabling direct operational disruption.

Impact: APT29 operations are designed to sustain access to sensitive diplomatic and government communications, enabling long-term intelligence collection on foreign policy and security decision-making. Cloud-tenant persistence supports low-noise monitoring across email and collaboration platforms, while selective compromise of service providers can extend intelligence reach into protected government networks without requiring repeated direct intrusions.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

• APT29 is assessed to maintain a sustained, high-tempo intelligence-collection posture through 2026 in support of Russia’s Foreign Intelligence Service (SVR). Activity observed across 2024–2025 indicates a disciplined, multi-track operating model that pairs broad credential-harvesting with highly targeted follow-on intrusions, enabling continuous access generation and selective exploitation against priority targets.
• The group continues to demonstrate mature tooling lifecycle management, favoring iterative refinement over novelty. The 2025 use of GRAPELOADER reflects ongoing investment in stealthy loader frameworks and stronger anti-analysis features, building on earlier WINELOADER tradecraft. Innovation remains pragmatic, including abuse of trusted authentication workflows (for example, Microsoft’s device code flow) to harvest credentials at scale and evade MFA in certain environments.
• APT29 also shows strong tactical flexibility: shifting initial access from spear-phishing to compromised websites and watering-hole activity, and rapidly reconstituting infrastructure across cloud providers after disruption. Targeting has expanded beyond diplomatic entities to include political organizations, NGOs, academia, and other policy-adjacent communities aligned with SVR intelligence priorities.
• Survivability remains a key strength. Persistent abuse of OAuth applications, stolen access tokens, and cloud-native administrative features can enable tenant-level access that may outlast credential resets and endpoint remediation. Looking ahead, APT29 is likely to deepen its reliance on cloud identity abuse and legitimate APIs, reducing dependence on traditional malware implants while sustaining long-term, low-visibility intelligence collection.

10. OilRig

• Aliases: APT34, Helix Kitten, Earth Simnavaz, Hazel Sandstorm, Cobalt Gypsy, Crambus.
• Category: Iranian state-sponsored cyber espionage group.
• Suspected Origin: Iran. Assessed to operate on behalf of the Iranian government based on infrastructure characteristics, use of Iranian infrastructure, and targeting aligned with Iranian state interests.
• Primary Motivation: Strategic intelligence collection to support national security and geopolitical objectives, primarily focused on Middle Eastern rivals and international entities of interest to the Iranian state.

Key Activity Highlights

OilRig maintained consistent operational tempo through 2025, demonstrating notable technical evolution and adaptability. The group has increasingly targeted critical infrastructure in the Middle East, with a pronounced focus on the energy sector and government entities in the Gulf region. A key development is the rapid operationalization of the Windows Kernel privilege escalation vulnerability CVE-2024-30088, weaponized within months of its public disclosure in mid-2024 to gain SYSTEM-level access. Parallel deployment of Veaty and Spearal malware families alongside STEALHOOK demonstrates active tooling development and tactical flexibility. The group maintained foundational DNS tunneling infrastructure (Helminth, ALMA Communicator, BONDUPDATER/QUADAGENT), evidencing operational preference for redundant C2 architectures combining legacy DNS-based channels with Exchange-based exfiltration pathways. Rapid CVE weaponization integrated with RunPE in-memory loaders and ngrok remote access confirms sustained investment in kernel exploitation capabilities.

Targets & Impact

Target sectors: Primary targets include government, law enforcement, energy and utilities (especially oil and gas), telecommunications, and financial services across the Middle East—particularly the UAE, the wider Gulf region, and Israel. Secondary or enabling targets include aerospace/defense-adjacent entities and technology or service providers where access enables downstream intelligence collection.

Impact: Credential-centric intrusions can enable sustained access to government and critical infrastructure networks, resulting in theft of authentication material (for example, LSASS memory and domain credentials), exfiltration of strategic documents, and deployment of DNS-based C2 backdoors (ALMA Communicator, Helminth, BONDUPDATER). These operations may also involve abuse of Microsoft Exchange servers, further complicating detection by blending malicious activity with legitimate traffic.

Key TTPs & Defender Insights

Tooling & Malware Arsenal

2026 Threat Projection

• OilRig’s technical sophistication was demonstrated by the rapid weaponization of CVE-2024-30088, reportedly enabling SYSTEM-level privilege escalation within roughly four months of Microsoft’s June 2024 patch cycle, followed by deployment of the STEALHOOK backdoor against Gulf-region government targets by October.
• The group’s tactical flexibility is reflected in a dual-track command-and-control approach: legacy DNS-based infrastructure (including BONDUPDATER with TXT-record fallback, ALMA Communicator, and Helminth) operating in parallel with Exchange-focused credential theft delivered via spearphishing attachments. This redundancy improves survivability by reducing exposure to single-point disruption. Continued malware iteration—through successive STEALHOOK, Veaty, and Spearal variants—also indicates sustained investment in tooling.
• Observed 2024–2025 patterns—credential-centric tradecraft, proven spearphishing vectors, and ongoing DNS infrastructure refinement—support an assessment that OilRig will continue to blend Exchange-based persistence with resilient DNS C2 in 2026, maintaining focus on government, energy, and defense-related targets aligned with Iranian intelligence priorities.

Cross‑Actor Defensive Strategies for 2026

Core threat pattern: Across the ten profiled actors, recurring tradecraft includes heavy use of living-off-the-land binaries (for example, PowerShell, WMI, PsExec, and other administrative tools), modern Rust/C++ ransomware variants (such as Akira and Qilin.B), and cloud-native identity abuse (notably APT29 and Scattered Spider) to maintain access while reducing endpoint-detection visibility. As a result, effective defense must shift from primarily signature-driven controls toward behavior-based detection and architectural containment.

Critical Defensive Imperatives:

Treat identity as Tier-0 infrastructure.

Across APT29, Scattered Spider, Volt Typhoon, and OilRig, sustained access increasingly hinges on cloud identity abuse—OAuth token theft, federation manipulation, device-code flow abuse, and reuse of valid accounts. Defensive priorities should extend beyond password and MFA hygiene to continuous token risk evaluation, strict application-consent governance, and anomaly detection across IdP and identity-related APIs.

Expect “low-novelty, high-reliability” tooling evolution.

Akira, Qilin, LockBit, and DragonForce illustrate pragmatic development cycles: prioritizing speed, stability, and operational reliability over novelty, while selectively adopting languages such as Rust or Go where they provide clear advantages (for example, complicating analysis or enabling cross-platform execution). Defenders should emphasize behavior-based detections—file I/O bursts, backup and recovery inhibition, virtualization manipulation—over static signatures.

Kernel and hypervisor abuse is becoming routine.

Tradecraft such as BYOVD, ESXi/Nutanix targeting, and VM-layer kill chains is increasingly normalized. Mitigations should include enforcing vulnerable-driver blocklists, hardening hypervisor execution policies (for example, allow-only-installed/“execInstalledOnly” controls where applicable), using TPM-backed protections, and strictly separating hypervisor management planes from general enterprise networks.

Living-off-the-land dominates stealth campaigns.

Volt Typhoon, APT29, OilRig—and many ransomware affiliates—prefer native utilities and administrative tooling (for example, WMI, PowerShell, certutil, netsh, and cloud admin APIs). Effective detection requires baselining legitimate administrative activity and hunting for deviations in behavior, timing, and scope—not simply flagging tool usage.

Supply-chain and edge exploitation drives scale.

Cl0p, Qilin, Lazarus, and Volt Typhoon repeatedly leverage vulnerabilities in enterprise software and edge-facing platforms, including MSP tooling, SD-WAN, VPN appliances, and routers. Patch SLAs for internet-exposed systems should compress to days, not weeks, supported by an assumed-breach posture during active exploitation windows.

Resilience — not takedown avoidance — defines top-tier actors.

Cartel/RaaS models, tolerance for affiliate churn, redundant C2 paths (DNS, email, routers), and rapid cloud-infrastructure reconstitution enable fast recovery after disruption. Defensive strategy should prioritize blast-radius reduction, credential containment, and rapid access invalidation—rather than relying primarily on takedowns or infrastructure disruption.

Conclusion

The ten profiled threat actors sustain apex enterprise security risk through proven resilience, deep ecosystem integration, and ongoing capability evolution. Ransomware syndicates enable high-volume financial extraction through decentralized affiliate structures and pragmatic tooling iteration. Nation-state APTs maintain strategic pre-positioning across critical infrastructure and government environments using low-forensic-footprint persistence and identity abuse. Financially motivated collectives capitalize on systemic weaknesses in identity and cloud security, often adapting faster than perimeter-centric defenses can respond.

Law-enforcement actions — such as Operation Cronos (LockBit), disruption of Volt Typhoon’s KV botnet infrastructure, and arrests tied to Scattered Spider — tend to impose short-term friction rather than eliminate ecosystem viability. Decentralized operating models, affiliate economics, and state backing support rapid recovery and capability reconstitution. In 2026, the threat environment will continue to favor adaptive operators, while groups with stagnant tradecraft face faster detection and diminishing returns.

Enterprise defensive priorities should therefore include aggressive patching of internet-facing systems, identity-first controls (for example, phishing-resistant MFA such as FIDO2 and continuous token validation), immutable and offline backups, and behavior-based detection for living-off-the-land activity across endpoints and infrastructure.