Huntress Cyber Threat Report Exposes The Playbook for Organized Cybercrime

Report finds cybercriminals are maturing their operations, prioritizing scalable, repeatable attacks to optimize efficiency and maximize profits

Published on Feb. 18, 2026

Got story updates? Submit your updates here. ›

Huntress, a global cybersecurity company, has released its 2026 Cyber Threat Report, which exposes the tactics, techniques, and procedures (TTPs) fueling the multi-trillion-dollar cybercrime market. The report analyzes proprietary telemetry from over 4 million endpoints and 9 million identities across 230,000+ organizations, uncovering critical insights into the evolving ransomware ecosystem, shifting adversary tradecraft, and actionable strategies to help organizations prepare for the year ahead.

Why it matters

The Huntress report provides valuable insights into the evolving tactics and strategies of organized cybercriminals, which can help businesses and security teams better understand and defend against the growing threat of cybercrime. As cybercrime becomes the world's third-largest economy, with costs projected to reach $12.2 trillion annually by 2031, understanding the playbook used by these profit-driven criminals is crucial for organizations to protect themselves.

The details

The report found that cybercriminals are increasingly abusing legitimate remote monitoring and management (RMM) tools to drop malware, steal credentials, and execute commands, with a 277% year-over-year surge in RMM tool abuse. Meanwhile, the use of traditional hacking tools has plummeted by 53%, and remote access trojans and malicious scripts have dropped by 20% and 11.7%, respectively. The report also highlights the rise of the ClickFix malware loader, which fueled 53% of all malware loader activity in 2025 by tricking users into becoming unwitting accomplices. Additionally, the report found that the average time-to-ransom (TTR) has increased from 17 to 20 hours as attackers adopt 'low and slow' tactics to evade detection and focus more on data theft and extortion.

  • In 2025, attackers didn't need to break in when they could just trick users into giving them access.
  • The average time-to-ransom (TTR) increased from 17 to 20 hours in 2025.

The players

Huntress

A global cybersecurity company on a mission to make enterprise-grade products accessible to all businesses.

ClickFix

A malware loader that fueled 53% of all malware loader activity in 2025 by tricking users into becoming unwitting accomplices.

Akira, Medusa, Qilin, and Ransomhub

Four major ransomware players that collectively accounted for over half (51.3%) of all ransomware incidents seen by Huntress in 2025.

Got photos? Submit your photos here. ›

What they’re saying

“Cybercriminals have evolved into highly efficient operators, running their campaigns like well-oiled businesses. They've moved away from flashy exploits and are instead doubling down on simple, effective, and scalable attacks that let them target countless organizations with high success rates.”

— Greg Linares, Principal Threat Intelligence Analyst at Huntress

What’s next

To learn more, get your copy of the Huntress 2026 Cyber Threat Report or read the TL;DR for the highlights. Additional resources include joining Tradecraft Tuesday on March 10, 2026, to hear from Huntress experts, and tuning into declassified on March 18, 2026, where John Hammond and special guest Jim Browning will expose the business of modern cybercrime.

The takeaway

The Huntress Cyber Threat Report highlights the evolving tactics and strategies of organized cybercriminals, who are increasingly prioritizing scalable, repeatable attacks that leverage legitimate tools and exploit user behavior to maximize their profits. This trend underscores the importance for organizations to prioritize identity protection, monitor the abuse of trusted processes, and empower employees to recognize and disrupt attacker tradecraft.