Report examines current cybersecurity trends, the increase in threats across different geographies, and the MITRE tactics used by cyber criminals
Lumu, the cybersecurity company pioneering Continuous Compromise Assessment®, issued the 2026 Compromise Report, identifying four key cybersecurity trends across anonymizers, droppers and downloaders, infostealers, and ransomware. The report also identifies North America as the global epicenter for high-value targets, with Telecommunications, Education, State and Local Government, Finance Services, and Professional Services being the top sectors impacted. North America’s mature digital infrastructure makes it the primary playground for sophisticated Ransomware-as-a-Service (RaaS) operations that prioritize high payouts over volume.
“This year, we’ve seen a strategic shift in attack methods from high-profile malware to stealthier techniques. We no longer look for the enemy at the gate; we have to assume they are already inside. Attackers have mastered camouflaging their activity within legitimate tools and network noise, trading brute force for behavioral evasion, and favoring anonymizers, DNS tunneling, and AI-generated domains,” said Ricardo Villadiego, founder and CEO of Lumu. “Our latest report serves as a battle plan for security leaders, breaking down the anatomy of these new, invisible threats from Keitaro to DeathRansom. It highlights the importance of persistent monitoring, seamless tool integration, and actionable threat intelligence.”
The Lumu report finds that attackers have abandoned ‘loud’ breaches for ‘low-and-slow’ evasion, mastering Living-off-the-Land tactics and hiding within existing tools. Attackers may use VPNs, legitimate traffic distribution systems, or encrypted DNS channels. The report notes that the clearest evidence of this shift is in the Tactics, Techniques, and Procedures (TTPs). MITRE ATT&CK framework data shows a distinct trend: attackers are prioritizing evasion above all else. Notably, Command and Control (C2) has replaced Execution among the top three TTPs, signaling a change in priorities—adversaries are less concerned with running destructive code immediately, and more focused on maintaining a persistent, silent lifeline to networks without tripping alarms.
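The shift the report describes, from noisy execution to quiet C2 over channels such as DNS tunneling and algorithmically generated domains, is something defenders can look for in their own resolver logs. The following is an added example, not code from Lumu or the report: a small heuristic triage script that reads constructed DNS query log lines, scores the longest non-TLD label of each name by length and Shannon entropy, and groups hits by parent domain to separate a tunneling pattern (many distinct random subdomains under one parent) from a single random second-level domain. The log format, the thresholds, and the naive "last two labels" parent-domain rule are all assumptions chosen for illustration.

```python
"""Heuristic triage of DNS query logs for tunneling / DGA-style beacons.

Added example, not from the Lumu report. Log format, thresholds and the
parent-domain rule are assumptions; tune them against your own baseline.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log, one query per line: "<timestamp> <client> <qname> <qtype>"
SAMPLE_LOG = """\
2025-07-29T10:00:01Z 10.1.2.3 www.example.com A
2025-07-29T10:00:02Z 10.1.2.3 cdn.example.net A
2025-07-29T10:00:03Z 10.1.2.9 a9f3c2e1b7d4406f9e2a1c.tunnel-demo.test TXT
2025-07-29T10:00:04Z 10.1.2.9 5e7d1a0c3b9f8e2d4a6c7b.tunnel-demo.test TXT
2025-07-29T10:00:05Z 10.1.2.9 0b2c4d6e8fa1c3e5d7b9a1.tunnel-demo.test TXT
2025-07-29T10:00:06Z 10.1.2.9 c8e6a4f2d0b1e3c5a7f9d1.tunnel-demo.test TXT
2025-07-29T10:00:07Z 10.1.2.7 xkq7vz2pm9wtr4lc.invalid A
2025-07-29T10:00:08Z 10.1.2.3 mail.example.com MX
"""

MIN_LABEL_LEN = 16        # assumption: legitimate labels are rarely this long
MIN_ENTROPY_BITS = 3.5    # assumption: hex/base32 payloads of 16+ chars sit near 3.7-4.0
TUNNEL_MIN_DISTINCT = 3   # assumption: distinct random subdomains before calling it tunneling


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character over the string's own symbol distribution."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> dict:
    ts, client, qname, qtype = line.split()
    return {"ts": ts, "client": client, "qname": qname.rstrip(".").lower(), "qtype": qtype}


def parent_domain(qname: str) -> str:
    # Naive: last two labels. Production code should consult the Public Suffix List.
    return ".".join(qname.split(".")[-2:])


def suspicious_label(qname: str):
    """Return the longest non-TLD label if it looks like encoded payload, else None."""
    labels = qname.split(".")[:-1]
    if not labels:
        return None
    longest = max(labels, key=len)
    if len(longest) >= MIN_LABEL_LEN and shannon_entropy(longest) >= MIN_ENTROPY_BITS:
        return longest
    return None


def triage(log_text: str) -> dict:
    """Group suspicious queries by parent domain and assign a coarse verdict."""
    per_parent = defaultdict(lambda: {"names": set(), "clients": set(), "sld_random": False})
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        q = parse_line(raw)
        label = suspicious_label(q["qname"])
        if label is None:
            continue
        parent = parent_domain(q["qname"])
        entry = per_parent[parent]
        entry["names"].add(q["qname"])
        entry["clients"].add(q["client"])
        # If the random label is the second-level label itself, the whole domain is random.
        if label == parent.split(".")[0]:
            entry["sld_random"] = True

    findings = {}
    for parent, e in per_parent.items():
        n = len(e["names"])
        if n >= TUNNEL_MIN_DISTINCT:
            verdict = "possible tunneling"          # many distinct payload-like subdomains
        elif e["sld_random"]:
            verdict = "possible DGA domain"         # the registrable name itself is random
        else:
            verdict = "single high-entropy label"   # worth a look, not yet a pattern
        findings[parent] = {
            "suspicious_queries": n,
            "clients": sorted(e["clients"]),
            "verdict": verdict,
        }
    return findings


if __name__ == "__main__":
    for parent, f in triage(SAMPLE_LOG).items():
        print(f"{parent}: {f['verdict']} ({f['suspicious_queries']} queries from {f['clients']})")
```

Entropy and label length alone produce false positives on CDN hostnames and cloud storage endpoints, which is why the grouping step matters: a burst of distinct high-entropy subdomains under one parent from one client is the shape of a covert channel, while a single random-looking second-level name under a throwaway TLD is the shape of a generated C2 domain. Whitelist known infrastructure before acting on either verdict.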
Other key findings of the Lumu report include:
- Anonymization remained the most detected Indicator of Compromise (IoC) type all year, reinforcing its position as a foundational tactic.
- The top anonymizers detected worldwide include services like Tor and private VPNs.
- Lumu most frequently detected the dropper Keitaro, a legitimate Traffic Distribution System (TDS) used by marketers to route web traffic, which attackers have weaponized to create a ‘velvet rope’ for malware.
- Despite the takedown of the malware-as-a-service (MaaS) infostealer Lumma Stealer, Lumu sensors detected new, more resilient Lumma infections in late July 2025.
- While Lumma is still dominant, the landscape shifted to include new financial credential stealers like MagentoCore, Remo, and Ramnit.
- The 2025 ransomware landscape was dominated by fragmented groups that split from larger, well-known gangs, with DeathRansom being the largest.