LUMINAR 2026 Threat Landscape Report Key Takeaways
Security leaders are facing a threat landscape that is not only expanding in scale but also increasing in sophistication, driven by AI-enabled attacks, organized ransomware ecosystems and heightened nation-state activity. The LUMINAR 2026 Threat Landscape Report extracts insights from thousands of real-world incidents to provide CISOs and cybersecurity teams with a clear view of the risks that matter most. It equips decision-makers with the intelligence needed to prioritize defenses, strengthen resilience and stay ahead of rapidly evolving adversaries.
The LUMINAR Threat Intelligence team analyzed over 2,327 cyber incidents across 26 key industries. The report examines emerging trends across ransomware operations, the increase in nation-state APT attacks, dark web marketplace activity and the evolution of observed threats, including a fully AI-automated offensive cyber campaign.
But that’s not all.
The report provides SOC teams and threat hunters, as well as CISOs and security leaders, with key insights to strengthen detection, prioritize threats and stay ahead of emerging attack patterns.
Read on to get up to speed on key attack trends and then check out the full report to gain deeper insights.
Ransomware Attacks Soar and a New Ransomware “Supergroup” is Born
There’s a new ransomware leader and its name is Qilin.
Qilin eclipsed RansomHub as the leading ransomware group in 2025, with 1,004 reported incidents, an approximately 64% increase year-over-year (YoY). Qilin accounted for 12.8% of reported attacks in 2025.
A notable emerging trend is the formation of a ransomware supergroup. Scattered Spider, Lapsus$ and ShinyHunters are reportedly collaborating to expand operations through an Extortion-as-a-Service (EaaS) model, providing affiliates access to a full operational stack, including infrastructure, tooling and support. Through this setup, affiliates can launch attacks with little to no technical expertise.
Another important trend to note is that global ransom payouts dropped by 23%, which can be attributed to larger enterprises showing increased resistance, making SMBs an easier and more lucrative target. Despite the decline in ransom payouts, we saw a 27.3% spike in ransomware activity, with 7,809 recorded incidents in 2025.
Nation-State Threat Actors Adopt AI to Launch Attacks
Nation-state groups accounted for 38% of threat actor activity in 2025, marking a significant rise in state-sponsored operations. Geopolitical tensions and wars contributed to the rise of malicious cyber activity.
At the same time, a significant breakthrough emerged in the use of AI for offensive cyber capabilities.
In September 2025, a Chinese state-sponsored group manipulated Claude Code into autonomously executing a cyber espionage campaign targeting critical infrastructure, government agencies and financial institutions.
The threat actors automated approximately 90% of the campaign. The campaign is a real wake-up call for security teams and a breakthrough for nation-state groups, which can now launch attacks at scale.
Further analysis shows that the AI model autonomously executed key stages of the attack lifecycle, including reconnaissance, content generation, task orchestration and elements of data exfiltration, with minimal human intervention.
This signals the emergence of a new era of AI-powered cyber offensive activity, moving from manual, operator-driven campaigns to scalable, semi-autonomous attack frameworks.
Access Credentials Up for Grabs on The Dark Web
The dark web is a goldmine for cybercriminal buyers purchasing stolen credentials and large volumes of data from “reputable” brokers.
Our research team found over 7 million sales ads for access credentials.
Despite the relative ease and low cost of acquiring stolen credentials, we observed an approximately 50% YoY dip in the volume of newly compromised access credentials. This decline may be attributable to the proliferation of repackaged datasets and duplicate infostealer logs, which are repeatedly redistributed across dark web marketplaces and cybercriminal-operated Telegram channels.
As a result, the overall signal quality of these credential dumps has degraded. Many lists contain stale, previously exposed or invalid credentials, often aggregated from older breaches or recycled infostealer outputs. This oversaturation reduces their effectiveness and diminishes buyer confidence.
It’s also worth noting that stolen credentials were identified as the initial access vector in 22% of data breaches in 2025.
Are You Prepared?
These emerging trends raise critical questions about whether your organization and its external attack surface are adequately protected against persistent threats, such as state-sponsored attacks, advanced ransomware and AI-generated phishing campaigns at scale.
If you’re still relying on traditional defenses, you’re already falling behind.
See what else our research team discovered in the LUMINAR 2026 Threat Landscape Report.