Lumu 2026 Compromise Report Finds Key Trends Across Anonymizers, Droppers and Downloaders, Infostealers, and Ransomware Attack Vectors

Report examines current cybersecurity trends, increase of threats across different geographies, and MITRE tactics used by cyber criminals

MIAMI--(BUSINESS WIRE)--Lumu, the cybersecurity company pioneering Continuous Compromise Assessment®, today issued the 2026 Compromise Report, identifying four key cybersecurity trends across anonymizers, droppers and downloaders, infostealers, and ransomware. The report also identifies North America as the global epicenter for high-value targets, with Telecommunications, Education, State and Local Government, Finance Services, and Professional Services being the top sectors impacted. North America’s mature digital infrastructure makes it the primary playground for sophisticated Ransomware-as-a-Service (RaaS) operations that prioritize high payouts over volume.

“This year, we’ve seen a strategic shift in attack methods from high-profile malware to stealthier techniques. We no longer look for the enemy at the gate; we have to assume they are already inside. Attackers have mastered camouflaging their activity within legitimate tools and network noise, trading brute force for behavioral evasion, and favoring anonymizers, DNS tunneling, and AI-generated domains,” said Ricardo Villadiego, founder and CEO of Lumu. “Our latest report serves as a battle plan for security leaders, breaking down the anatomy of these new, invisible threats from Keitaro to DeathRansom. It highlights the importance of persistent monitoring, seamless tool integration, and actionable threat intelligence.”

The Lumu report finds that attackers have abandoned ‘loud’ breaches for ‘low-and-slow’ evasion, mastering Living-off-the-Land tactics and hiding within existing tools. Attackers may use VPNs, legitimate traffic distribution systems, or encrypted DNS channels. The report notes that the clearest evidence of this shift is in the Tactics, Techniques, and Procedures (TTPs). MITRE ATT&CK framework data shows a distinct trend: attackers are prioritizing evasion above all else. Notably, Command and Control (C2) has replaced Execution among the top three TTPs, signaling a change in priorities—adversaries are less concerned with running destructive code immediately, and more focused on maintaining a persistent, silent lifeline to networks without tripping alarms.

Other key findings of the Lumu report include:

  • Anonymization remained the most detected Indicator of Compromise (IoC) type all year, reinforcing its position as a foundational tactic.
  • The top anonymizers detected worldwide include services like Tor and private VPNs.
  • Lumu most frequently detected the dropper Keitaro, a legitimate Traffic Distribution System (TDS) used by marketers to route web traffic, which attackers have weaponized to create a ‘velvet rope’ for malware.
  • Despite the takedowns of malware-as-a-service (MaaS) infostealer Lumma Stealer, Lumu sensors detected new, more resilient Lumma infections in late July 2025.
  • While Lumma is still dominant, the landscape shifted to include new financial credential stealers like MagentoCore, Remo, and Ramnit.
  • The 2025 ransomware landscape was dominated by fragmented groups that split from larger, well-known gangs, with DeathRansom being the largest.

To read a full copy of the Lumu report, please visit 2026 Compromise Report. To learn more about Lumu’s industry-leading cybersecurity solutions, visit lumu.io.

About Lumu

Lumu is a cybersecurity company that helps organizations operate cybersecurity proficiently by measuring and understanding compromise in real time. Through its Continuous Compromise Assessment® model, Lumu empowers security teams to act immediately on confirmed compromises and minimize risk exposure. For more information, visit www.lumu.io.

Contacts

Media Contacts
Maria Lobato
mlobato@lumu.io