The 2026 Cybersecurity Threat Landscape: Persistent Adversaries, Repeatable Playbooks

As a threat intelligence team, our job is to separate noise from persistence in the cybersecurity threat landscape. In this article, we assess the threats most likely to remain and evolve through 2026 based on the threat actors, campaigns, and malware we have tracked and researched during the last year. Our work centers on tracking adversaries with a strong footprint in the underground ecosystem: forums, Telegram channels, data leak sites, and marketplaces where cybercriminals operate.

New attack analysis: What you need to know about the Endesa data breach

Following the recent cyberattack on Endesa, one of Spain’s largest electricity and gas providers, Outpost24’s threat intelligence team has compiled a comprehensive analysis of the incident based on publicly available evidence from underground forums, leaked dataset listings, and the threat actor’s own statements.

KrakenLabs Research Highlights 2025: The Shifts That Redefined the Threat Landscape

In 2025, KrakenLabs tracked a series of shifts that reshaped how cyber threats materialized across organizations. Drawing on research conducted throughout the year, this article highlights the most consequential developments observed by KrakenLabs in 2025, where attacker success depended less on new tools or novel exploits and more on the large-scale exploitation of people, identity, and trusted access.

700Credit Breach: What Organizations Need to Know

700Credit, a US-based credit check and compliance provider, disclosed in late October that it had suffered a significant data breach affecting nearly 18,000 dealerships and more than 5.6 million consumers. According to the company’s disclosure and subsequent reporting, the exposed data includes names, addresses, dates of birth, and Social Security numbers.

Understanding React2Shell: Critical Remote Code Execution in React Server Components and Next.js

React2Shell is the name commonly used to describe a set of critical vulnerabilities affecting React Server Components (RSC) and frameworks that rely on them, including Next.js. Since disclosure, security teams have observed continued exploitation attempts targeting exposed applications, with attackers abusing the vulnerability to gain unauthorized code execution on affected servers.

Outpost24 Acquires Infinipoint to Power Its Entry into the Zero Trust Workforce Access Market

The strategic acquisition strengthens market leadership by unifying user identity with device trust, eliminating security blind spots. STOCKHOLM / PHILADELPHIA (December 9, 2025) – Outpost24, a leader in exposure management and identity security, today announced the acquisition of Infinipoint, a specialist in device identity, posture validation, and secure workforce access.

UK Cyber Security and Resilience Bill: What you need to know

The UK government introduced the Cyber Security and Resilience Bill to Parliament on November 12th, 2025. Science, Innovation and Technology Secretary Liz Kendall stated: “Cybersecurity is national security. This legislation will enable us to confront those who would disrupt our way of life.” If you work in healthcare, energy, water, transport, or supply IT services to these sectors, this legislation will directly affect how you manage cybersecurity.

How Outpost24 delivers operational resilience for DORA

The EU’s Digital Operational Resilience Act (DORA) has just turned a year old. This regulation represented a fundamental shift in how the financial sector manages ICT risk, moving beyond traditional compliance to demand continuous, demonstrable digital operational resilience. A year on, the focus has changed. Organizations can no longer just avoid cyber incidents. They need to prove they can withstand, respond to, and recover from disruptions quickly and effectively.

Salesforce breach escalates: Qantas & Vietnam Airlines data leaked on dark web

The recent developments surrounding the Salesforce data breach serve as a stark reminder of the persistent threats organizations face. What began as a concerning incident earlier this summer has now escalated dramatically, with threat actors following through on their threats and releasing a substantial trove of Qantas customer data to the public.