Today’s threat landscape is more diverse and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric DDoS attacks. Deepfakes and fraudsters interviewing at your company. Even stealth attacks via trusted internal tools like Google Calendar, Dropbox, and GitHub.
After spending the past year translating trillions of network signals into actionable intelligence, Cloudforce One has identified a fundamental evolution in the threat landscape: the era of brute-force entry is fading. In its place is a model of high-trust exploitation that prioritizes outcomes at all costs. To equip defenders with a strategic roadmap for this new era, today we are releasing the inaugural 2026 Cloudflare Threat Report. This report provides the intelligence organizations need to navigate the rise of industrialized cyber threats.
The new barometer for risk: Measure of Effectiveness (MOE)
Cloudforce One has observed a broader shift in attacker psychology. To understand how these techniques win, we have to look at the why behind them: the Measure of Effectiveness, or MOE.
In 2026, the modern adversary is trading the pursuit of “sophistication” (complex, expensive, one-off hacks) for throughput. MOE is the metric attackers use to decide what to exploit next. It is a cold calculation of the ratio of effort to operational outcome.
Why use an expensive zero-day exploit when a stolen session token (Identity) has a higher MOE?
Why build a custom server when a reputation shield (LotX) provides free, nearly untraceable infrastructure with a high delivery rate?
Why write code manually when AI can automate the discovery of the connective tissue that links your most sensitive data?
In 2026, the most dangerous threat actors are not the ones with the most advanced code; they are the ones who can integrate intelligence and technology into a single, continuous system that achieves their mission in the shortest time possible.
Key findings from the 2026 Cloudflare Threat Report
Eight key trends, all driven by their MOE, will define the threat landscape in 2026:
AI is automating high-velocity attacker operations. Threat actors use generative AI for real-time network mapping, exploit development, and the creation of deepfakes, enabling low-skill actors to conduct high-impact operations.
State-sponsored pre-positioning is compromising critical infrastructure resilience. Chinese threat actors, including Salt Typhoon and Linen Typhoon, are prioritizing North American telecommunications, industry, government, and IT services, anchoring their presence now for long-term geopolitical leverage.
Over-privileged SaaS integrations are expanding the blast radius of attacks. As demonstrated by the GRUB1 breach of Salesloft, the connective tissue of third-party API integrations allows a single compromised API to cascade into a breach affecting hundreds of distinct corporate environments.
Adversaries are weaponizing trusted cloud tooling to mask attacks. Threat actors actively target legitimate SaaS, IaaS, and PaaS tools such as Google Calendar, Dropbox, and GitHub to camouflage malicious activity within benign business activity.
Deepfake personas are embedding adversarial operatives within Western payrolls. North Korea has operationalized the remote IT worker scheme, using deepfakes and fraudulent identities to embed state-sponsored operatives directly into Western payrolls for espionage and illicit revenue.
Token theft is neutralizing multi-factor authentication. By weaponizing infostealers like LummaC2 to harvest active session tokens, attackers bypass traditional multi-factor authentication and move straight to post-authentication activity.
Relay blind spots are enabling internal brand spoofing. Phishing-as-a-service bots are exploiting a blind spot where mail servers fail to re-verify a sender’s identity, allowing high-trust brand impersonations to be delivered directly to user inboxes.
Hyper-volumetric strikes are exhausting infrastructure capacity. Hyper-volumetric distributed denial-of-service (DDoS) attacks, fueled by massive botnets like Aisuru, are breaking records regularly, closing the window for human response.
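The token-theft finding above works because a harvested session token is accepted wherever it is replayed. One mitigation is to bind each server-side session to the client context it was issued to and to revoke it when the same token shows up from a different context, so the stolen copy forces a fresh MFA step instead of silently inheriting the login. The Python below is an added example, not Cloudflare’s code or a description of any product: the `SessionStore` class, its binding of a token to the client /24 plus User-Agent, and the timeouts are all assumptions chosen for illustration.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    context: str       # hash of the client context the token was issued to
    issued_at: float
    last_seen: float


class SessionStore:
    """Server-side session store that binds each token to the client context it was issued to.

    Tokens are stored hashed, so a dump of the store does not yield usable tokens.
    A valid token presented from a different context is treated as possibly stolen:
    the session is revoked and the caller is told to require a fresh MFA step.
    """

    def __init__(self, absolute_ttl=8 * 3600, idle_ttl=15 * 60, clock=time.time):
        self._sessions = {}
        self.absolute_ttl = absolute_ttl
        self.idle_ttl = idle_ttl
        self.clock = clock  # injectable for testing

    @staticmethod
    def _context(ip, user_agent):
        # Assumption for this example: bind to the client /24 plus User-Agent so that a
        # NAT pool change does not log users out. Stricter binding (device cookie, TLS
        # fingerprint) or looser binding (ASN) is a deployment choice.
        network = ".".join(ip.split(".")[:3]) + ".0/24"
        return hashlib.sha256(f"{network}|{user_agent}".encode()).hexdigest()

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user, ip, user_agent):
        """Issue a new random token after the user has completed login, including MFA."""
        token = secrets.token_urlsafe(32)
        now = self.clock()
        self._sessions[self._key(token)] = Session(user, self._context(ip, user_agent), now, now)
        return token

    def validate(self, token, ip, user_agent):
        """Return (status, user); status is one of ok, unknown, expired, context_mismatch."""
        key = self._key(token)
        s = self._sessions.get(key)
        if s is None:
            return "unknown", None
        now = self.clock()
        if now - s.issued_at > self.absolute_ttl or now - s.last_seen > self.idle_ttl:
            del self._sessions[key]
            return "expired", s.user
        if s.context != self._context(ip, user_agent):
            # The token is genuine but arrives from a new client: revoke it rather than
            # trust it, and let the application demand a fresh MFA challenge.
            del self._sessions[key]
            return "context_mismatch", s.user
        s.last_seen = now
        return "ok", s.user


if __name__ == "__main__":
    store = SessionStore()
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/128.0"
    token = store.issue("alice", "203.0.113.10", ua)          # constructed login
    print(store.validate(token, "203.0.113.10", ua))           # ('ok', 'alice')
    # The same token replayed from a different network and browser, as an infostealer would:
    print(store.validate(token, "198.51.100.7", "Mozilla/5.0 (Windows NT 10.0) Chrome/131.0"))
    print(store.validate(token, "203.0.113.10", ua))           # revoked: ('unknown', None)
```

A `context_mismatch` result should be logged with both contexts, since a burst of such events across many users is itself a signal of an infostealer campaign rather than a single forgotten laptop.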
Now let’s take a deeper look at one high-MOE tactic we identified: weaponized cloud tooling. Instead of using known malicious servers, attackers are using legitimate cloud ecosystems like Google Drive, Microsoft Teams, and Amazon S3 to mask their command-and-control (C2) traffic. This is known as “living off the land” (or off of anything-as-a-service): wearing the uniform of trusted providers, attackers make their activity nearly indistinguishable from benign corporate traffic.
SaaS platforms are also being used by threat actors to host, launch, redirect, or scale attacks. For example, services like Amazon SES and SendGrid, designed for legitimate bulk email delivery, are regularly exploited to launch sophisticated phishing and malware distribution campaigns.
How some groups are applying these tactics
While the exploitation of cloud resources is established tradecraft, 2025 investigations highlighted an accelerated maturation in nation-state strategy: actors are continuing to shift from mere infrastructure abuse toward pervasive living-off-the-land. We predict that in 2026, threat actors will attempt to standardize these techniques as a strategic objective for their operational playbooks.
Here are some of these threat actor groups, where they are based, and examples of their approaches.
| Threat Actor | Country | Technique | Details | Example |
|---|---|---|---|---|
| FrumpyToad | China | Logic-based C2 | Moving “inside the box” of reputable SaaS logic to evade detection. | Weaponizes Google Calendar for a cloud-to-cloud C2 loop, reading and writing encrypted commands directly into event descriptions. |
| PunyToad | China | Encrypted tunneling | Using legitimate developer tools to bypass egress filtering. | Uses tunneling capabilities and cloud computing to create resilient, living-off-the-cloud architectures, masking backend origin IPs and prioritizing long-term persistence. |
| NastyShrew | Russia | Paste site dead drop resolvers | Using public “paste” sites to coordinate shifting infrastructure. | Uses services like Teletype.in and Rentry.co as dead drop resolvers (DDR); infected hosts poll these sites to retrieve rotating C2 addresses. |
| PatheticSlug | North Korea | PaaS-ing the perimeter | Exploiting the “reputation shield” of cloud ecosystems to mask malicious delivery. | Used Google Drive and Dropbox to host XenoRAT payloads, leveraging GitHub for covert C2, successfully blending into legitimate business traffic. |
| CrustyKrill | Iran | SaaS-hosted phishing | Blending credential harvesting into common cloud hosting. | Hosts C2 pages on Azure Web Apps (.azurewebsites.net) and uses ONLYOFFICE to host payloads, giving their operations a veneer of legitimacy. |
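Traffic to a trusted SaaS destination cannot be blocked by reputation, but the C2 patterns in the table above (the Calendar C2 loop, the paste-site dead drop polling) share a tell that legitimate users lack: a timer drives them, so requests arrive at near-constant intervals. The Python below is an added example, not Cloudflare’s code or anything from the report: it runs a simple beaconing detector over a constructed proxy log (the workstation names `ws-17` and `ws-22`, the timestamps, the paths and the byte counts are all made up for illustration) and flags source/destination pairs whose inter-request timing has almost no variance.

```python
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not real telemetry), one request per line:
# "<utc timestamp> <src host> <method> <dest host> <path> <bytes>"
SAMPLE_LOG = """\
2026-02-03T09:00:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1452
2026-02-03T09:00:05Z ws-17 GET rentry.co /raw/a1b2c3 318
2026-02-03T09:00:12Z ws-22 GET www.googleapis.com /calendar/v3/calendars/primary/events 5120
2026-02-03T09:01:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1460
2026-02-03T09:02:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1455
2026-02-03T09:03:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1449
2026-02-03T09:03:47Z ws-22 POST www.googleapis.com /calendar/v3/calendars/primary/events 870
2026-02-03T09:04:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1461
2026-02-03T09:04:02Z ws-22 GET www.googleapis.com /calendar/v3/calendars/primary/events 2311
2026-02-03T09:05:00Z ws-17 GET www.googleapis.com /calendar/v3/calendars/primary/events 1452
2026-02-03T09:05:05Z ws-17 GET rentry.co /raw/a1b2c3 318
2026-02-03T09:10:05Z ws-17 GET rentry.co /raw/a1b2c3 318
2026-02-03T09:15:05Z ws-17 GET rentry.co /raw/a1b2c3 318
2026-02-03T09:31:55Z ws-22 GET www.googleapis.com /calendar/v3/calendars/primary/events 14033
2026-02-03T09:40:00Z ws-22 GET www.dropbox.com /home 9731
2026-02-03T10:12:08Z ws-22 GET www.googleapis.com /calendar/v3/calendars/primary/events 660
"""


def parse_log(text):
    """Parse the whitespace-separated format above into dicts with a datetime and an int size."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, method, dst, path, size = line.split()
        records.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src, "method": method, "dst": dst, "path": path, "bytes": int(size),
        })
    return records


def find_beacons(records, min_requests=4, max_cv=0.2):
    """Flag (src, dst) pairs whose request timing is too regular to be a person.

    cv is the coefficient of variation of the inter-request interval (stdev / mean).
    Values near zero mean a scheduler is driving the traffic; human browsing is bursty.
    """
    groups = defaultdict(list)
    for r in records:
        groups[(r["src"], r["dst"])].append(r)

    findings = []
    for (src, dst), reqs in groups.items():
        if len(reqs) < min_requests:
            continue  # too few samples to say anything about the rhythm
        reqs.sort(key=lambda r: r["ts"])
        intervals = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        mean = statistics.mean(intervals)
        if mean <= 0:
            continue
        cv = statistics.pstdev(intervals) / mean
        if cv <= max_cv:
            findings.append({
                "src": src, "dst": dst, "count": len(reqs),
                "mean_interval": mean, "cv": round(cv, 3),
                "distinct_paths": len({r["path"] for r in reqs}),
            })
    findings.sort(key=lambda f: f["cv"])
    return findings


if __name__ == "__main__":
    for f in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{f['src']} -> {f['dst']}: {f['count']} requests every "
              f"{f['mean_interval']:.0f}s (cv={f['cv']}, paths={f['distinct_paths']})")
```

In this constructed log, `ws-17` polls the Calendar API every 60 seconds and the paste site every 5 minutes and is flagged for both, while `ws-22` uses the same Calendar endpoint at irregular human intervals and is not. Legitimate sync clients also poll on timers, so in production this signal is best combined with the owning process, the number of distinct paths, and payload size entropy before it raises an alert.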
How Cloudforce One unmasked the 2026 landscape
Establishing MOE requires more than just high-level commentary. To truly unmask the 2026 landscape, this report details how Cloudforce One leverages a unique blend of internal expertise and global telemetry to uncover insights that traditional security models miss.
Our methodology is diverse. For example:
As part of our AI-driven defense research, we tasked an AI coding agent with a self-vulnerability assessment, using the agent to uncover its own security gaps. This “dogfooding” uncovered CVE-2026-22813 (9.4 CVSS), a critical flaw in markdown rendering pipelines allowing unauthenticated Remote Code Execution.
Our deep dives into Phishing-as-a-Service (PhaaS) reveal that the barrier to entry has vanished. Analysts observed attackers leveraging high-reputation domains (Google Drive, Azure, etc.) to bypass filters. Email telemetry found an identity gap, where nearly 46% of analyzed emails failed DMARC (an email authentication protocol), revealing a large surface area that PhaaS bots are rapidly exploiting.
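The identity gap behind that DMARC figure, and the relay blind spot named in the key findings, come down to one check: does the domain that passed SPF or DKIM align with the From domain the user actually sees? A relay that only checks SPF against the MAIL FROM domain will happily pass a message whose visible From is a spoofed brand. The Python below is an added example, not Cloudflare’s code or a description of any Cloudflare product: it parses a DMARC record, applies identifier alignment, and returns the disposition. The domains (`brand.example`, `bulk.attacker.example`, `forwarder.example`) are constructed, and the organizational-domain helper is a deliberate simplification that takes the last two labels instead of consulting the Public Suffix List.

```python
def parse_dmarc_record(txt):
    """Parse a DMARC TXT record such as 'v=DMARC1; p=reject; adkim=s' into a dict.

    Missing policy/alignment tags get the defaults the DMARC spec prescribes:
    p=none, and relaxed ('r') alignment for both DKIM and SPF.
    """
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        raise ValueError("not a DMARC record")
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Simplified organizational domain: the last two labels. Real deployments use the Public Suffix List."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed ('r') the same org domain."""
    if not auth_domain:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate_dmarc(record, from_domain, spf_result, spf_domain, dkim_result, dkim_domain):
    """Apply a parsed DMARC record to one message's SPF and DKIM results.

    from_domain is the RFC 5322 From domain the recipient sees; spf_domain is the
    RFC 5321 MAIL FROM domain SPF was evaluated against; dkim_domain is the d= of a
    signature that verified. A message passes only if at least one passing mechanism
    is also aligned with the visible From domain; otherwise the record's policy applies.
    """
    spf_aligned = spf_result == "pass" and aligned(from_domain, spf_domain, record["aspf"])
    dkim_aligned = dkim_result == "pass" and aligned(from_domain, dkim_domain, record["adkim"])
    passed = spf_aligned or dkim_aligned
    return {
        "dmarc": "pass" if passed else "fail",
        "spf_aligned": spf_aligned,
        "dkim_aligned": dkim_aligned,
        "disposition": "none" if passed else record["p"],
    }


if __name__ == "__main__":
    record = parse_dmarc_record("v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc-rua@brand.example")
    # Constructed case 1: brand impersonation. The sender's own MAIL FROM domain passes SPF,
    # which is all a relay checking only SPF would see, but it is not aligned with the
    # visible From domain and there is no DKIM signature, so DMARC fails and p=reject applies.
    print(evaluate_dmarc(record, "brand.example", "pass", "bulk.attacker.example", "none", None))
    # Constructed case 2: legitimate mail through a forwarder. SPF breaks on forwarding, but
    # the brand's DKIM signature survives and is aligned, so DMARC passes.
    print(evaluate_dmarc(record, "brand.example", "fail", "forwarder.example", "pass", "brand.example"))
```

The second case is why DKIM matters for forwarded mail, and the first is why an SPF pass on its own says nothing about the brand in the From header: only alignment connects the authenticated identity to the one the user trusts.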
We tracked the transition from stealthy exploitation to attempted blackout, uncovering a 31.4 Tbps baseline for DDoS. Our telemetry also confirmed that, in the past 3 months, 63% of all logins involve credentials already compromised elsewhere and that 94% of all login attempts now originate from bots.
Through every stage of this research, Cloudforce One has leveraged our vast global telemetry and frontline threat intelligence to connect the dots across seemingly isolated incidents. Whether we are dogfooding our own AI agents to preempt zero-day exploits or tracking attacks launched by millions of bot-infected hosts tunneling through residential proxies, this unified visibility allows us to see the throughline between a single phished credential and a multi-terabit blackout.
The path forward: Drive MOE to zero with autonomous defense
Identifying these throughlines is only the first step. When threats move at machine speed, human-centric defense is no longer a viable shield. To counter “offense by the system,” defenders across the industry must pivot to a model of autonomous defense in order to drive the adversary’s MOE to zero.
This shift toward autonomous defense requires moving beyond manual checklists and fragmented alerts. Organizations must harden the connective tissue of their networks, using real-time visibility and automated response capabilities. In this new era, the goal is no longer just to build a better wall; it is to ensure your system can act faster than the attacker, even when no one is watching.
To support this shift, today we are debuting a major upgrade to our threat events platform: evolving from simple data access to a fully automated, visual command center for your security operations center.
Get the 2026 Cloudflare Threat Report
Through our unmatched threat visibility and the expertise of our Cloudforce One researchers, we provide the intelligence you need to outpace industrialized cyber threats. To explore the full data set, deep-dive case studies, and tactical recommendations, read the complete 2026 Cloudflare Threat Report.
And if you are interested in learning more about our threat intelligence, managed defense, or incident response offerings, contact Cloudforce One experts.