TL;DR: The attacker playbook in 2026 looks fundamentally different from five years ago. Custom malware has given way to living-off-the-land techniques using legitimate system tools. Phishing has evolved from mass-blasted templates to AI-generated, context-aware messages that bypass both technical controls and human judgment. Identity, not endpoints, is the primary target, with Adversary-in-the-Middle kits stealing session tokens in real time to bypass MFA. And supply chain attacks have moved from theoretical to routine, targeting CI/CD pipelines, package registries, and developer tooling. The organizations that get breached in 2026 are the ones still defending against 2020's threat landscape.
AI-Assisted Reconnaissance and Exploitation
Large language models have fundamentally changed the economics of offensive operations. Tasks that required specialized expertise and hours of manual work — analyzing leaked source code for vulnerabilities, understanding complex application logic, crafting context-specific social engineering — can now be automated or dramatically accelerated.
Source code analysis at scale: When source code leaks via misconfigured repositories, exposed .git directories, or insider theft, attackers now feed it to LLMs that identify authentication bypass opportunities, hardcoded credentials, SQL injection vectors, and insecure deserialization patterns in minutes rather than days. The LLM understands code structure, follows data flows, and explains how to exploit what it finds.
Phishing content generation: AI-generated phishing emails are grammatically perfect, contextually appropriate, and tailored to the target's role, company, and recent activities. The tell-tale signs of phishing — awkward grammar, generic greetings, implausible urgency — no longer exist in sophisticated campaigns. Voice cloning enables vishing attacks where the caller sounds exactly like the target's CEO, referencing real projects and using the correct internal terminology.
Exploit development: LLMs assist in adapting proof-of-concept exploits to specific target environments, generating payloads that bypass particular WAF rule sets, and automating the tedious parts of exploitation — leaving the attacker to focus on the creative elements that still require human judgment.
Living Off the Land: Why Attackers Stopped Dropping Malware
The most sophisticated attackers in 2026 — both nation-state and criminal — rarely deploy custom malware. Instead, they use tools already present on every Windows system: PowerShell for scripting, WMI for remote execution, certutil for file downloads, mshta for script execution, rundll32 for DLL loading, and BITSAdmin for persistent file transfers.
This approach — called Living Off the Land Binaries (LOLBins) — defeats traditional detection models. These tools are digitally signed by Microsoft, used legitimately by IT administrators every day, and expected in normal system telemetry. An EDR alert on PowerShell execution would generate thousands of false positives per day in any enterprise environment.
Volt Typhoon, the Chinese threat group that pre-positioned itself in US critical infrastructure, operated almost entirely through LOLBins. Their persistence in compromised networks lasted months to years because their activity was indistinguishable from normal administration. No malware to detect, no C2 beacons to block, no suspicious binaries to analyze — just legitimate tools used for illegitimate purposes.
The defensive implication is significant: organizations that rely primarily on signature-based detection and malware sandboxing are blind to the most dangerous threats. Detection must shift to behavioral analytics — not what tool was used, but whether the pattern of activity makes sense for that user, at that time, from that system.
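The question "does this make sense for that user, at that time, from that system" can be expressed as a baseline check over process-creation events. The sketch below is an added example, not code from this article or from any EDR product; the event fields, the sample records, the working-hours window, and the use of wmic.exe to stand in for WMI are constructed assumptions.

```python
from datetime import datetime

# Image names for the built-in tools this article lists (wmic.exe stands in for WMI).
LOLBINS = {"powershell.exe", "wmic.exe", "certutil.exe", "mshta.exe",
           "rundll32.exe", "bitsadmin.exe"}
WORK_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal admin time


def build_baseline(history):
    """Learn which users and which hosts normally run each LOLBin."""
    by_user, by_host = set(), set()
    for e in history:
        image = e["image"].lower()
        if image in LOLBINS:
            by_user.add((e["user"], image))
            by_host.add((e["host"], image))
    return by_user, by_host


def score_event(event, baseline):
    """Return reasons a LOLBin execution departs from the baseline ([] = expected)."""
    by_user, by_host = baseline
    image = event["image"].lower()
    if image not in LOLBINS:
        return []
    reasons = []
    if (event["user"], image) not in by_user:
        reasons.append("user has not run this tool before")
    if (event["host"], image) not in by_host:
        reasons.append("tool not previously seen on this host")
    if datetime.fromisoformat(event["time"]).hour not in WORK_HOURS:
        reasons.append("outside normal working hours")
    return reasons


# Constructed sample telemetry (not real logs).
HISTORY = [
    {"user": "it-admin", "host": "SRV01", "image": "powershell.exe", "time": "2026-01-12T10:15:00"},
    {"user": "it-admin", "host": "SRV01", "image": "certutil.exe", "time": "2026-01-13T14:02:00"},
]
NEW_EVENTS = [
    {"user": "it-admin", "host": "SRV01", "image": "PowerShell.exe", "time": "2026-02-03T11:30:00"},
    {"user": "jsmith", "host": "WKS22", "image": "mshta.exe", "time": "2026-02-03T02:41:00"},
    {"user": "it-admin", "host": "SRV01", "image": "certutil.exe", "time": "2026-02-04T03:05:00"},
]

if __name__ == "__main__":
    baseline = build_baseline(HISTORY)
    for ev in NEW_EVENTS:
        print(ev["user"], ev["host"], ev["image"], score_event(ev, baseline))
```

The administrator's daytime PowerShell run produces no reasons, while the same administrator's 03:05 certutil run is flagged on time alone, which a tool-name rule could not distinguish.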
Identity-First Attacks: Credentials Are the New Perimeter
The perimeter dissolved years ago. Remote work, cloud services, SaaS applications, and zero-trust marketing all pushed identity to the center of security architecture. Attackers followed. Why exploit a vulnerability when you can simply log in?
Adversary-in-the-Middle (AiTM) Phishing
AiTM phishing kits (EvilProxy, Evilginx, Modlishka) proxy the entire login experience in real time. The victim enters their credentials and MFA code on what appears to be a legitimate login page. The phishing proxy forwards everything to the real service, captures the authenticated session cookie, and hands it to the attacker. MFA is completely bypassed because the attacker captures the post-authentication session token, not the MFA code itself. These kits are available as turnkey services for a few hundred dollars per month.
Session Token Theft
Browser infostealers (Raccoon, Vidar, Lumma) extract session cookies and authentication tokens directly from the victim's browser. With a valid session token, the attacker accesses every authenticated service — email, cloud consoles, source code repositories — without needing credentials or MFA. The tokens often remain valid for hours or days, even after the victim changes their password.
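Both AiTM capture and infostealer theft end with a valid session token being presented from a machine other than the one it was issued to, which is something access logs can show. The following is an added example, not code from this article or from any identity product; the event fields and sample records are constructed, and treating the first event of a session as its issuance context is an assumption.

```python
def find_replayed_sessions(events):
    """Flag sessions later presented from a different network AND a different client.

    events: time-ordered dicts with session_id, user, ip, asn, user_agent.
    The first event seen for a session ID is treated as its issuance context.
    """
    issued = {}    # session_id -> first event seen
    findings = {}  # session_id -> finding (one per session)
    for ev in events:
        sid = ev["session_id"]
        first = issued.setdefault(sid, ev)
        moved_network = ev["asn"] != first["asn"]
        new_client = ev["user_agent"] != first["user_agent"]
        # Either change alone is common (roaming, browser update); both together
        # on one live session is what replay from another machine looks like.
        if moved_network and new_client and sid not in findings:
            findings[sid] = {
                "user": ev["user"],
                "issued_from": (first["ip"], first["asn"]),
                "replayed_from": (ev["ip"], ev["asn"]),
            }
    return findings


# Constructed sample events in time order (documentation IP ranges and ASNs).
EVENTS = [
    {"session_id": "s-alice", "user": "alice", "ip": "192.0.2.10", "asn": 64500, "user_agent": "Chrome/131 Windows"},
    {"session_id": "s-bob", "user": "bob", "ip": "198.51.100.5", "asn": 64501, "user_agent": "Safari/18 macOS"},
    {"session_id": "s-bob", "user": "bob", "ip": "203.0.113.9", "asn": 64502, "user_agent": "Safari/18 macOS"},
    {"session_id": "s-carol", "user": "carol", "ip": "192.0.2.44", "asn": 64500, "user_agent": "Firefox/133 Linux"},
    {"session_id": "s-carol", "user": "carol", "ip": "192.0.2.44", "asn": 64500, "user_agent": "Firefox/134 Linux"},
    {"session_id": "s-alice", "user": "alice", "ip": "203.0.113.77", "asn": 64511, "user_agent": "Firefox/128 Linux"},
    {"session_id": "s-alice", "user": "alice", "ip": "203.0.113.77", "asn": 64511, "user_agent": "Firefox/128 Linux"},
]

if __name__ == "__main__":
    for sid, finding in find_replayed_sessions(EVENTS).items():
        print(sid, finding)
```

Because a password change does not necessarily end an existing session, the response to a finding is to revoke the session itself.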
Cloud Identity Federation Abuse
Compromising an identity provider (Okta, Azure AD, Google Workspace) provides access to every federated application. The 2023 Okta breach demonstrated this: attackers with access to Okta's support systems could impersonate customer administrator sessions, accessing every SaaS application connected via SSO. In 2026, identity provider compromise is the highest-value target in the attacker ecosystem.
Supply Chain as Attack Vector
Supply chain attacks have moved from headline-grabbing exceptions (SolarWinds, 2020) to a routine attack vector. The targets have expanded from build infrastructure to the entire software development lifecycle:
- CI/CD pipeline compromise: Targeting GitHub Actions, Jenkins plugins, and build scripts that run with elevated permissions. The tj-actions/changed-files compromise reached 23,000 repositories in March 2025 by injecting credential-stealing code into a widely used GitHub Action.
- Package registry poisoning: Dependency confusion attacks targeting private npm, PyPI, and Maven packages. Typosquatting packages that differ by one character from popular libraries. Compromising legitimate maintainer accounts to push malicious updates to trusted packages.
- Developer tooling: Malicious VS Code extensions, compromised IDE plugins, and trojanized development tools distributed through social engineering. North Korea's UNC4736 used a malicious VS Code tasks.json configuration to compromise developers at a cryptocurrency firm, leading to a $285M theft.
- Container image compromise: Backdoored Docker images on public registries, or injecting malicious layers during the build process. Organizations that pull base images without verification inherit whatever the attacker embedded.
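For the CI/CD case above, a workflow that references an action by tag or branch runs whatever code that reference points to at build time, whereas a full commit SHA cannot be repointed. The check below is an added example, not code from this article or from GitHub; the workflow text and the `example-org` action names are constructed.

```python
import re

USES = re.compile(r"^\s*(?:-\s*)?uses:\s*([^\s#]+)")
FULL_SHA = re.compile(r"[0-9a-f]{40}")


def unpinned_actions(workflow_text):
    """Return (line_no, reference) for each third-party action not pinned to a commit SHA."""
    hits = []
    for no, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local actions and container images need their own checks
        version = ref.partition("@")[2]
        if not FULL_SHA.fullmatch(version):
            hits.append((no, ref))
    return hits


# Constructed workflow file (action names under example-org are hypothetical).
WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: changed files
        uses: example-org/changed-files@main
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567  # v2.1.0
      - uses: ./.github/actions/local-lint
"""

if __name__ == "__main__":
    for line_no, ref in unpinned_actions(WORKFLOW):
        print(f"line {line_no}: {ref} is not pinned to a commit SHA")
```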
Cloud-Native Attack Chains
Cloud environments create attack chains that do not exist in traditional infrastructure. A single misconfiguration can cascade into full account compromise:
SSRF to IMDS to lateral movement: A Server-Side Request Forgery vulnerability in a cloud-hosted web application is used to query the Instance Metadata Service (IMDS) at 169.254.169.254, retrieving temporary IAM credentials. Those credentials provide access to S3 buckets, databases, and other AWS services — potentially across the entire account. This was the attack chain behind the Capital One breach, and it remains exploitable in organizations that have not migrated to IMDSv2 or properly scoped IAM roles.
Misconfigured IAM roles: Over-permissioned Lambda functions, EC2 instances with administrator-level IAM roles, and cross-account trust relationships that were configured broadly during initial cloud migration. Attackers enumerate IAM permissions after initial access and identify escalation paths through policy misconfigurations.
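Whether the SSRF-to-IMDS chain is reachable in an account can be checked from instance metadata options: IMDSv2 requires a session token obtained with a PUT request, while IMDSv1 answers a plain GET. The audit below is an added example, not code from this article or from AWS; it reads output shaped like `aws ec2 describe-instances`, and the sample instance IDs and ARNs are constructed.

```python
def audit_imds(describe_instances):
    """Return {instance_id: [findings]} for instances that still answer IMDSv1."""
    report = {}
    for reservation in describe_instances.get("Reservations", []):
        for inst in reservation.get("Instances", []):
            opts = inst.get("MetadataOptions", {})
            if opts.get("HttpEndpoint", "enabled") != "enabled":
                continue  # metadata service switched off: nothing for an SSRF to query
            # A missing HttpTokens value is treated as "optional" (conservative assumption).
            if opts.get("HttpTokens", "optional") == "required":
                continue  # IMDSv2 enforced
            findings = ["IMDSv1 accepted: plain GET requests are answered"]
            profile = inst.get("IamInstanceProfile")
            if profile:
                findings.append("IAM role credentials exposed via " + profile["Arn"])
            report[inst["InstanceId"]] = findings
    return report


# Constructed sample in the shape of describe-instances output (IDs are made up).
SAMPLE = {"Reservations": [{"Instances": [
    {"InstanceId": "i-0example000000001",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/web-app"}},
    {"InstanceId": "i-0example000000002",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "required"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/api"}},
    {"InstanceId": "i-0example000000003",
     "MetadataOptions": {"HttpEndpoint": "disabled", "HttpTokens": "optional"},
     "IamInstanceProfile": {"Arn": "arn:aws:iam::111122223333:instance-profile/batch"}},
    {"InstanceId": "i-0example000000004",
     "MetadataOptions": {"HttpEndpoint": "enabled", "HttpTokens": "optional"}},
]}]}

if __name__ == "__main__":
    for instance_id, findings in audit_imds(SAMPLE).items():
        print(instance_id, findings)
```

Instances that report both findings are the ones where the role's permissions decide how far a single SSRF reaches, so they are the first candidates for enforcing IMDSv2 and narrowing the role.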
Ransomware Evolution: Double Extortion and Beyond
Ransomware in 2026 is a multi-stage operation, not a single event. Modern ransomware groups operate like professional services firms — with recruitment, specialization, quality assurance, and customer support:
- Double extortion: Data is exfiltrated before encryption. Even if the victim restores from backups, the threat of public data release creates a second leverage point. Triple extortion adds DDoS attacks or threats to notify the victim's customers directly.
- Backup targeting: Attackers specifically identify and destroy backup infrastructure before deploying ransomware. Veeam servers, offline backup tapes, cloud backup repositories — all are targeted. The encryption event only happens after the attacker is confident recovery is impossible without paying.
- Affiliate model sophistication: Ransomware-as-a-Service (RaaS) platforms provide initial access brokers, affiliate operators, and negotiation teams as separate specialized roles. The attacker who gains initial access is often not the same entity that deploys ransomware, creating a marketplace for compromised network access.
EDR Evasion: The Cat-and-Mouse Continues
As endpoint detection and response (EDR) tools become more sophisticated, attackers invest in bypassing them. The techniques are increasingly low-level:
Direct syscalls: Instead of calling Windows API functions (which EDR hooks), attackers invoke system calls directly — bypassing the user-mode hooks that most EDR products rely on for visibility. Tools like SysWhispers generate direct syscall stubs that avoid ntdll.dll entirely.
Kernel callback removal: Attackers with elevated privileges can remove the kernel callbacks that EDR drivers register to receive notifications about process creation, thread injection, and file operations. Without these callbacks, the EDR is effectively blind.
BYOVD (Bring Your Own Vulnerable Driver): Loading a signed but vulnerable kernel driver to gain kernel-level access, then using that access to disable EDR protection. Because the driver is legitimately signed, it loads without issue — and the vulnerability provides the attacker with arbitrary kernel read/write capability.
Attack Technique Evolution: 2020 vs 2023 vs 2026
| Category | 2020 | 2023 | 2026 |
|---|---|---|---|
| Initial Access | Exploit public-facing vulns, phishing with macros | Phishing with ISO/LNK, stolen credentials | AI-crafted phishing, AiTM MFA bypass, supply chain |
| Persistence | Scheduled tasks, registry run keys, custom backdoors | LOLBins, WMI subscriptions, DLL sideloading | Identity persistence (OAuth apps, federation), cloud-native persistence |
| Lateral Movement | PsExec, RDP, SMB with malware | WinRM, DCOM, pass-the-hash | Cloud IAM pivoting, identity token reuse, SaaS-to-SaaS |
| Defense Evasion | Packers, crypters, process injection | Unhooking, direct syscalls, AMSI bypass | BYOVD, kernel callback removal, EDR-aware tooling |
| Exfiltration | HTTP/HTTPS to C2 server | Cloud storage (S3, Azure Blob), DNS tunneling | Legitimate SaaS (OneDrive, Slack), encrypted channels blending with normal traffic |
| Impact | Single extortion ransomware | Double extortion, data theft | Triple extortion, backup destruction, supply chain propagation |
What This Means for Defenders
The evolution of attacker techniques has clear implications for security programs:
- Assume breach is not a philosophy — it is a testing methodology. If your security program has never tested what happens after an attacker gets initial access, you do not know whether your detection and response capabilities work. Assumed-breach penetration testing validates internal defenses against the techniques described in this post.
- Identity is the new endpoint. Invest in phishing-resistant MFA (FIDO2/WebAuthn), conditional access policies, session token monitoring, and identity threat detection. AiTM kits render SMS and push-based MFA ineffective.
- Behavioral detection over signatures. LOLBin abuse, identity-based attacks, and fileless techniques are invisible to signature-based detection. Your security stack must detect anomalous behavior — unusual authentication patterns, lateral movement sequences, privilege escalation events — not just known-bad indicators.
- Supply chain security is not optional. Pin dependencies, verify signatures, audit CI/CD permissions, and monitor for anomalous package updates. The next SolarWinds-scale event will target the developer toolchain.
Test Against Real-World Attacker Techniques
Lorikeet Security's penetration testing engagements simulate the techniques modern attackers actually use — not outdated playbooks. From assumed-breach internal testing to web application and cloud security assessments, we validate whether your defenses stop today's threats.