Blogs

Blog

Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report

In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.

The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.

Flashpoint’s 2026 Global Threat Intelligence Report

Flashpoint’s 2026 Global Threat Intelligence Report (GTIR) was developed to anchor security leaders — from threat intelligence and vulnerability management teams to physical security professionals and the CISO’s office — with the data required to navigate this year’s greatest threats, rife with infostealers, vulnerabilities, ransomware, and malicious insiders.

Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:

• AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
• 3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
• From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
• Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.

These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:

1. A Clear Understanding of the New Convergence Between Identity and AI
   Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
   
2. Intelligence on the “Franchise Model” of Global Extortion
   Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
   
3. A Blueprint for Proactive Defense and Risk Mitigation
   Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.

“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”

Josh Lefkowitz, CEO & Co-Founder at Flashpoint

The Top Threats at a Glance

Our latest report identifies four driving themes shaping the 2026 threat landscape:

2026 Is the Era of Agentic-Based Cyberattacks

Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.

“2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.”

Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint

Identity Is the New Exploit

Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.

The Patching Window Is Rapidly Closing

Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.

Ransomware Is Hacking the Person, Not the Code

As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.

Build Resilience in a Converged Landscape

The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.

Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.

Blogs

Blog

What to Know About the Notepad++ Supply-Chain Attack

In this post we examine the mechanics of the CVE-2025-15556 supply-chain attack and provide actionable steps to secure your environment.

The cybersecurity community is still grappling with a sobering realization: one of the most ubiquitous tools in the developer’s toolkit, Notepad++, was hiding a critical vulnerability for over six months. Being so deeply embedded in daily workflows, many organizations did not realize they were vulnerable until a recent security update pulled back the curtain on a sophisticated Chinese state-sponsored campaign, dubbed “Lotus Blossom.”

Investigations have confirmed that the issue wasn’t just a coding error, it was a compromise at the hosting provider level. This means that for much of 2025, even organizations that followed best practices were still potentially open to backdoors from Chinese advanced persistent threat (APT) groups. Here is what you need to know to secure your environment.

Understanding the Notepad++ Vulnerability (CVE-2025-15556)

The vulnerability, tracked as CVE-2025-15556 (VulnDB ID: 430205), exploits a critical flaw in the Notepad++ updater component, WinGUP. In versions prior to the February 2026 patch, the updater failed to verify the file integrity signatures of downloaded installers.

By exploiting this lack of verification, threat actors are able to:

• Intercept legitimate update requests originating from WinGUp servers
• Redirect traffic to malicious servers via Man-in-the-Middle (MitM) attacks or DNS cache poisoning
• Deliver trojanized executables (disguised as update.exe) that appeared to be legitimate software patches

Leveraging this vulnerability, attackers have gained a persistent presence in high-value sectors. According to reports from Kaspersky, the impact has spanned government and telecommunications, critical infrastructure, and financial services.

How CVE-2025-15556 Works

The state-sponsored Lotus Blossom campaign was executed in three attack chains, between July and October 2025. Each phase evolved to evade detection by changing file sizes, IP addresses, and delivery methods.

Phase	Timeline (2025)	Execution Method	Payload
Chain #1	July – August	1MB NSIS installer (update.exe)	Multi-stage attack launching a Cobalt Strike beacon via ProShow.exe.
Chain #2	September	140KB NSIS installer (update.exe)	Rotated C2 URLs to maintain stealth while dropping a Cobalt Strike beacon.
Chain #3	October	Backdoor Deployment	Dropped BluetoothService.exe, log.DLL, and shellcode to establish the Chrysalis backdoor.

Mapping CVE-2025-15556 to MITRE ATT&CK

Flashpoint has mapped Lotus Blossom TTPs (tactics, tools, and procedures) to the MITRE ATT&CK framework. Flashpoint analysts have identified the following techniques:

Execution

Technique Title	ID	Recommendations
User Execution: Malicious File	T1204.002	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention M1017: User Training
Native API	T1106	M1040: Behavior Prevention on Endpoint M1038: Execution Prevention
Command and Scripting Interpreter: Windows Command Shell	T1059.003	M1038: Execution Prevention

Persistence

Technique Title	ID	Recommendations
Hijack Execution Flow: DLL	T1574.002	M1013: Application Developer Guidance M1047: Audit M1038: Execution Prevention M1044: Restrict Library Loading M1051: Update Software
Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder	T1547.001	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Create or Modify System Process: Windows Service	T1543.003	M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1028: Operating System Configuration M1018: User Account Management

Defense Evasion

Technique Title	ID	Recommendations
Masquerading	T1036	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1045: Code Signing M1038: Execution Prevention M1022: Restrict File and Directory Permissions M1018: User Account Management M1017: User Training
Obfuscated Files or Information	T1027	M1049: Antivirus/Antimalware M1047: Audit M1040: Behavior Prevention on Endpoint M1017: User Training
Obfuscated Files or Information: Dynamic API Resolution	T1027.007	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Deobfuscate/Decode Files or Information	T1140	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Process Injection	T1055	M1040: Behavior Prevention on Endpoint M1026: Privileged Account Management
Reflective Code Loading	T1620	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Execution Guardrails: Mutual Exclusion	T1480.002	M1055: Do Not Mitigate
Indicator Removal: File Deletion	T1070.004	*MITRE currently does not list any mitigation guidance to combat this attack technique.

Discovery

Technique Title	ID	Recommendations
File and Directory Discovery	T1083	*MITRE currently does not list any mitigation guidance to combat this attack technique.
Ingress Tool Transfer	T1105	M1031: Network Intrusion Prevention

Collection

Technique Title	ID	Recommendations
Data from Local System	T1005	M1057: Data Loss Prevention

Command and Control

Technique Title	ID	Recommendations
Application Layer Protocol: Web Protocols	T1071.001	M1031: Network Intrusion Prevention
Encrypted Channel	T1573	M1031: Network Intrusion Prevention M1020: SSL/TLS Inspection

Exfiltration

Technique Title	ID	Recommendations
Exfiltration Over C2 Channel	T1041	M1057: Data Loss Prevention M1031: Network Intrusion Prevention

Protecting Against CVE-2025-15556

Proactive defense requires not only reactive patching of CVE-2025-15556, but also active threat hunting using the TTPs identified by Flashpoint analysts. Flashpoint recommends the following actions:

1. Immediate Update: Ensure all instances of Notepad ++ are updated to v8.9.1 or higher immediately. This version enforces the signature verification that was missing in previous releases.
2. Audit System Paths: Scan for malicious file paths used for persistence.
3. Network Defense: Monitor and block traffic to malicious domains.
4. Endpoint Hardening: Implement Behavior Prevention on Endpoints (M1040) and Audit (M1047) to detect unauthorized registry run keys or new system services.

Outpace Threat Actors Using Flashpoint

Software trust is only as strong as the infrastructure behind it. As organizations respond to these recent updates, having best-in-class vulnerability intelligence and direct visibility into threat actor TTPs is the best defense.

Leveraging Flashpoint vulnerability intelligence, organizations can move beyond CVE and NVD, by gaining deeper technical analysis and MITRE ATT&CK mapping to defend against sophisticated threat actors. Request a demo to learn more.

Begin your free trial today.

Blogs

Blog

N-Day Vulnerability Trends: The Shrinking Window of Exposure and the Rise of “Turn-Key” Exploitation

In this post we explore the data-driven shrinkage of the Time to Exploit (TTE) window from 745 days to just 44, and examine why N-day vulnerabilities have become the “turn-key” weapon of choice for modern threat actors.

The race between defenders and threat actors has entered a new, more volatile phase: the rapidly accelerating exploitation of N-day vulnerabilities. Different from zero-days, N-day vulnerabilities are known security flaws that have been publicly disclosed but remain unpatched or unmitigated on an organization’s systems.

Historically, enterprises operated under the assumption of a “patching grace period,” the designated window of time allowed for a vendor to test and deploy a fix before a system is considered non-compliant or at high risk. However, this window is effectively collapsing, with Flashpoint finding that N-days now represent over 80% of all Known Exploited Vulnerabilities (KEVs) tracked over the past four years.

The Collapse of the Time to Exploit (TTE) Window

The most sobering trend for security operations (SecOps) and exposure management teams is the dramatic reduction in Time to Exploit (TTE). In 2020, the average TTE, the time between a vulnerability’s disclosure and its first observed exploitation, was 745 days. By 2025, Flashpoint found that this window has now plummeted to an average of just 44 days.

	2025	2024	2023	2022	2021	2020
Average TTE	44	115	296	405	518	745

This contraction represents a strategic shift in adversary tempo. Attackers are no longer waiting for complex, bespoke exploits; they are moving at breakneck speeds to weaponize public disclosures.

N-Days Provide a “Turn-Key” Exploit Advantage

Adversaries have gained a significant advantage through the rapid weaponization of researcher-published Proof-of-Concept (PoC) code. When a fully functional exploit is released alongside a vulnerability disclosure, it becomes a “turn-key” solution for attackers. By combining these ready-made exploits with internet-wide scanning tools like Shodan or FOFA, even unsophisticated threat actors can conduct mass exploitation across large segments of the internet in hours.

A prime example of this path of least resistance approach was observed in the leaked internal chat logs of the BlackBasta ransomware group. Analysis revealed that of the 65 CVEs discussed by the group, 54 were already known KEVs. Rather than spending resources on original zero-day research, threat actors are simply leveraging known, yet unpatched and exploitable vulnerabilities for their campaigns.

Defensive Software is a Primary Target for N-Days

The very software designed to protect enterprise firewalls, VPN gateways, and edge networking devices is consistently the most targeted category for both N-day and zero-day exploitation.

Because cybersecurity devices must be internet-facing to function, they provide a constant, unauthenticated attack surface. In 2025 alone, Flashpoint observed 37 N-days and 52 zero-days specifically targeting security and perimeter software. The requirement for these systems to remain open to external traffic means they will continue to be disproportionately targeted by advanced persistent threat (APT) groups and cybercriminals alike.

Attributing N-Day Attacks

While tracking the “how” of an attack is critical, tracking who is responsible remains a fragmented challenge for the industry. Attribution is often hampered by naming fatigue, where different vendors assign their own designated unique monikers to the same actor. For instance, the widely known threat actor group Lazarus has over 40 distinct designations across the industry, including “Diamond Sleet,” “NICKEL ACADEMY,” and “Guardians of Peace”.

Despite these naming complexities, global activity patterns remain clear. China remains the most active nation-state actor in the vulnerability exploitation space, consistently outpacing Russia, Iran, and North Korea in both the volume and scope of their campaigns.

Obstacles for Enterprise Security: Asset Blindness and the CVE Dependency Trap

Why are organizations struggling to keep pace? The primary factor isn’t a lack of effort, but a lack of visibility.

1. The Asset Inventory Gap

The single greatest breakthrough an enterprise can achieve is not a new AI tool, but a complete asset inventory. Most large organizations are lucky to have an accurate inventory of even 25% of their total assets. Without knowing what you own, vulnerability scans can take days or weeks to return results that the adversary is already using to probe your network.

2. The CVE Blindspot

Most traditional security tools are CVE-dependent. However, thousands of vulnerabilities are disclosed every year that never receive an official CVE ID. These “missing” vulnerabilities represent a massive blindspot for standard scanners. Intelligence-led exposure management requires looking beyond the CVE ecosystem into proprietary databases like Flashpoint’s VulnDB, which tracks over 105,000 vulnerabilities that public sources miss.

Move Towards Intelligence-Led Exposure Management Using Flashpoint

To survive in an era where weaponization can happen in under 24 hours, organizations must shift from reactive patching to a threat-informed and proactive security approach. This means:

• Prioritizing by Exploitability and Threat Actor Activity: Focus on vulnerabilities that are remotely exploitable and have known public exploits, rather than just high CVSS scores.
• Adopting an Asset-Inventory Approach: Moving away from slow, periodic scans in favor of continuous asset mapping that allows for immediate triage.
• Operationalizing Intelligence: Embedding real-time threat data directly into SOC and IR workflows to reduce the “mean time to action”.

The goal of exposure management is to look at your organization through the adversary’s lens. By understanding which N-days threat actors are actually discussing and weaponizing in the wild, defenders can finally start to close the window of exposure before a potential compromise can occur.

Flashpoint’s vulnerability threat intelligence can help your organization go from reactive to proactive. Request a demo today and gain access to quality vulnerability intelligence that enables intelligence-led exposure management.

Request a demo today.