{
	"id": "d42efad2-8e2a-42ff-9c4b-9762668edc72",
	"created_at": "2026-04-29T02:20:27.608344Z",
	"updated_at": "2026-04-29T08:22:36.367696Z",
	"deleted_at": null,
	"sha1_hash": "27c08e0a03e65cea5d3652ff2168aaf8dd9657f9",
	"title": "Introducing the 2026 Cloudflare Threat Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 215392,
	"plain_text": "Introducing the 2026 Cloudflare Threat Report\r\nBy Cloudforce One\r\nPublished: 2026-03-03 · Archived: 2026-04-29 02:09:18 UTC\r\nIntroducing the 2026 Cloudflare Threat Report\r\n2026-03-03\r\n5 min read\r\nToday’s threat landscape is more varied and chilling than ever: Sophisticated nation-state actors. Hyper-volumetric\r\nDDoS attacks. Deepfakes and fraudsters interviewing at your company. Even stealth attacks via trusted internal\r\ntools like Google Calendar, Dropbox, and GitHub.\r\nAfter spending the last year translating trillions of network signals into actionable intelligence, Cloudforce One\r\nhas identified a fundamental evolution in the threat landscape: the era of brute force entry is fading. In its place is\r\na model of high-trust exploitation that prioritizes results at all costs. In order to equip defenders with a strategic\r\nroadmap for this new era, today we are releasing the inaugural 2026 Cloudflare Threat Report. This report\r\nprovides the intelligence organizations need to navigate the rise of industrialized cyber threats.\r\nThe new barometer for risk: Measure of Effectiveness (MOE)\r\nCloudforce One has observed a broader shift in attacker psychology. To understand how these methods win, we\r\nhave to look at the why behind them: the Measure of Effectiveness, or MOE.\r\nhttps://blog.cloudflare.com/2026-threat-report/\r\nPage 1 of 5\n\nIn 2026, the modern adversary is trading the pursuit of \"sophistication\" (complex, expensive, one-off hacks) in\r\nfavor of throughput. MOE is the metric attackers use to decide what to exploit next. 
It is a cold calculation of the ratio of effort to operational outcome.\r\nWhy use an expensive zero-day exploit when a stolen session token (Identity) has a higher MOE?\r\nWhy build a custom server when a reputation shield (LotX, living off anything-as-a-service) provides free, nearly untraceable infrastructure with a high delivery rate?\r\nWhy write code manually when AI can automate the discovery of the connective tissue that links your most sensitive data?\r\nIn 2026, the most dangerous threat actors aren’t the ones with the most advanced code; they’re the ones who can integrate intelligence and technology into a single, continuous system that achieves their mission in the shortest time possible.\r\nKey findings from the 2026 Cloudflare Threat Report\r\nEight key trends, all driven by their MOE, will define the threat landscape in 2026:\r\n1. AI is automating high-velocity attacker operations. Threat actors use generative AI for real-time network mapping, exploit development, and the creation of deepfakes, enabling low-skill actors to conduct high-impact operations.\r\n2. State-sponsored pre-positioning is compromising critical infrastructure resilience. Chinese threat actors, including Salt Typhoon and Linen Typhoon, are prioritizing North American telecommunications, commercial, government, and IT services, anchoring their presence now for long-term geopolitical leverage.\r\n3. Over-privileged SaaS integrations are expanding the blast radius of attacks. As demonstrated by the GRUB1 breach of Salesloft, the connective tissue of third-party API integrations allows a single compromised integration to cascade into a breach affecting hundreds of distinct corporate environments.\r\n4. Adversaries are weaponizing trusted cloud tooling to mask attacks. Threat actors actively target legitimate SaaS, IaaS, and PaaS tools such as Google Calendar, Dropbox, and GitHub to camouflage malicious actions within benign enterprise activity.\r\n5. 
Deepfake personas are embedding adversarial operatives within Western payrolls. North Korea has operationalized the remote IT worker scheme, using deepfakes and fraudulent identities to embed state-sponsored operatives directly into Western payrolls for espionage and illicit revenue.\r\n6. Token theft is neutralizing multi-factor authentication. By weaponizing infostealers like LummaC2 to harvest active session tokens, attackers bypass traditional multi-factor authentication and move straight to post-authentication actions: the stolen token was issued after the victim had already satisfied MFA, so replaying it never triggers a second challenge.\r\n7. Relay blind spots are enabling internal brand spoofing. Phishing-as-a-service bots are exploiting a blind spot where mail servers fail to re-verify a sender’s identity, allowing high-trust brand impersonations delivered directly to user inboxes.\r\n8. Hyper-volumetric strikes are exhausting infrastructure capacity. Hyper-volumetric distributed denial-of-service (DDoS) attacks, fueled by massive botnets like Aisuru, are breaking records on a regular basis, closing the window for human response.\r\nDeep dive: How attackers are weaponizing cloud tooling\r\nNow let’s take a deeper look at one high-MOE tactic we identified: weaponized cloud tooling. Instead of using known malicious servers, attackers are utilizing legitimate cloud ecosystems like Google Drive, Microsoft Teams, and Amazon S3 to mask their command-and-control (C2) traffic. This is known as “living off the land” (or off of anything-as-a-service): wearing the uniform of trusted providers, attackers make their activity nearly indistinguishable from benign corporate traffic, which means destination reputation alone cannot be used to spot it.\r\nSaaS platforms are also being used by threat actors to host, launch, redirect, or scale attacks. 
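The living-off-the-cloud pattern described above (and the NastyShrew dead drop resolver row in the table that follows) defeats reputation-based blocking, because the destination is a service the business already uses. What survives is the cadence: a dead drop resolver or a SaaS C2 loop is polled on a timer, while people open the same services in irregular bursts. The Python below is an added example, not code from Cloudflare or from the report: it reads constructed proxy log lines and flags source/destination pairs whose request gaps are nearly constant. The log format, the hosts and IPs, and the thresholds of 5 requests and a 0.1 coefficient of variation are all assumptions made for the illustration.

```python
# Added example, not from the Cloudflare report: spot hosts that poll a reputable
# SaaS or paste site on a fixed schedule. Destination reputation is useless here,
# so the signal is the timing of the requests rather than where they go.
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy log lines: '<ISO timestamp> <src_ip> <host> <method> <path>'.
# 10.0.0.5 polls rentry.co roughly every 300 s (a dead drop resolver pattern);
# 10.0.0.9 opens drive.google.com at irregular, human-looking intervals.
SAMPLE_LOG = '''
2026-03-03T09:00:00 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:05:01 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:09:59 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:15:02 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:20:00 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:24:58 10.0.0.5 rentry.co GET /raw/k3jd9
2026-03-03T09:02:11 10.0.0.9 drive.google.com GET /drive/u/0/my-drive
2026-03-03T09:02:40 10.0.0.9 drive.google.com GET /file/d/abc/view
2026-03-03T09:31:05 10.0.0.9 drive.google.com GET /drive/u/0/my-drive
2026-03-03T10:47:50 10.0.0.9 drive.google.com GET /file/d/xyz/view
2026-03-03T10:48:02 10.0.0.9 drive.google.com GET /drive/u/0/shared-with-me
2026-03-03T12:15:33 10.0.0.9 drive.google.com GET /drive/u/0/my-drive
'''


def parse_log(text):
    '''Return (timestamp, src_ip, host) tuples from the whitespace-separated format above.'''
    events = []
    for line in text.strip().splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue  # skip blank or truncated lines
        events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return events


def interval_stats(events):
    '''For each (src_ip, host) pair, count requests and compute the coefficient of
    variation (stdev / mean) of the gaps between consecutive requests. A scheduled
    beacon has a CV near zero; human browsing has a CV well above it.'''
    by_pair = defaultdict(list)
    for ts, src, host in events:
        by_pair[(src, host)].append(ts)
    stats = {}
    for pair, times in by_pair.items():
        times.sort()
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(times, times[1:])]
        if len(gaps) < 2:
            continue  # too few requests to say anything about cadence
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg > 0 else 0.0
        stats[pair] = {'count': len(times), 'mean_gap_s': avg, 'cv': cv}
    return stats


def find_beacons(events, min_requests=5, max_cv=0.1):
    '''Return sorted (src_ip, host) pairs whose cadence looks scripted. The
    min_requests and max_cv thresholds are assumptions for this example; tune them
    against real traffic, since real implants add jitter and benign clients
    (update checkers, mail sync) also poll on timers.'''
    return sorted(pair for pair, s in interval_stats(events).items()
                  if s['count'] >= min_requests and s['cv'] <= max_cv)


if __name__ == '__main__':
    for src, host in find_beacons(parse_log(SAMPLE_LOG)):
        print(f'possible beacon: {src} -> {host}')
```

Run it as a script to print the flagged pair, or call find_beacons() on events parsed from your own proxy or DNS logs. Implants add jitter on purpose, so in production the CV threshold is tuned against observed traffic and combined with other features (constant request size, the same path fetched every time, a host that never browses the service interactively) rather than used alone; even a jittered five-minute poll is far more regular than human use of a file-sharing site.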
Bulk email services are one example: Amazon SES and SendGrid, designed for legitimate bulk email delivery, are frequently exploited to launch sophisticated phishing and malware distribution campaigns.\r\nHow some groups are applying these tactics\r\nWhile the exploitation of cloud resources is established tradecraft, 2025 investigations highlighted an accelerated maturation in nation-state strategy: actors are continuing to shift from mere infrastructure abuse toward pervasive living-off-the-land. We predict that for 2026, threat actors will attempt to standardize these techniques as a strategic aim for their operational playbooks.\r\nHere are some of those threat actor groups, where they are based, and examples of their approaches.\r\nThreat Actor | Country | Technique | Details | Example\r\nFrumpyToad | China | Logic-based C2 | Moving \"inside the box\" of reputable SaaS logic to evade detection. | Weaponizes Google Calendar for a cloud-to-cloud C2 loop, reading and writing encrypted commands directly into event descriptions.\r\nPunyToad | China | Encrypted tunneling | Utilizing legitimate developer tools to bypass egress filtering. | Uses tunneling capabilities and cloud computing to create resilient, living-off-the-cloud architectures, masking backend origin IPs and prioritizing long-term persistence.\r\nNastyShrew | Russia | Paste-site dead drop resolvers | Using public \"paste\" sites to coordinate shifting infrastructure. | Uses services like Teletype.in and Rentry.co as dead drop resolvers (DDR); infected hosts poll these sites to retrieve rotating C2 addresses.\r\nPatheticSlug | North Korea | PaaS-ing the perimeter | Exploiting the \"reputation shield\" of cloud ecosystems to mask malicious delivery. | Used Google Drive and Dropbox to host XenoRAT payloads, leveraging GitHub for covert C2, successfully blending into legitimate enterprise traffic.\r\nCrustyKrill | Iran | SaaS-hosted phishing | Blending credential harvesting into common cloud hosting. | Hosts C2 pages on Azure Web Apps (.azurewebsites.net) and uses ONLYOFFICE to host payloads, giving their operations a veneer of legitimacy.\r\nHow Cloudforce One unmasked the 2026 landscape\r\nEstablishing MOE requires more than just high-level observation. To truly unmask the 2026 landscape, this report details how Cloudforce One leverages a unique blend of internal expertise and global telemetry to uncover insights that traditional security models miss.\r\nOur methodology is varied. For example:\r\nAs part of our AI-driven defense research, we tasked an AI coding agent with a self-vulnerability analysis, using the agent to uncover its own security gaps. This \"dogfooding\" uncovered CVE-2026-22813 (CVSS 9.4), a critical flaw in markdown rendering pipelines allowing unauthenticated remote code execution.\r\nOur deep dives into Phishing-as-a-Service (PhaaS) reveal that the barrier to entry has vanished. Analysts observed attackers leveraging high-reputation domains (Google Drive, Azure, etc.) to bypass filters. Email telemetry found an identity gap: nearly 46% of analyzed emails failed DMARC (an email authentication protocol), revealing a large surface area that PhaaS bots are rapidly exploiting.\r\nWe tracked the transition from stealthy exploitation to attempted blackout, uncovering a 31.4 Tbps baseline for DDoS. 
Our telemetry also showed that, in the past 3 months, 63% of all logins involve credentials already compromised elsewhere and that 94% of all login attempts now originate from bots.\r\nThrough every stage of this research, Cloudforce One has leveraged our massive global telemetry and frontline threat intelligence to connect the dots across seemingly isolated incidents. Whether we are dogfooding our own AI agents to preempt zero-day exploits or tracking attacks launched by millions of bot-infected hosts tunneling through residential proxies, this unified visibility allows us to see the throughline between a single phished credential and a multi-terabit blackout.\r\nThe path forward: Drive MOE to zero with autonomous defense\r\nIdentifying these throughlines is only the first step. When threats move at machine speed, human-centric defense is no longer a viable shield. To counter \"offense by the system,\" defenders across the industry must pivot to a model of autonomous defense in order to drive the adversary’s MOE to zero.\r\nThis shift toward autonomous defense requires moving beyond manual checklists and fragmented alerts. Organizations must harden the connective tissue of their networks, using real-time visibility and automated response capabilities. In this new era, the goal isn't just to build a better wall: it's to ensure your system can act faster than the attacker, even when no one is watching.\r\nTo support this shift, today we are debuting a major upgrade to our threat events platform: evolving from simple data access to a fully automated, visual command center for your security operations center.\r\nGet the 2026 Cloudflare Threat Report\r\nThrough our unmatched threat visibility and the expertise of our Cloudforce One researchers, we provide the intelligence you need to outpace industrialized cyber threats. 
To explore the full data set, deep-dive case studies, and tactical recommendations, read the complete 2026 Cloudflare Threat Report.\r\nAnd if you’re interested in learning more about our threat intelligence, managed defense, or incident response offerings, contact Cloudforce One experts.\r\nSource: https://blog.cloudflare.com/2026-threat-report/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.cloudflare.com/2026-threat-report/"
	],
	"report_names": [
		"2026-threat-report"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-29T06:58:57.821087Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard",
				"NastyShrew"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "f0eca237-f191-448f-87d1-5d6b3651cbff",
			"created_at": "2024-02-06T02:00:04.140087Z",
			"updated_at": "2026-04-29T06:58:56.803236Z",
			"deleted_at": null,
			"main_name": "GhostEmperor",
			"aliases": [
				"RedMike",
				"OPERATOR PANDA",
				"FamousSparrow",
				"UNC2286",
				"Salt Typhoon"
			],
			"source_name": "MISPGALAXY:GhostEmperor",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "191d7f9a-8c3c-442a-9f13-debe259d4cc2",
			"created_at": "2022-10-25T15:50:23.280374Z",
			"updated_at": "2026-04-29T06:58:57.705351Z",
			"deleted_at": null,
			"main_name": "Kimsuky",
			"aliases": [
				"Kimsuky",
				"Black Banshee",
				"Velvet Chollima",
				"Emerald Sleet",
				"THALLIUM",
				"APT43",
				"TA427",
				"Springtail",
				"Earth Kumiho",
				"PatheticSlug"
			],
			"source_name": "MITRE:Kimsuky",
			"tools": [
				"Troll Stealer",
				"HTTPTroy",
				"schtasks",
				"certutil",
				"Amadey",
				"GoBear",
				"Brave Prince",
				"CSPY Downloader",
				"gh0st RAT",
				"AppleSeed",
				"Gomir",
				"NOKKI",
				"QuasarRAT",
				"Gold Dragon",
				"PsExec",
				"KGH_SPY",
				"Mimikatz",
				"BabyShark",
				"TRANSLATEXT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e3492534-85a6-4c87-a754-5ae4a56d7c8c",
			"created_at": "2022-10-25T15:50:23.819113Z",
			"updated_at": "2026-04-29T06:58:57.818367Z",
			"deleted_at": null,
			"main_name": "Threat Group-3390",
			"aliases": [
				"Threat Group-3390",
				"Earth Smilodon",
				"TG-3390",
				"Emissary Panda",
				"BRONZE UNION",
				"APT27",
				"Iron Tiger",
				"LuckyMouse",
				"Linen Typhoon"
			],
			"source_name": "MITRE:Threat Group-3390",
			"tools": [
				"Systeminfo",
				"gsecdump",
				"PlugX",
				"ASPXSpy",
				"Cobalt Strike",
				"Mimikatz",
				"Impacket",
				"gh0st RAT",
				"certutil",
				"China Chopper",
				"HTTPBrowser",
				"Tasklist",
				"netstat",
				"SysUpdate",
				"HyperBro",
				"ZxShell",
				"RCSession",
				"ipconfig",
				"Clambling",
				"pwdump",
				"NBTscan",
				"Pandora",
				"Windows Credential Editor"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d390d62a-6e11-46e5-a16f-a88898a8e6ff",
			"created_at": "2024-12-28T02:01:54.899899Z",
			"updated_at": "2026-04-29T06:58:58.140449Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Earth Estries",
				"FamousSparrow",
				"GhostEmperor",
				"Operator Panda",
				"RedMike",
				"Salt Typhoon",
				"UNC2286"
			],
			"source_name": "ETDA:Salt Typhoon",
			"tools": [
				"Agentemis",
				"Backdr-NQ",
				"Cobalt Strike",
				"CobaltStrike",
				"Crowdoor",
				"Cryptmerlin",
				"Deed RAT",
				"Demodex",
				"FamousSparrow",
				"FuxosDoor",
				"GHOSTSPIDER",
				"HemiGate",
				"MASOL RAT",
				"Mimikatz",
				"NBTscan",
				"NinjaCopy",
				"ProcDump",
				"PsExec",
				"PsList",
				"SnappyBee",
				"SparrowDoor",
				"TrillClient",
				"WinRAR",
				"Zingdoor",
				"certutil",
				"certutil.exe",
				"cobeacon",
				"nbtscan"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "fcff864b-9255-49cf-9d9b-2b9cb2ad7cff",
			"created_at": "2025-04-23T02:00:55.190165Z",
			"updated_at": "2026-04-29T06:58:57.819377Z",
			"deleted_at": null,
			"main_name": "Salt Typhoon",
			"aliases": [
				"Salt Typhoon"
			],
			"source_name": "MITRE:Salt Typhoon",
			"tools": [
				"JumbledPath"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c63ab035-f9f2-4723-959b-97a7b98b5942",
			"created_at": "2023-01-06T13:46:38.298354Z",
			"updated_at": "2026-04-29T06:58:56.168001Z",
			"deleted_at": null,
			"main_name": "APT27",
			"aliases": [
				"EMISSARY PANDA",
				"TEMP.Hippo",
				"Red Phoenix",
				"ZipToken",
				"Iron Tiger",
				"Lucky Mouse",
				"GreedyTaotie",
				"Group 35",
				"Circle Typhoon",
				"Iron Taurus",
				"Earth Smilodon",
				"TG-3390",
				"Budworm",
				"BRONZE UNION",
				"Linen Typhoon",
				"G0027"
			],
			"source_name": "MISPGALAXY:APT27",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6477a057-a76b-4b60-9135-b21ee075ca40",
			"created_at": "2025-11-01T02:04:53.060656Z",
			"updated_at": "2026-04-29T06:58:57.620229Z",
			"deleted_at": null,
			"main_name": "BRONZE TIGER",
			"aliases": [
				"Earth Estries ",
				"Famous Sparrow ",
				"Ghost Emperor ",
				"RedMike ",
				"Salt Typhoon "
			],
			"source_name": "Secureworks:BRONZE TIGER",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b399b5f1-42d3-4b53-8c73-d448fce6ab43",
			"created_at": "2025-08-07T02:03:24.68371Z",
			"updated_at": "2026-04-29T06:58:57.507799Z",
			"deleted_at": null,
			"main_name": "BRONZE UNION",
			"aliases": [
				"APT27 ",
				"Bowser",
				"Budworm ",
				"Circle Typhoon ",
				"Emissary Panda ",
				"Group35",
				"Iron Tiger ",
				"Linen Typhoon ",
				"Lucky Mouse ",
				"TG-3390 ",
				"Temp.Hippo "
			],
			"source_name": "Secureworks:BRONZE UNION",
			"tools": [
				"AbcShell",
				"China Chopper",
				"EAGERBEE",
				"Gh0st RAT",
				"OwaAuth",
				"PhantomNet",
				"PoisonIvy",
				"Sysupdate",
				"Wonknu",
				"Wrapikatz",
				"ZxShell",
				"reGeorg"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "5c13338b-eaed-429a-9437-f5015aa98276",
			"created_at": "2022-10-25T16:07:23.582715Z",
			"updated_at": "2026-04-29T06:58:57.870794Z",
			"deleted_at": null,
			"main_name": "Emissary Panda",
			"aliases": [
				"APT 27",
				"ATK 15",
				"Bronze Union",
				"Budworm",
				"Circle Typhoon",
				"Earth Smilodon",
				"Emissary Panda",
				"G0027",
				"Group 35",
				"Iron Taurus",
				"Iron Tiger",
				"Linen Typhoon",
				"LuckyMouse",
				"Operation DRBControl",
				"Operation Iron Tiger",
				"Operation PZChao",
				"Operation SpoiledLegacy",
				"Operation StealthyTrident",
				"Red Phoenix",
				"TEMP.Hippo",
				"TG-3390",
				"ZipToken"
			],
			"source_name": "ETDA:Emissary Panda",
			"tools": [
				"ASPXSpy",
				"ASPXTool",
				"Agent.dhwf",
				"AngryRebel",
				"Antak",
				"CHINACHOPPER",
				"China Chopper",
				"Destroy RAT",
				"DestroyRAT",
				"FOCUSFJORD",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HTTPBrowser",
				"HTran",
				"HUC Packet Transmit Tool",
				"HighShell",
				"HttpBrowser RAT",
				"HttpDump",
				"HyperBro",
				"HyperSSL",
				"HyperShell",
				"Kaba",
				"Korplug",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Mimikatz",
				"Moudour",
				"Mydoor",
				"Nishang",
				"OwaAuth",
				"PCRat",
				"PlugX",
				"ProcDump",
				"PsExec",
				"RedDelta",
				"SEASHARPEE",
				"Sensocode",
				"SinoChopper",
				"Sogu",
				"SysUpdate",
				"TIGERPLUG",
				"TVT",
				"Thoper",
				"Token Control",
				"TokenControl",
				"TwoFace",
				"WCE",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"Xamtrav",
				"ZXShell",
				"gsecdump",
				"luckyowa"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1777429227,
	"ts_updated_at": 1777450956,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/27c08e0a03e65cea5d3652ff2168aaf8dd9657f9.pdf",
		"text": "https://archive.orkl.eu/27c08e0a03e65cea5d3652ff2168aaf8dd9657f9.txt",
		"img": "https://archive.orkl.eu/27c08e0a03e65cea5d3652ff2168aaf8dd9657f9.jpg"
	}
}