
    2026 Year of the Worm? AI Is Fueling a Malware Comeback

    Artificial Intelligence & Machine Learning, Cyberwarfare / Nation-State Attacks, Fraud Management & Cybercrime

    Analyst Warns AI-Fueled Malware Poised to Reshape Global Cyber Risk in 2026

    (@chrisriotta) • December 29, 2025


    2025 was a defining year for the global cyberthreat landscape, marked by the accelerating convergence of nation-state conflict, cybercrime cartels and rapidly maturing artificial intelligence tools. Defenders spent much of the year grappling with record levels of zero-day exploitation, increasingly destructive intrusions and a growing overlap between criminal activity and state-directed operations.


    As organizations look ahead to 2026, many of the trends that emerged this year appear poised to intensify.

    Tom Kellerman, vice president of cyber risk at HiTrust and a longtime government and industry advisor, said the past year has reshaped how attackers think about access, persistence and impact. In an end-of-year interview with Information Security Media Group, Kellerman outlined why hybrid attacks, activist-driven cyber campaigns and the resurgence of destructive malware could define the year ahead, particularly as AI lowers technical barriers for a wider range of threat actors.

    The following question-and-answer interview has been lightly edited and condensed for clarity and length.

    Information Security Media Group: Tom, before we get into your predictions for 2026, I want to start with 2025. From your vantage point, what were the cyber risks and challenges that really defined the year?

    Tom Kellerman: First and foremost, I think we’ve seen this dramatic increase in island hopping in 2025. It’s important to know that island hopping is a targeted event. It’s not a supply chain attack. This is when the adversary attempts to hijack your digital presence, your tech stack and use it to attack your customers. View it more as a home invasion than a burglary, and this has happened through the typhoon campaigns, where most of the major telecoms were compromised.

    ISMG: Where did those intrusions lead once adversaries gained that initial vantage point?

    TK: From that vantage, essentially, the Chinese spies targeted critical infrastructures in the federal government. So, you know, the game has changed. Worst case scenario in today’s world is written by an adversary using your home, your environment, your tech stack, to attack your customers and defending from within – and tackling that is your number one priority.

    ISMG: How did AI factor into that shift over the past year?

    TK: The advent of AI, specifically agentic AI, and the utility of such throughout most corporations and organizations, is creating a perfect storm for backdoors. This is coupled with the fact that many adversaries are using AI to discover zero-days, and so we’re seeing an epidemic of zero-days in the wild, which are becoming more pernicious, more prevalent and the perfect back doors into environments that used to be secure.

    ISMG: You’ve warned that attacks are also getting more destructive. What changes in defender behavior does that demand?

    TK: I would also highlight the nature in which attacks are becoming more destructive. The adversaries are more prone to leverage counter incident response against offenders. So how you react to adversaries in today’s world, you should do so in a very clandestine manner. It’s much like if someone were to break into your house – is it the proper way to actually turn on the light and say you have a gun? What’s to stop said adversary from setting the house on fire?

    ISMG: Plant a flag in 2026 for me. What is your biggest prediction?

    TK: I would predict, given this nature of discovery of zero-days in a more destructive adversary, that 2026 is really going to be the year of worms. We’re going to see worms again. Worms are making a comeback, and we need to pay close attention to that, especially once they can replicate and spread faster than ever, given the utility of AI.

    ISMG: You’ve mentioned in our past conversations a “free fire zone” in cyber. What do you mean by that?

    TK: You’re seeing more nation-state activity out there. You’re also seeing more collaboration between, I would say, the axis of evil in cyberspace. More importantly, you’re seeing exchange of drones and cyber warfare capabilities between all four actors, and that is leading into, I guess, a free fire zone, a multiplicity of actors in cyber where you have cyber militias, per se – patriotic hackers within those countries that are acting out against Western critical infrastructure.

    ISMG: And when you look at non-state threats heading into 2026, which groups are you watching most closely?

    TK: This burgeoning East Asia ISIS movement has a lot of cyber sophistication in it, and I’m concerned that ISIS in East Asia will begin to leverage hybrid attacks – like crippling 911, or emergency services prior to leveraging a physical, kinetic attack. And then there is a group called “764” – a bunch of nihilists. I think they’re not going to just stop with convincing kids to kill themselves. I do think that when they begin to use AI and deep fakes and other things, they could literally create near-mercenaries of their victims.

    ISMG: What does that look like operationally for real-world targets?

    TK: If a threat actor hacks a kid’s device and they’re on their family network, the family is that of a CEO for a large corporation, I’m going to go right through the home network, into the CEO’s laptop, into said corporation. You have serious problems.

    ISMG: As defenders head into 2026, what is the single biggest mistake you think organizations still make when thinking about cyber risk?

    TK: I think a lot of people still believe the worst-case scenario is theft. It’s not. Worst-case scenario in today’s world is an adversary using your home, your environment, your tech stack, to attack your customers. When you don’t pay attention to the fact that the game has changed, you end up defending the perimeter instead of defending from within, and that’s where organizations are getting hurt.

     
