Dive Brief:
- Identity has replaced malware as the biggest threat vector opening the door for ransomware attacks, Cloudflare said in an annual threat report published on Tuesday.
- Hackers’ increasing use of legitimate credentials, rather than malicious code, is making it harder for defenders to detect and contain their attacks.
- Cloudflare’s new report also discussed nation-state threat actors’ behavior and how artificial intelligence is changing attacks.
Dive Insight:
Ransomware began as a malware crisis, but in recent years attackers have come to see greater opportunities in phishing and in the continuing prevalence of weak passwords. Ransomware attacks are now more likely than ever before to rely on stolen account credentials, which help hackers blend into legitimate traffic until they are ready to begin the extortion phase of their operation.
“The modern extortion landscape has shifted from a purely technical encryption challenge into a high-fidelity identity and access crisis,” Cloudflare researchers wrote in the report. “The weaponization of authorized credentials and internal collaborators has become the primary path for high-impact breaches, signaling a move beyond traditional malware toward the exploitation of legitimate access.”
Cloudflare said it had also seen an increase in attacks on “critical continuity” organizations, “with manufacturing and critical infrastructure now representing over 50% of all targeted attacks.” Ransomware gangs have found these organizations to be some of the most profitable targets, because they are often eager to resolve operational disruptions that are costing them revenue.
In its section on AI advancements, Cloudflare warned that the technology was pushing hackers to emphasize effectiveness over sophistication in their tool sets. The company expects that shift to “increase dramatically” as AI writes code that is rough around the edges but nonetheless gets the job done — for example, “using LLMs to bridge the gap between a bug and a functional exploit by automating semantic mapping.”
“The primary threat is no longer the rarity of the skill set, but the velocity of the outcome,” Cloudflare said. “The sheer volume of these automated, persistent campaigns matters more than the technical elegance of the code.”
In the financial-theft space, Cloudflare observed criminals attempting to steal roughly $123.5 million in 2025, with name impersonation being “the most lucrative tactic for threat actors.” The most common amount that criminals tried to steal in 2025 was around $49,000, which Cloudflare said was evidence of “a calculated strategy where fraudsters aim for amounts large enough to be profitable, yet small enough to potentially bypass more stringent executive approval thresholds.”
The company warned businesses to be on the lookout for thread-hijacking attacks, in which cybercriminals enter a legitimate conversation and begin requesting money, exploiting the trust relationships built into the existing dialog. “To automated systems, these requests appear as benign, everyday business activity,” Cloudflare said.
The company predicted that generative AI would help attackers “automate this thread hijacking at scale, allowing them to maintain this precise ~$49,000 sweet spot across thousands of concurrent conversations without the need for manual oversight.”
The Cloudflare report describes stark differences between the U.S.’s major cyber adversaries, from Russia’s “high-frequency, broad targeting model” to China’s stealthy pre-positioning on critical infrastructure networks. Iran is focused on using cyber intrusions to support “kinetic military objectives,” the report found, while North Korea is engaged in “human-centric operations” that exploit identity weaknesses and trust relationships.
In a section on nation-state hackers’ abuse of legitimate online platforms, Cloudflare described a China-linked group using Google Calendar for command-and-control (C2) operations, a Russia-linked group using text-paste sites as benign-looking sources of rotating C2 addresses and an Iran-linked group hosting C2 pages on Microsoft Azure web domains.
