SECURITY
A fundamental shift in how cyberattacks are carried out is well underway as threat actors now increasingly log in using stolen credentials rather than breaking through traditional defenses.
That’s according to a new report out today from Ontinue AG, a Swiss provider of artificial intelligence-powered managed extended detection and response. Its 2H 2025 Threat Intelligence Report finds that identity compromise has become the primary entry point into cloud environments and, as a result, is changing how organizations must think about security.
In 2026, attackers are now abusing valid credentials and trusted integrations to move through systems undetected instead of relying on malware or exploiting software vulnerabilities. A key driver of the trend is a significant rise in infostealer malware, including families such as LummaC2. Infostealer tools harvest browser-stored passwords, session cookies and authentication tokens before packaging them into data sets that are sold on underground marketplaces to other threat actors.
Listings of stolen credentials linked to LummaC2 alone were found to have surged 72% over the reporting period, as access to corporate environments became commoditized and can now be purchased for thousands of dollars per account.
While credential theft led the report, ransomware was also found to still pose a major risk. More than 7,000 ransomware incidents were reported globally in 2025, and more than 120 active ransomware groups operated across industries.
The ransomware campaigns being used today, however, are evolving to include variants that combine multiple forms of pressure on victims. Attackers were found to be increasingly deploying tactics such as data exfiltration, operational disruption, distributed denial-of-service attacks and direct intimidation to create layered extortion strategies designed to maximize leverage.
The report also identifies early signs that generative artificial intelligence is beginning to play a role in malware development. Analysis of recovered samples revealed coding patterns consistent with large language model assistance, including repetitive structures, verbose comments and polished user interfaces paired with insecure implementations.
Other findings include an expansion of risks tied to supply chains and software-as-a-service platforms, with threat actors increasingly targeting development pipelines and third-party providers to gain indirect access to multiple organizations.
“The reality organizations face today is that attackers are moving faster, leveraging stolen identities and automation to bypass traditional defenses,” said Ontinue Chief Security Officer Craig Jones. “Cyber resilience is no longer just about preventing breaches, it’s about proactive risk reduction, environment hardening by detecting threats quickly, responding decisively and maintaining operational continuity when incidents occur.”