
IT threat evolution in Q1 2026. Non-mobile statistics

Kaspersky's Q1 2026 threat report highlights significant law enforcement actions against major ransomware operators, alongside the emergence of new ransomware groups like The Gentlemen. The quarter also saw active zero-day exploitation of Cisco Secure FMC (CVE-2026-20131) by the Interlock group, a rise in macOS-targeted crypto stealers and supply chain attacks via the Axios npm package, and persistent IoT botnet activity dominated by Mirai variants.

Confidence: high · Analyzed: 2026-05-18 · Google

Authors: AMR

Actors: Clop, Qilin, The Gentlemen, Akira, INC Ransom, Phobos, BlackCat, Yanluowang, Interlock, WannaCry, LockBit, PasivRobber, Amos, Mirai, NyaDrop, Operation Triangulation

Source: Kaspersky

IOCs · 2
  • cve
  • npm_package: axios. Widely used HTTP client for JavaScript, targeted in a supply chain attack to deploy a backdoor on macOS devices.

Detection / Hunter

What Happened

In the first quarter of 2026, cybersecurity researchers observed major shifts in the threat landscape, including successful law enforcement actions against several ransomware groups. Despite these crackdowns, new ransomware gangs emerged, and attackers continued to exploit vulnerabilities in network equipment like Cisco firewalls. Apple Mac users also faced new risks from fake video calls designed to steal cryptocurrency and compromised software packages. Organizations should ensure their network appliances are fully patched and remain vigilant against suspicious software updates and unsolicited communication.

Key Takeaways

  • Law enforcement successfully disrupted the RAMP cybercrime forum and apprehended individuals linked to Phobos, BlackCat, and Yanluowang ransomware operations.
  • The Interlock ransomware group actively exploited a zero-day vulnerability (CVE-2026-20131) in Cisco Secure FMC for initial access.
  • Clop regained its position as the most prolific ransomware group, while a new actor, The Gentlemen, rapidly ascended the rankings.
  • macOS devices faced increased targeting via fraudulent video call crypto-stealers, an iOS/macOS exploit chain linked to Operation Triangulation, and a supply chain attack via the Axios npm package.
  • IoT attacks remain dominated by Mirai botnet variants, with a notable increase in SSH-based brute-force attacks compared to previous quarters.

Affected Systems

  • Cisco Secure FMC
  • macOS
  • iOS
  • IoT devices (SSH/Telnet exposed)
  • Windows

Vulnerabilities (CVEs)

  • CVE-2026-20131

Attack Chain

Threat actors utilized a variety of initial access vectors, including the exploitation of a zero-day vulnerability (CVE-2026-20131) in Cisco Secure FMC and supply chain compromise via the Axios npm package. Following initial access, attackers deployed ransomware, cryptocurrency miners, or macOS-specific backdoors and stealers like Amos. IoT devices were primarily compromised via SSH and Telnet brute-forcing to deploy Mirai botnet variants. Ransomware operators continued to rely on data exfiltration and leak sites for double extortion.

Detection Availability

  • YARA Rules: No
  • Sigma Rules: No
  • Snort/Suricata Rules: No
  • KQL Queries: No
  • Splunk SPL Queries: No
  • EQL Queries: No
  • Other Detection Logic: No

The article provides statistical threat data and high-level trends but does not include specific detection rules or queries.

Detection Engineering Assessment

  • EDR Visibility: High. EDR solutions are highly effective at detecting ransomware encryption behaviors, cryptocurrency miner resource usage, and macOS backdoor executions.
  • Network Visibility: Medium. Network monitoring can detect IoT brute-force attempts (SSH/Telnet) and exploit attempts against Cisco FMC, but encrypted C2 traffic is harder to inspect.
  • Detection Difficulty: Moderate. Ransomware and miners are relatively easy to detect behaviorally, but zero-day exploitation of network appliances and supply chain compromises require advanced behavioral analytics and strict baseline monitoring.

Required Log Sources

  • Network flow logs
  • Endpoint process execution logs
  • File creation logs
  • Authentication logs

Hunting Hypotheses

Each hypothesis lists its telemetry source, ATT&CK stage, and false-positive risk.

  • Hypothesis: Hunt for unusual child processes spawning from Cisco Secure FMC web or management services, which may indicate exploitation of CVE-2026-20131. | Telemetry: Endpoint process execution logs | ATT&CK Stage: Initial Access | FP Risk: Low
  • Hypothesis: Evaluate authentication logs for high volumes of failed SSH or Telnet login attempts against IoT devices or network appliances, indicative of Mirai botnet targeting. | Telemetry: Authentication logs | ATT&CK Stage: Initial Access | FP Risk: Medium
  • Hypothesis: Where macOS endpoint visibility exists, hunt for unexpected execution of scripts or binaries following video conferencing application launches. | Telemetry: Endpoint process execution logs | ATT&CK Stage: Execution | FP Risk: Medium

Control Gaps

  • Lack of patching for edge network appliances
  • Insufficient monitoring of third-party dependencies (npm)

Key Behavioral Indicators

  • High CPU utilization by unknown processes (miners)
  • Mass file modification or renaming (ransomware)
  • Unexpected root privilege execution on Cisco FMC

False Positive Assessment

  • Low

Recommendations

Immediate Mitigation

  • Verify against your organization's incident response runbook and team escalation paths before acting.
  • Ensure Cisco Secure FMC appliances are patched against CVE-2026-20131 or apply vendor-recommended workarounds.
  • Audit projects utilizing the Axios npm package for signs of compromise or unexpected backdoor deployments.

Infrastructure Hardening

  • Disable Telnet and restrict SSH access on all IoT devices and network appliances to trusted IP ranges.
  • Implement network segmentation to isolate IoT devices from critical corporate networks.

User Protection

  • Deploy and ensure EDR coverage on all macOS endpoints to detect stealers and backdoors.
  • Restrict the execution of unsigned scripts and binaries on macOS devices where supported by your tooling.

Security Awareness

  • Educate users on the risks of fraudulent video calls and unsolicited technical support requests.
  • Train developers on secure coding practices and the risks of software supply chain attacks.

MITRE ATT&CK Mapping

  • T1190 - Exploit Public-Facing Application
  • T1195.002 - Compromise Software Supply Chain
  • T1486 - Data Encrypted for Impact
  • T1496 - Resource Hijacking
  • T1110 - Brute Force
  • T1059.007 - Command and Scripting Interpreter: JavaScript