Predicting 2026

Welcome to this week’s edition of the Threat Source newsletter.
It’s become traditional at this time of year to make predictions about cybersecurity for the coming year. Obviously, no one has a crystal ball to predict the future, and if they did, they would be quietly making a fortune rather than sharing their insights in a newsletter. Any predictions about what lies ahead in the coming year should be taken with a generous pinch of salt.
However, the exercise isn’t futile. Taking time to pause and reflect on the current threat landscape, the forces driving change, and how our own exposure is evolving can help us form reasonable guesses about what might happen during the forthcoming year.
We’re living in a very tense geopolitical environment. We should expect continued use of infostealer malware and phishing campaigns as adversaries seek to map supply chains, and understand how organisations and governments may react to escalating aggression. As part of this activity, we’ll continue to see proxy actors conducting destructive attacks and financing their activities through extorting payment. Less sophisticated groups may also engage in website defacements or deploy disruptive malware in pursuit of political visibility or ideological goals.
Suffice to say that we are living in tense and difficult times. In a globally connected world, no one is isolated from the effects of conflict, no matter how distant it may seem.
At the same time, our use of technology continues to evolve, reshaping our threat exposure. Many organizations have already enthusiastically embraced generative AI. As AI systems are given more autonomy and broader access to internal systems, we can imagine that we will see breaches caused by poorly constrained or insufficiently governed AI agents.
Many accidental or malicious insider attacks are caused by individuals having excessive permissions or unfettered access to data with little oversight. We can imagine AI agents provoking similar incidents, whether through flawed design, unintended behavior, or deliberate prompt manipulation by an attacker.
While it is important to consider these newer and more exotic threats, we should not lose sight of the familiar ones. Unpatched systems, leaked credentials, accounts lacking multi-factor authentication, and poor network visibility continue to underpin many successful attacks.
One thing is certain: Cybersecurity teams will remain busy throughout 2026. There will be threat actors attempting to compromise our systems, there will be new techniques that they will use, but there will be many more attacks using techniques that we have seen before.
It’s going to be a demanding year. Wishing good fortune and happy threat hunting to everyone.
The one big thing
Cisco Talos is monitoring UAT-8837, which we assess with medium confidence is a China-nexus advanced persistent threat (APT) actor. They have been actively targeting critical infrastructure organizations in North America since at least 2025. They typically gain access by exploiting vulnerabilities or using stolen credentials, then use a mix of open-source tools to steal sensitive data and create multiple ways back into the network. UAT-8837 adapts quickly, constantly changing up their tools to evade detection.
Why do I care?
This group is focused on high-value targets and uses advanced, constantly evolving techniques that can bypass traditional defenses — even leveraging zero-day vulnerabilities. Their actions can lead to stolen credentials, persistent access, and potentially large-scale supply chain or infrastructure disruptions.
So now what?
Stay vigilant by keeping systems patched, monitoring for the specific tools and behaviors outlined in the report, and using up-to-date detection rules from sources like Talos. Proactively hunting for these IOCs and unusual user/account activity, combined with strong credential and privilege management, will be crucial to reducing risk from UAT-8837.
Top security headlines of the week
BreachForums breached, exposing 324K cybercriminals
In an ironic development, an individual using the moniker “James” published a database containing detailed information on hundreds of thousands of BreachForums users who believed they were operating anonymously. (DarkReading)
Target’s dev server offline after hackers claim to steal source code
An unknown threat actor has claimed to have stolen a trove of Target’s internal source code and documentation and is selling it on dark web marketplaces. Multiple Target employees have now confirmed the authenticity of the leaked source code sample set. (BleepingComputer)
Predator spyware turns failed attacks into intelligence for future exploits
New research reveals previously undocumented mechanisms that return information to developers on failed individual attacks. This means Predator can learn from its own failures so that future versions may be hardened against detection and analysis. (SecurityWeek)
Instagram fixes password reset vulnerability amid user data leak
Social media giant Meta confirmed an Instagram password reset vulnerability but denied being breached. Meta said the resolved vulnerability allowed third parties to send password reset requests to Instagram users. (SecurityWeek)
Everest Ransomware claims breach at Nissan, says 900GB of data stolen
While no sensitive personal data is shown in the screenshots themselves, the folder names and file types imply access to operational systems and documents that could be used to map internal processes or extract more sensitive information. (Hack Read)
Can’t get enough Talos?
Talos Takes: Cyber certifications and you
In the first episode of the year, Amy Ciminnisi, Talos’ Content Manager and new podcast host, steps up to the mic with Joe Marshall to explore certifications, one of cybersecurity’s overwhelming (and sometimes most controversial) topics.
Humans of Talos: Brushstrokes and breaches with Terryn Valikodath
Join us as Terryn shares what keeps him motivated during high-pressure incidents, the satisfaction he finds in teaching others during Cyber Range trainings, and the creative outlets that help him recharge.
Microsoft Patch Tuesday for January 2026
Microsoft has released its monthly security update for January 2026, which includes 112 vulnerabilities affecting a range of products, including 8 that Microsoft marked as “critical.”
Upcoming events where you can find Talos
- JSAC (Jan. 21 – 23) Tokyo, Japan
- Cisco Live Amsterdam (Feb. 9 – 13) Amsterdam, Netherlands
- S4x26 (Feb. 23 – 26) Miami, FL
Most prevalent malware files from Talos telemetry over the past week
