By 2026, MSSPs will compete less on tooling and more on clarity, speed, and foresight. Security buyers want proof that their provider understands what threats matter now, how fast they can respond, and how security decisions reduce business risk.

At the center of this challenge sits threat intelligence. Not as a research output, but as an operational input shaping every security decision. 

What Clients Will Demand This Year: The Five Deciding Factors 

Winning deals in 2026 means excelling where others fall short. Prospects grill providers on these five areas before signing: 

• Relentless Threat Blocking: They want evidence you’re stopping attacks they can’t see coming. 

• Clean, Actionable Alerts: Too many false positives waste time and erode confidence. 

• Blazing-Fast Incident Response: Slow containment turns small incidents into headline breaches. 

• Forward-Leaning Threat Hunting: Reactive-only services feel outdated in a zero-trust world. 

• Undeniable ROI Visibility: Executives need clear proof of risks blocked and value delivered. 

Master these with actionable threat intelligence, and you’ll close more deals while your competitors hassle.

ANY.RUN’s Threat Intelligence Feeds contain real-time streams of malicious IPs, domains, and URLs pulled from millions of sandbox submissions, updated frequently to keep you ahead. TI Feeds are not background data. They are the operational core of detection, response, hunting, reporting, and proactive defense. 

Here are the five ways to stand out by employing real-time trustworthy threat data. 

1. Early awareness defines credibility 

Clients rarely see the attacks you stop. They only notice the ones you miss. One successful intrusion can erase years of good service and trigger immediate vendor reassessment. 

The difficulty lies in the speed of attacker adaptation. Malware changes quickly, infrastructure rotates, and indicators expire fast. Detection logic based on static or delayed intelligence struggles to keep pace. 

What mature threat intelligence enables: 

ANY.RUN’s TI Feeds deliver continuously updated indicators along with sandbox analyses documenting attacker behavior extracted from live malware execution. For MSSPs, this means: 

• Detection rules that evolve as threats evolve;

• Faster identification of emerging malware families; 

• Visibility into infrastructure used in active attacks; 

• Reduced reliance on outdated or recycled indicators. 

Instead of reacting to incidents reported elsewhere, your MSSP detects threats while competitors are still catching up. For clients, that difference is felt as safety, not statistics. 

2. Response matters more than perfection 

No MSSP can prevent every incident. What matters is how quickly and confidently you respond. Long investigations, unclear answers, and delayed containment create anxiety at the executive level. 

Most delays come from context gaps. Analysts must validate indicators, understand attackers’ intent, and assess scope before acting. That takes time when intelligence is fragmented. 

TI Feeds give response teams immediate access to: 

• Fresh, validated indicators of compromise: malicious IPs, domains, and URLs continuously updated from real malware analysis by over 15K SOC teams;

• Contextual metadata including links to sandbox analysis sessions that provide additional insight into threat behavior;

• Intelligence that supports instant containment decisions;

• Formats compatible with SIEMs and security platforms (STIX, MISP) for seamless integration into existing workflows;

• API-enabled delivery so intelligence can feed automated detection and monitoring systems in real time.

This allows MSSPs to move from alert to action in minutes, not hours. Over time, clients associate your service with decisiveness and control. That perception is critical for renewal conversations. 

3. Proactive security becomes expected 

By 2026, clients will not ask whether you offer threat hunting. They will assume you do. The real question will be whether your hunting produces meaningful results or just internal noise. 

Without fresh intelligence, hunting teams often chase weak signals or outdated hypotheses. That leads to low impact and poor client communication. 

With TI Feeds, MSSPs can anchor threat hunting in reality: 

•  Hunt for indicators tied to active attacker campaigns; 

•  Correlate client telemetry with known malicious behavior; 

•  Continuously refine hypotheses using new feed data; 

•  Demonstrate findings backed by observable attacker activity. 

This makes threat hunting repeatable, scalable, and easier to justify commercially. 

4. Reporting shapes executive perception 

Executives don’t want dashboards full of alerts. They want confidence that risk is being reduced and managed. Poor reporting creates the impression that security work is abstract or disconnected from business reality. 

In many cases, churn begins not after incidents, but after months of unclear reporting. 

TI Feeds allow MSSPs to report on outcomes, not effort: 

• Indicators with associated threat context help explain why a detected indicator matters; 

• Detection timestamps and threat labels reveal whether an indicator is recent and connected to active campaigns; 

• Consistent delivery of validated, actionable IOCs allows reports to reflect real threat activity, not noise. 

Reports become stories of protection delivered, not lists of events processed. This is where MSSPs justify their value in language decision-makers understand. 

5. Generic defense won’t hold clients 

Clients increasingly expect their security posture to evolve alongside attacker behavior. Generic controls applied uniformly across clients feel outdated and inattentive. The challenge is keeping defenses current without overwhelming analysts. 

By aligning TI Feeds with each client’s risk profile, MSSPs can: 

• Base decisions on high-confidence threat data, minimizing distraction from low-value or false signals; 

• Use enriched contextual data to explain how specific IOCs are connected to observed or emerging threats; 

• Update detection logic as campaigns evolve. 

Security stops being reactive and starts feeling anticipatory. Clients feel seen, protected, and prioritized. That emotional factor matters more than most technical metrics. 

Final Thought: What Clients Are Willing to Pay For 

MSSPs don’t lose clients because attackers exist. They lose clients because they fail to show awareness, speed, and progress. 

In 2026, Threat Intelligence Feeds are the foundation of competitive MSSP services. They power better detection, faster response, meaningful hunting, credible reporting, and proactive protection. The key metrics demonstrate this clearly:  

• Security teams report up to a 21‑minute reduction in MTTR per case, with automation-ready feeds accelerating triage and containment actions. 

• Up to 58% more threats identified after integrating TI Feeds into detection rules and playbooks. 

• Streamlined intelligence lets Tier 1 teams resolve more incidents independently, reducing escalations to senior analysts by 30%. 

The MSSPs that win will be those who turn intelligence into visible outcomes their clients can trust month after month.

About ANY.RUN 

Trusted by over 500,000 cybersecurity professionals and 15,000+ organizations in finance, healthcare, manufacturing, and other critical industries, ANY.RUN helps security teams investigate threats faster and with greater accuracy.     

Our Interactive Sandbox accelerates incident response by allowing you to analyze suspicious files in real time, watch behavior as it unfolds, and make confident, well-informed decisions.     

Our Threat Intelligence Lookup and Threat Intelligence Feeds strengthen detection by providing the context your team needs to anticipate and stop today’s most advanced attacks.     

Start a 2-week ANY.RUN trial → 

FAQ: Threat Intelligence Feeds for MSSPs 

The post 5 Ways MSSPs Can Win Clients in 2026 appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

We’re glad to present our regular quarterly report highlighting the most prominent malicious trends of the last three months of 2025, as observed by ANY.RUN’s community. 

Following the release of our annual report on key threats and milestones, this report offers a closer look at the threat landscape of the final chapter of 2025. 

The Malware Trends report Q4 features top malware types, families, phishing kits, TTPs, APTs, and other notable insights. 

You can turn to the previous Q3 report for reference. 

Key Takeaways 

• Threat activity remained steady, with sandbox usage up 6% quarter over quarter and over 1 billion IOCs collected, reflecting sustained investigative demand rather than volume spikes. 

• Stealers still dominate, even after a 16% decline, confirming credential theft as a primary attacker objective. 

• RATs and backdoors gained momentum, with RATs up 28% and backdoors up 68%, signaling a shift toward persistent access and modular malware. 

• XWorm and open-source RATs surged, with XWorm up 174%, showing attackers favor adaptable, widely shared toolsets over saturated stealer families. 

• Phishing continued to evolve, led by Tycoon and EvilProxy, underscoring the growing sophistication of PhaaS and 2FA bypass campaigns. 

Summary 

• Total sandbox sessions: 2,015,181  

• Malicious: 389,636  

• Suspicious: 75,113  

• IOCs: 1,015,431,934  

During the last quarter of 2025, overall threat investigation activity remained stable — no drastic growth in volume. The total number of sandbox analyses conducted in ANY.RUN’s Interactive Sandboxincreased slightly by 6%, surpassing 2 million since Q3. 

Over one billion indicators were gathered by our community during analysis sessions. A total of 389,636 samples were labeled as malicious, and 75,113 as suspicious. 

Top Malware Types: Highlights 

1. Stealer: 36,685  

2. RAT: 23,788 

3. Loader: 19,070  

4. Backdoor: 10,560  

5. Ransomware: 7,317  

6. Adware: 5,854  

7. Botnet: 5,149 

8. Trojan: 2,813  

9. Miner: 2,668  

10. Keylogger: 2,598 

Although the list of top malware types looks similar to Q3 at first glance, several notable changes in activity levels should be pointed out: 

• Stealer dominance persists despite a 16% drop. This signals that credential theft remains a priority for attackers targeting financial sectors. 

Widespread families: Lumma,  Stealc, Blank Grabber 

• RAT surged (+28%), overtaking Loaders’ second place. A clear indication of remote access tools gaining traction for persistent post-exploitation in enterprise environments. 

Widespread families: XWorm, Quasar RAT, AsyncRAT 

• Loader threats moved one place down despite a slight decrease in detections. 

Widespread families: Smoke Loader, PureCrypter, HijackLoader 

Backdoor‘s 68% activity growth reflects modular malware kits proliferating, enabling easier customization and evasion of traditional defenses. 

Adware moved up two places with a 31% rise in activity, while ransomware detections decreased by the same percentage. 

At the lower end of the list there are Botnet with 5K detections, Trojan with 2.8K, Miner with 2.6K, and Keylogger with 2.5K. 

Detect evasive threats with ANY.RUN’s Interactive Sandbox   

ANY.RUN’s Interactive Sandbox enables businesses and SOC teams to proactively identify cyber threats by analyzing files and URLs inside interactive Windows, Linux, Android VMs.  

• Stronger Protection for Businesses: Early detection and shorter MTTD minimize risks, safeguarding infrastructure and reputation. 

• Higher Efficiency & ROI: Faster investigations cut costs, reduce analyst load, and power quicker incident resolution. 

• Smarter Decision-Making: Flexible, enterprise-grade solution enhances visibility into threats, allowing for insight-driven action. 

Top Malware Families 

1. XWorm: 13,945  

2. AsyncRAT: 5,056  

3. Quasar: 4,711  

4. Vidar: 4,498  

5. Stealc: 4,432 

6. Remcos: 3,598  

7. Lumma: 3,399  

8. Blackmoon: 3,208 

9. AgentTesla: 3,136  

10. Mirai: 3,067 

This section indicates a number of drastic changes in intensity and volume of certain threats. Key observations include: 

XWorm, driven by its adaptability across industries like manufacturing and healthcare, showed a +174% surge. 

XWorm IOCs from Threat Intelligence Lookup 

• centre-instruction[.]gl[.]at[.]ply[.]gg 

• uk-compete[.]gl[.]at[.]ply[.]gg 

• 176[.]113[.]73[.]167 

Find more IOCs in TI Lookup with this query: 

threatName:”xworm” AND domainName:”” 

• AsyncRAT and Quasar grew by 46% and 27%, showing open-source RATs outpacing commercial stealers, fueled by underground sharing and rapid evolution. 

AsyncRAT IOCs from Threat Intelligence Lookup  

• xoilac[.]livecdnem[.]com 

• asj299[.]com 

• 94[.]154[.]35[.]160 

Find more IOCs in TI Lookup with this query: 

threatName:”asyncrat” AND domainName:”” 

Lumma’s fall from first to eighth place with a -65% plunge highlights attacker shifts to newer, less-detected families, reducing reliance on saturated stealer platforms. 

Lumma IOCs from Threat Intelligence Lookup  

• handpaw[.]click 

• mattykp[.]click  

• 159[.]198[.]70[.]75 

Find more IOCs in TI Lookup with this query: 

threatName:”lumma” AND domainName:”” 

Vidar and Stealc with 4K+ detections each re-emerged in Q4, indicating a sudden end-of-year growth. 

Another addition to the chart is Blackmoon with 3,208 detections. At the same time, AgentTesla and Remcos threats saw a reduction in detections and went from second and fourth places to tenth andseventh respectively. 

Ensure early threat detection via Threat Intelligence Feeds 

Gain a live view of the threat landscape with fresh, actionable IOCs delivered to you from investigations done across 15,000 companies. 

• Refine detection and response: Rich threat context and integration opportunities power your SOC for proactive defense. 

• Mitigate risks of breaches: Expanded threat coverage and visibility into threats help stay ahead of attackers without wasting time on false alarms. 

• Improve performance rates: Unique, noise-free indicators beat alert fatigue and promote early detection even for hidden and evasive threats. 

Top TTPs 

The top 10 most detected techniques, tactics, and procedures (TTPs) show significant shifts from quarter to quarter — a reminder that threat actors never stop refining and changing their methods. 

The number of detections for TTPs mostly grew: the first place is taken up by Subvert Trust Controls: Install Root Certificate, T1553.004 with 227,451 detections. In Q3, the first place was taken by a TTP with activity rate twice as small. 

Second place was still occupied by Masquerading: Rename Legitimate Utilities, T1036.003 with 105,539 detections (+9%). 

A new addition to the list, Command and Scripting Interpreter: Windows Command Shell , T1059.003, came third with 71,608 detections. 

1. Subvert Trust Controls: Install Root Certificate, T1553.004: 227,451 

2. Masquerading: Rename Legitimate Utilities, T1036.003: 105,539 

3. Command and Scripting Interpreter: Windows Command Shell, T1059.003: 71,608 

4. Command and Scripting Interpreter: PowerShell, T1059.001: 64,684 

5. Virtualization/Sandbox Evasion: Time Based Checks, T1497.003: 51,910 

6. Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder, T1547.001: 46,007 

7. System Services: Service Execution, T1569.002: 38,515 

8. Masquerading: Match Legitimate Resource Name or Location, T1036.005: 35,278 

9. Scheduled Task/Job: Scheduled Task, T1053.005: 21,460 

10. Signed Binary Proxy Execution: Rundll32, T1218.011: 19,236 

Collect Fresh Threat Intelligence with Threat Intelligence Lookup 

TI Lookup offers a searchable database of fresh Indicators 
of Compromise (IOCs), Attack (IOAs), and Behavior (IOBs) belonging to the latest cyber attacks on 15,000 companies. 

• Build proactive defense: Actionable threat intelligence drives targeted and insightful research for staying ahead. 

• Ensure rapid triage and response: Instant enrichment of indicators with behavioral context makes for fast and smart decisions. 

• Optimize workload: Rich threat data empowers Tier 1 analysts to work sustainably, reducing escalations to Tier 2. 

Phishing Activity in Q4 2025 

Overall phishing activity by uploads: 159,592 

Activity by phishing kits  

Phishkits: 

1. Tycoon: 41,046  

2. EvilProxy: 14,258  

3. Sneaky2FA: 7,272 

4. Mamba2FA: 3,904  

5. Salty2FA: 350  

Q4’s results align with our annual report’s conclusions: phishing is a prevalent type of cyber threat and Tycoon dominates in this category: 

• It remained at the top of the list with double the intensity of detections. Same with EvilProxy: it stayed second with 51% increase in volume. This underscores PhaaS maturation, with kits now bundling advanced 2FA bypass for high-value targets. 

• Sneaky2FA moved from fourth to third place with a whopping +138% rise in activity. 

• Salty2FA moved two places down, pointing to 2FA fatigue exploitation accelerating in enterprise phishing campaigns. 

• Mamba2FA, absent from the list in the previous quarter, took fourth place with 3.9K detections. 

Activity by cyber criminal groups 

1. Storm1747: 37,274  

2. TA569: 4,054 

3. TA558: 231 

4. Storm1575: 21 

5. APT36: 18 

Key observations regarding APT activity in Q4 2025: 

• Storm1747’s dominance continued with a 51% rise in activity, likely tied to phishing infrastructure evolution targeting finance across EU/NA regions. 

• TA558‘s jumped into top ranks with +83% detections, suggesting expanded operations, possibly leveraging modular loaders for broader campaign reach. 

• At the lower part of the list, we can see APTs’ displaying sharp 70-97% declines, likely due to the detection improvements or operational pauses. The focus shifted to more opportunistic actors. 

Top Protectors and Packers 

1. UPX: 12,576  

2. NetReactor: 4,300  

3. Themida: 3,244  

4. ASPack: 1,263  

5. Confuser: 2,204  

Top 5 most detected protectors and packers correspond with those of Q3. However, there are differences in terms of their intensity: 

• UPX remains dominant despite an 11% drop, remaining attackers’ go-to for simple, fast obfuscation across commodity malware. 

• NetReactor and Themida’s sharp declines (-49% and -37% respectively) signal detection improvements and attacker shift to newer .NET-focused protectors.  

• Confuser kept its fifth place with a 48% growth that reflects .NET malware boom. Attackers favor it for evading static analysis in enterprise-targeted payloads. 

Conclusion 

Q4 2025 shows a stable but evolving threat landscape. Key trends include persistent stealer activity, rising RATs and backdoors, and a dynamic phishing landscape. These insights underscore the importance of continuous monitoring and proactive threat analysis to stay ahead of emerging risks. 

About ANY.RUN 

ANY.RUN develops solutions for malware analysis and threat hunting. Its interactive malware analysis sandbox is used by over 500,000 cybersecurity professionals worldwide. It enables detailed investigation of threats targeting Windows, Android, and Linux systems with hands-on analysis and instant visualization of malware behavior. 

ANY.RUN’s threat intelligence solutions, including Threat Intelligence Lookup and Threat Intelligence Feeds, allow teams to quickly identify indicators of compromise, enrich alerts, and investigate incidents early on. As a result, analysts gain actionable insights, uncover hidden threats, and improve overall cybersecurity posture. 

Start a 2-week ANY.RUN trial → 

The post Malware Trends Q4 2025: Inside ANY.RUN’s Latest Threat Landscape Report  appeared first on ANY.RUN’s Cybersecurity Blog.

ANY.RUN’s Cybersecurity Blog – ​Read More

Cyble Vulnerability Intelligence researchers tracked 2,415 vulnerabilities in the last week, a significant increase over even last week’s very high number of new vulnerabilities. The increase signals a heightened risk landscape and expanding attack surface in the current threat environment. 

Over 300 of the disclosed vulnerabilities already have a publicly available Proof-of-Concept (PoC), significantly increasing the likelihood of real-world attacks. 

A total of 219 vulnerabilities were rated as critical under the CVSS v3.1 scoring system, while 47 received a critical severity rating based on the newer CVSS v4.0 scoring system.  

Even after factoring out a high number of Linux kernel and Adobe vulnerabilities (chart below), new vulnerabilities reported in the last week were still very high. 

What follows are some of the IT and ICS vulnerabilities flagged by Cyble threat intelligence researchers in recent reports to clients spanning December 9-16. 

The Week’s Top IT Vulnerabilities 

CVE-2025-59385 is a high-severity authentication bypass vulnerability affecting several versions of QNAP operating systems, including QTS and QuTS hero. Fixed versions include QTS 5.2.7.3297 build 20251024 and later, QuTS hero h5.2.7.3297 build 20251024 and later, and QuTS hero h5.3.1.3292 build 20251024 and later. 

CVE-2025-66430 is a critical vulnerability in Plesk 18.0, specifically affecting the Password-Protected Directories feature. It stems from improper access control, potentially allowing attackers to bypass security mechanisms and escalate privileges to root-level access on affected Plesk for Linux servers. 

CVE-2025-64537 is a critical DOM-based Cross-Site Scripting (XSS) vulnerability affecting Adobe Experience Manager. The vulnerability could allow attackers to inject malicious scripts into web pages, which are then executed in the context of a victim’s browser, potentially leading to session hijacking, data theft, or further exploitation. 

CVE-2025-43529 is a critical use-after-free vulnerability in Apple’s WebKit browser engine, which is used in Safari and other Apple applications. The flaw could allow attackers to execute arbitrary code on affected devices by tricking users into processing maliciously crafted web content, potentially leading to full device compromise. CISA has added the vulnerability to its Known Exploited Vulnerabilities (KEV) catalog. 

CVE-2025-59718 is a critical authentication bypass vulnerability affecting multiple versions of Fortinet products, including FortiOS, FortiProxy, FortiSwitchManager, and FortiWeb. The flaw could allow unauthenticated attackers to bypass FortiCloud Single Sign-On (SSO) login authentication by sending a specially crafted SAML message. The vulnerability has been added to CISA’s KEV catalog. 

Notable vulnerabilities discussed in open-source communities included CVE-2025-55182, a critical unauthenticated remote code execution (RCE) vulnerability affecting React Server Components; CVE-2025-14174, a critical memory corruption vulnerability affecting Apple’s WebKit browser engine; and CVE-2025-62221, a high-severity use-after-free elevation of privilege vulnerability in the Windows Cloud Files Mini Filter Driver. 

Vulnerabilities Discussed on the Dark Web 

Cyble Research and Intelligence Labs (CRIL) researchers also observed several threat actors discussing weaponizing vulnerabilities on dark web forums. Among the vulnerabilities under discussion were: 

CVE-2025-55315, a critical severity vulnerability classified as HTTP request/response smuggling due to inconsistent interpretation of HTTP requests in ASP.NET Core, particularly in the Kestrel server component. The flaw arises from how chunk extensions in Transfer-Encoding: chunked requests with invalid line endings are handled differently by ASP.NET Core compared to upstream proxies, enabling attackers to smuggle malicious requests. An authorized attacker can exploit this vulnerability over a network to bypass security controls, leading to impacts such as privilege escalation, SSRF, CSRF bypass, session hijacking, or code execution, depending on the application logic. 

CVE-2025-59287 is a critical-severity remote code execution (RCE) vulnerability stemming from improper deserialization of untrusted data in Microsoft Windows Server Update Services (WSUS). The core flaw occurs in the ClientWebService component, where a specially crafted SOAP request to endpoints like SyncUpdates triggers decryption and unsafe deserialization of an AuthorizationCookie object using .NET’s BinaryFormatter, allowing arbitrary code execution with SYSTEM privileges. Unauthenticated remote attackers can exploit this over WSUS ports (e.g., 8530/8531) to deploy webshells or achieve persistence, with real-world exploitation already observed. 

CVE-2025-59719, a critical severity vulnerability due to improper cryptographic signature verification, permitting authentication bypass in Fortinet FortiWeb through FortiCloud SSO. Attackers can submit crafted SAML response messages to evade login checks without proper authentication. This unauthenticated flaw has a high impact and has been actively exploited post-disclosure. 

ICS Vulnerabilities 

Cyble also flagged two industrial control system (ICS) vulnerabilities as meriting high-priority attention by security teams. They include: 

CVE-2024-3596: multiple versions of Hitachi Energy AFS, AFR, and AFF Series products are affected by a RADIUS Protocol vulnerability, Improper Enforcement of Message Integrity During Transmission in a Communication Channel. Successful exploitation of the vulnerability could compromise the integrity of the product data and disrupt its availability. 

CVE-2025-13970: OpenPLC_V3 versions prior to pull request #310 are vulnerable to this Cross-Site Request Forgery (CSRF) flaw. Successful exploitation of the vulnerability could result in the alteration of PLC settings or the upload of malicious programs. 

Conclusion 

The record number of new vulnerabilities observed by Cyble in the last week underscores the need for security teams to respond with rapid, well-targeted actions to patch the most critical vulnerabilities and successfully defend IT and critical infrastructure. A risk-based vulnerability management program should be at the heart of those defensive efforts. 

Other cybersecurity best practices that can help guard against a wide range of threats include segmentation of critical assets; removing or protecting web-facing assets; Zero-Trust access principles; ransomware-resistant backups; hardened endpoints, infrastructure, and configurations; network, endpoint, and cloud monitoring; and well-rehearsed incident response plans. 

Cyble’s comprehensive attack surface management solutions can help by scanning network and cloud assets for exposures and prioritizing fixes, in addition to monitoring for leaked credentials and other early warning signs of major cyberattacks. 

The post The Week in Vulnerabilities: More Than 2,000 New Flaws Emerge  appeared first on Cyble.

Cyble – ​Read More

The outgoing year of 2025 has significantly transformed our access to the Web and the ways we navigate it. Radical new laws, the rise of AI assistants, and websites scrambling to block AI bots are reshaping the internet right before our eyes. So, what do you need to know about these changes, and what skills and habits should you bring with you into 2026? As is our tradition, we’re framing this as eight New Year’s resolutions. What are we pledging for 2026?

Get to know your local laws

Last year was a bumper crop for legislation that seriously changed the rules of the internet for everyday users. Lawmakers around the world have been busy:

• Banning social media for teens
• Introducing strict age verification (think scanning your ID) procedures to visit certain categories of websites
• Requiring explicit parental consent for minors to access many online services
• Applying pressure through blocks and lawsuits against platforms that wouldn’t comply with existing child protection laws — with Roblox finding itself in a particularly bright spotlight.

Your best bet is to get news from sites that report calmly and without sensationalism, and to review legal experts’ commentary. You need to understand what obligations fall on you, and, if you have underage children, what changes for them.

You might face difficult conversations with your kids about new rules for using social media or games. It’s crucial that teenage rebellion doesn’t lead to dangerous mistakes, such as installing malware disguised as a “restriction-bypassing mod” or migrating to small, unmoderated social networks. Safeguarding the younger generation requires reliable protection on their computers and smartphones, alongside parental control tools.

But it’s not just about simple compliance with the laws. You will almost certainly encounter negative side effects that lawmakers didn’t anticipate.

Master new methods of securing access

Some websites choose to geoblock certain countries entirely to avoid the complexities of complying with regional regulations. If you are certain your local laws allow access to the content, you can bypass these geoblocks by using a VPN. You need to select a server in a country where the site is accessible.

It’s important to choose a service that doesn’t just offer servers in the right locations, but actually enhances your privacy — as many free VPNs can effectively compromise it. We recommend Kaspersky VPN Secure Connection.

Brace for document leaks

While age verification can be implemented in different ways, it often involves the website using a third-party verification service. On your first login attempt, you’ll be redirected to a separate site to complete one of several checks: take a photo of your ID or driver’s license, use a bank card, or nod and smile for a video, and so on.

The mere idea of presenting a passport to access adult websites is deeply unpopular with many people on principle. But beyond that, there’s a serious risk of data leaks. These incidents are already a reality: data breaches have impacted a contractor used to verify Discord users, as well as service providers for TikTok and Uber. The more websites that require this verification, the higher the risk of a leak becomes.

So, what can you do?

• Prioritize services that do not require document uploads. Instead, look for those utilizing alternative age verification methods, such as a micro-transaction charge to a payment card, confirmation through your bank or another trusted external provider, or behavioral/biometric analysis.
• Pick the least sensitive and easiest-to-replace document you have, and use only that one for all verifications. “Least sensitive” in this case means containing minimal personal data and not referencing other primary identifiers, such as a national ID number.
• Use a separate, dedicated email address and phone number in combination with that document. For the sites and services that don’t verify your identity, use completely different contact details. This makes it much harder for your data to be easily pieced together from different leaks.

Learn scammers’ new playbook

It’s highly likely that under the guise of “age verification”, scammers will begin phishing for personal and payment data, and pushing malware onto visitors. After all, it’s very tempting to simply copy and paste some text on your computer instead of uploading a photo of your passport. Currently, ClickFix attacks are mostly disguised as CAPTCHA checks, but age verification is the logical next step for these schemes. How to lower these risks?

• Carefully check any websites that require verification. Do not complete the verification if you’ve already done it for that service before, or if you landed on the verification page via a link from a messaging app, search engine, or ad.
• Never download apps or copy and paste text for verification. All legitimate services operate within the browser window, though sometimes desktop users are asked to switch to a smartphone to complete the check.
• Analyze and be suspicious of any situation that requires entering a code received via a messaging app or SMS to access a website or confirm an action. This is often a scheme to hijack your messaging account or another critical service.
• Install reliable security software on all your computers and smartphones to help block access to scam sites. We recommend Kaspersky Premium — it offers a secure VPN, malware protection, alerts if your personal data appears in public leaks, a Kaspersky Password Manager, Kaspersky Safe Kids, and much more.

Cultivate healthy AI usage habits

Even if you’re not a fan of AI, you’ll find it hard to avoid — it’s literally being shoved into each everyday service: Android, Chrome, MS Office, Windows, iOS, Creative Cloud… the list is endless. As with fast food, television, TikTok, and other easily accessible conveniences, the key is striking a balance between the healthy use of these assistants and developing a dangerous dependency.

Identify the areas where your mental sharpness and personal growth matter most to you. A person who doesn’t run regularly loses fitness. Someone who always uses GPS navigation gets worse at reading paper maps. Wherever you value the work of your mind, offloading it to AI is a path to losing your edge. Maintain a balance: regularly do that mental work yourself — even if an AI can do it well — from translating text to looking up info on Wikipedia. You don’t have to do it all the time, but remember to do it often enough. For a more radical approach, you can also disable AI services wherever possible.

Know where the cost of a mistake is high. Despite developers’ best efforts, AI can sometimes deliver completely wrong answers with total confidence. These so-called hallucinations are unlikely to be fully eradicated anytime soon. Therefore, for important documents and critical decisions, either avoid using AI entirely or scrutinize its output with extreme care. Check every number, every comma.

In other areas, feel free to experiment with AI. But even for seemingly harmless uses, remember that mistakes and hallucinations are a real possibility.

How to lower the risk of leaks. The more you use AI, the more of your information goes to the service provider. Whenever possible, prioritize AI features that run entirely on your device. This category includes things like the protection against fraudulent sites in Chrome, text translation in Firefox, the rewriting assistant in iOS, and so on. You can even run a full-fledged chatbot locally on your own computer.

AI agents need close supervision. The agentic capabilities of AI — where it doesn’t just suggest but actively does work for you — are especially risky. Thoroughly research the risks in this area before trusting an agent with shopping or booking a vacation. Use modes where the assistant asks for your confirmation before entering personal data, let alone doing any shopping.

Audit your subscriptions and plans

The economics of the internet are shifting right before our eyes. The AI arms race is driving up the cost of components and computing power, tariffs and geopolitical conflicts are disrupting supply chains, and baking AI features into familiar products sometimes comes with a price hike. Practically any online service can get more expensive overnight, sometimes by double-digit percentages. Some providers are taking a different route, moving away from a fixed monthly fee to a pay-per-use model for things like songs downloaded or images generated.

To avoid nasty surprises when you check your bank statement, make it a habit to review the terms of all your paid subscriptions at least three or four times a year. You might find that a service has updated its plans and you need to downgrade to a simpler one. Or a service might have quietly signed you up for an extra feature you’re not even aware of — and you need to disable it. Some services might be better switched to a free tier or canceled altogether. Financial literacy is becoming a must-have skill for managing your digital spending.

To get a complete picture of your subscriptions and truly understand how much you’re spending on digital services each month or year, it’s best to track them all in one place. A simple Excel or Google Docs spreadsheet works, but a dedicated app like Subscrab is more convenient. It sends reminders for upcoming payments, shows all your spending month-by-month, and can even help you find better deals on the same or similar services.

Prioritize the longevity of your tech

While the allure of powerful new processors, cameras, and AI features might tempt you to buy a new smartphone or laptop in 2026, it’s very likely this purchase will last you several years. First, the pace of meaningful new features has slowed, and the urge to upgrade frequently has diminished for many. Second, gadget prices have risen significantly due to more expensive chips, labor and shipping, making major purchases harder to justify. Furthermore, regulations like those in the EU now require easily replaceable batteries in new devices, meaning the part that wears out the fastest in a phone will be simpler and cheaper to swap out yourself.

So, what does it take to make sure your smartphone or laptop reliably lasts those years?

• Physical protection. Use cases, screen protectors, and maybe even a waterproof pouch.
• Proper storage. Avoid extreme temperatures, don’t leave it baking in direct sun or freezing overnight in a car at –15°C.
• Battery care. Avoid regularly draining it to single-digit percentages.
• Regular software updates. This is the trickiest part. Updates are essential for security, protecting your phone or laptop from new types of attacks. However, updates can sometimes cause slowdowns, overheating, or battery drain. The prudent approach is to wait about a week after a major OS update, check feedback from users with your exact model, and only install it if the coast seems clear.

Secure your smart home

The Smart Home is giving way to a new concept: the Intelligent Home. The idea is that neural networks will help your home make its own decisions about what to do and when, all for your convenience — without needing pre-programmed routines. Thanks to the Matter 1.3 standard, a smart home can now manage not just lights, TVs, and locks, but also kitchen appliances, dryers, and even EV chargers! Even more importantly, we’re seeing a rise in devices where Matter over Thread is the native, primary communication protocol, like the new IKEA KAJPLATS lineup. Matter-powered devices by different vendors can see and communicate with each other. This means you can, say, buy an Apple HomePod as your smart home central hub and connect Philips Hue bulbs, Eve Energy plugs, and IKEA BILRESA switches to it.

All of this means that smart and intelligent homes will become more common — and so will the ways to attack them. We have a detailed article on smart home security, but here are a few key tips relevant in light of the transition to Matter.

• Consolidate your devices into a single Matter fabric. Use the minimum number of controllers, for example, one Apple TV + one smartphone. If a TV or another device accessible to many household members acts as a controller, be sure to use password security and other available restrictions for critical functions.
• Choose a hub and controller from major manufacturers with a serious commitment to security.
• Minimize the number of devices connecting your Matter fabric to the internet. These devices, referred to as Border Routers, must be well-protected from external cyberattacks, for example, by restricting their access at the level of your home internet router.
• Regularly audit your home network for any suspicious, unknown devices. In your Matter fabric, this is done via your controller or hub, and in your home network via your primary router or a feature like Smart Home Monitor in Kaspersky Premium.

Kaspersky official blog – ​Read More