
Blackpoint Cyber’s newly released Annual Threat Report revealed a major shift in cybercriminal tactics as attackers increasingly compromise organizations by abusing trusted credentials, tools, and everyday workflows rather than exploiting software vulnerabilities.
“Throughout 2025, simple symbols of trust such as a valid username, a legitimate password, or a trusted tool became the adversary’s welcome mat,” says Gagan Singh, Blackpoint CEO. “If 2025 was the year attackers weaponized trust, then 2026 must be the year defenders redefine it.”
Key takeaways:
- Drawing on incident response data from the Blackpoint Security Operations Center, the report identifies a defining trend from 2025. Attackers increasingly bypass traditional defenses by logging in through legitimate credentials and repurposing the same tools organizations rely on to run their businesses.
- Attackers are increasingly living off the land by using SSL VPN gateways, remote monitoring and management tools, and legitimate Windows utilities to blend into normal IT activity.
- Fake CAPTCHA and ClickFix campaigns accounted for 57.5% of incidents observed by the Blackpoint SOC, exploiting routine user verification behavior to trigger remote code execution.
- The abuse of legitimate RMM tools represented 30.3% of incidents, while SSL VPN compromises accounted for 32.8% of identifiable activity.
- Adversary-in-the-Middle techniques allow attackers to hijack authenticated sessions and bypass traditional multi-factor authentication protections.
- Threat actors increasingly deploy EtherHiding, embedding malicious logic within decentralized blockchain smart contracts to manage compromised websites at scale.
- Manufacturing and industrial organizations accounted for 11.5% of incidents, reflecting the sector’s reliance on legacy infrastructure and its low tolerance for operational disruption.















