
Cloudflare Analyzed 230 Billion Daily Threats: Here's What They Discovered

Cloudflare's network blocks more than 230 billion threats each day, a volume that shows how heavily automated attacks have become and how the way breaches begin and progress has changed.

In its first cyber threat report for 2026, Cloudflare's threat research unit, Cloudforce One, analyzed data from 2025 and offered predictions for the year ahead. The report is based on telemetry from Cloudflare's network, which manages approximately 20% of global web traffic.

Blake Darché, head of threat intelligence at Cloudforce One, emphasized the need for organizations to adapt to the evolving threat landscape. “Threat actors are continuously altering their tactics, exploiting new vulnerabilities, and discovering ways to overwhelm their targets. To avoid being caught off guard, organizations must transition from a reactive approach to one driven by real-time, actionable intelligence,” he stated.

Stolen Session Tokens Take Precedence Over Credential Guessing

Infostealers such as LummaC2 have shifted from harvesting stored passwords to extracting live session tokens from infected devices. Replaying such a token resumes an already-authenticated session, so multi-factor authentication (MFA) is never challenged at all. The report notes that 54% of ransomware attacks in 2025 could be traced back to infostealer-enabled credential theft, citing Verizon's 2025 Data Breach Investigations Report.

In May 2025, Cloudforce One joined a coordinated global effort to disrupt LummaC2's infrastructure, which included deploying warning pages across its command-and-control domains. The team is now monitoring successor variants that are expected to sharply shorten the time between infection and ransomware deployment.

Notably, bots represented 94% of all login attempts observed on Cloudflare’s network. Among human login attempts, 46% involved credentials that had previously been compromised. These statistics illustrate the extensive scale of automated credential testing occurring across the internet.
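The "previously compromised" figure above implies a check at login time against a corpus of leaked credentials. The following is an added example, not Cloudflare's code or anything from the report: it shows the k-anonymity pattern that services such as the Pwned Passwords range API use, where only the first five hex characters of the password's SHA-1 leave the caller and suffix matching happens locally. To run offline it builds a constructed, made-up corpus (`CONSTRUCTED_RANGES`) in place of the remote range endpoint; `lookup_range`, `breach_count` and `login_decision` are hypothetical names chosen for the example.

```python
import hashlib


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the form k-anonymity range APIs use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_table(leaked):
    """Build a prefix -> range-body table from (password, breach_count) pairs.

    This stands in for a remote range endpoint so the example runs offline.
    Each body line is '<35-char SHA-1 suffix>:<count>', the usual wire format."""
    table = {}
    for password, count in leaked:
        digest = sha1_hex(password)
        table.setdefault(digest[:5], []).append(f"{digest[5:]}:{count}")
    return {prefix: "\r\n".join(lines) for prefix, lines in table.items()}


# Constructed sample corpus of "previously leaked" passwords (not real breach data).
CONSTRUCTED_RANGES = build_range_table([
    ("password123", 1234),
    ("Winter2025!", 7),
    ("letmein", 98765),
])


def lookup_range(prefix: str) -> str:
    """Hypothetical range lookup: only the 5-hex-char prefix ever leaves the caller.

    A real deployment would fetch the range for `prefix` from the breach-corpus
    service here; the constructed table keeps this example offline."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, lookup=lookup_range) -> int:
    """Return how many times the password appeared in the corpus (0 = not found).

    The full hash is never sent: the caller sends the prefix and compares
    suffixes locally, so the service learns nothing usable about the password."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def login_decision(password: str, lookup=lookup_range) -> str:
    """Policy hook for the login path: allow the attempt, or force a password
    reset when the submitted credential is known-compromised."""
    return "force_reset" if breach_count(password, lookup) > 0 else "allow"


if __name__ == "__main__":
    for pw in ("password123", "correct horse battery staple"):
        print(f"{pw!r}: seen {breach_count(pw)} times -> {login_decision(pw)}")
```

In production the check runs after the password has been verified (so a wrong guess reveals nothing) and the range lookup is cached, since the same prefixes recur across the user base.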

Cloud Platforms Serve as Attack Infrastructure

Threat actors from various nation-state groups are increasingly using legitimate cloud services, such as AWS, Google Cloud, Azure, and software-as-a-service (SaaS) platforms like Google Calendar and Dropbox, to conduct malicious activities. This tactic blends attack traffic with normal enterprise usage, complicating detection efforts for security teams.

Cloudforce One categorizes this strategy as “Living off the XaaS,” or LotX. The report highlights that Chinese-affiliated groups utilize Google Calendar event descriptions to send encrypted commands to infected hosts, while Iranian-linked groups host command-and-control pages on Azure Web Apps.

Groups like Salt Typhoon and Linen Typhoon, both associated with China, continued their campaigns against North American telecommunications providers and government networks throughout 2025. The report links breaches at major companies like AT&T, Verizon, and Lumen to these operations, as well as a significant compromise of Microsoft SharePoint in July 2025. This targeting pattern suggests an intention to maintain persistent access to critical infrastructure for potential future disruptions.

Phishing at Scale Enabled by Email Authentication Gaps

An analysis of 450 million emails found widespread authentication failures: 43% did not pass SPF, over 44% lacked a valid DKIM signature, and 46% failed DMARC. Phishing-as-a-Service kits exploit these incomplete authentication chains to send spoofed messages that appear to come from trusted internal or branded senders. SPF and DKIM results alone do not settle the question: DMARC additionally requires the domain that passed to align with the visible From domain, and a domain that publishes no DMARC policy (or publishes p=none) gets no enforcement even when every check fails.
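To make the "incomplete authentication chain" concrete, here is an added example (mine, not the report's or Cloudflare's) of a minimal DMARC evaluator. It parses a simplified Authentication-Results header, applies SPF/DKIM identifier alignment against the From domain, and returns the disposition the published policy dictates. The header strings and DMARC records are constructed for the example, not captured traffic; the organizational-domain logic is simplified to the last two labels, whereas a real evaluator would consult the Public Suffix List.

```python
import re


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels.
    Real DMARC evaluators use the Public Suffix List (e.g. for example.co.uk)."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: str, from_domain: str, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match,
    relaxed ('r') only needs the same organizational domain."""
    if not auth_domain:
        return False
    a, f = auth_domain.lower(), from_domain.lower()
    return a == f if mode == "s" else org_domain(a) == org_domain(f)


def parse_dmarc_record(record: str) -> dict:
    """Turn 'v=DMARC1; p=reject; adkim=s' into a tag dict."""
    tags = {}
    for part in record.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags


def parse_auth_results(value: str):
    """Parse a simplified Authentication-Results value into
    spf=(result, mailfrom_domain) and dkim=[(result, d_domain), ...]."""
    spf, dkim = ("none", ""), []
    for clause in value.split(";")[1:]:          # clause 0 is the authserv-id
        m = re.match(r"\s*(\w+)=(\w+)(.*)", clause)
        if not m:
            continue
        method, result, rest = m.groups()
        props = dict(re.findall(r"([\w.]+)=(\S+)", rest))
        if method == "spf":
            spf = (result, props.get("smtp.mailfrom", "").rpartition("@")[2])
        elif method == "dkim":
            dkim.append((result, props.get("header.d", "")))
    return spf, dkim


def evaluate_dmarc(from_domain: str, auth_results: str, dmarc_record: str):
    """Return (dmarc_result, disposition) for one message.

    DMARC passes only if SPF or DKIM both passed *and* is aligned with the
    RFC5322.From domain. A pass for some third-party sender's domain is not
    enough, which is exactly the gap phishing kits ride on."""
    tags = parse_dmarc_record(dmarc_record)
    if tags.get("v", "").upper() != "DMARC1" or "p" not in tags:
        return ("none", "deliver")            # no usable policy published
    spf, dkim = parse_auth_results(auth_results)
    spf_ok = spf[0] == "pass" and aligned(spf[1], from_domain, tags.get("aspf", "r"))
    dkim_ok = any(r == "pass" and aligned(d, from_domain, tags.get("adkim", "r"))
                  for r, d in dkim)
    if spf_ok or dkim_ok:
        return ("pass", "deliver")
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return ("fail", disposition.get(tags["p"].lower(), "deliver"))


# Constructed headers (not captured mail). In SPOOF_ATTEMPT a bulk-sending service
# passes SPF and DKIM for its own domain while the visible From is brand.example.
SPOOF_ATTEMPT = ("mx.receiver.example; spf=pass smtp.mailfrom=bounce@bulk-sender.net; "
                 "dkim=pass header.d=bulk-sender.net")
LEGIT_MESSAGE = ("mx.receiver.example; spf=fail smtp.mailfrom=bounce@bulk-sender.net; "
                 "dkim=pass header.d=news.brand.example")
WEAK_POLICY = "v=DMARC1; p=none; rua=mailto:dmarc@brand.example"   # monitor only
HARD_POLICY = "v=DMARC1; p=reject; adkim=r; aspf=r"                 # enforced

if __name__ == "__main__":
    for label, hdr, rec in (("spoof/p=none", SPOOF_ATTEMPT, WEAK_POLICY),
                            ("spoof/p=reject", SPOOF_ATTEMPT, HARD_POLICY),
                            ("legit/p=reject", LEGIT_MESSAGE, HARD_POLICY)):
        print(label, evaluate_dmarc("brand.example", hdr, rec))
```

The weak record and the hard record differ by one tag, `p=`, yet only the second turns a failed alignment check into a rejected message; the report's 46% DMARC-failure figure is the share of mail that reaches this branch.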

The most commonly impersonated brands in phishing campaigns included Windows, SANS, Microsoft, Stripe, and Facebook. Researchers also intercepted over $123 million in business email compromise (BEC) theft attempts in 2025; the average amount targeted was roughly $49,225, which suggests fraudsters deliberately request sums below typical executive approval thresholds to improve their odds.

Record Levels of DDoS Attacks in 2025

The total number of distributed denial-of-service (DDoS) attacks recorded by Cloudflare more than doubled in 2025, reaching 47.1 million. Network-layer attacks tripled compared to the previous year, and Cloudforce One documented 19 new world-record attacks. The largest attack, a 31.4 Tbps UDP flood launched by the Aisuru botnet in November 2025, was nearly six times the size of the largest attack recorded in 2024.

Most DDoS attacks in 2025 lasted less than 10 minutes, significantly narrowing the window for human-led mitigation. The Aisuru botnet and its successor Kimwolf are estimated to control between one and four million infected hosts. The report notes that over 550 command-and-control nodes associated with Kimwolf were null-routed in early 2026.

North Korean Operatives Infiltrating Remote Workforces

State-sponsored operatives linked to North Korea are reportedly securing jobs at Western organizations by using AI-generated deepfake profiles and U.S.-based laptop farms that create the illusion of domestic residency. Once employed, these operatives remit their salaries to the regime and may hand it access to internal systems. Detection indicators include impossible-travel login alerts, mouse-jiggler software on company endpoints, and video metadata artifacts consistent with real-time deepfake rendering.
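Of the three indicators above, impossible travel is the one that falls out of ordinary login telemetry. The block below is an added example, not from the report or any vendor's product: it takes per-user login events that an upstream IP-to-geo step has already annotated with coordinates, computes the great-circle distance and implied speed between consecutive logins, and raises an alert when the speed exceeds what a commercial flight could cover. The events in `SAMPLE_LOGINS` are constructed, and the 1000 km/h threshold is an assumption for the example.

```python
import math
from datetime import datetime

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0   # assumed threshold: faster than any commercial flight


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def parse_ts(ts: str) -> datetime:
    """Timestamps are UTC in the form 2026-03-02T09:00:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


# Constructed login events: (user, utc_timestamp, lat, lon, src_ip). Not real logs;
# the coordinates are assumed to come from an upstream IP-to-geo lookup.
SAMPLE_LOGINS = [
    ("jdoe",   "2026-03-02T09:00:00Z", 40.7128,  -74.0060, "203.0.113.10"),  # New York
    ("asmith", "2026-03-02T08:00:00Z", 40.7128,  -74.0060, "203.0.113.11"),  # New York
    ("jdoe",   "2026-03-02T09:45:00Z", 37.5665,  126.9780, "198.51.100.7"),  # Seoul
    ("asmith", "2026-03-02T13:00:00Z", 42.3601,  -71.0589, "203.0.113.12"),  # Boston
]


def impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins per user whose implied speed exceeds max_kmh.

    Events may arrive out of order, so they are grouped by user and sorted by
    time first. Returns one dict per alert."""
    alerts = []
    by_user = {}
    for user, ts, lat, lon, ip in events:
        by_user.setdefault(user, []).append((parse_ts(ts), lat, lon, ip))
    for user, logins in by_user.items():
        logins.sort(key=lambda e: e[0])
        for (t0, la0, lo0, ip0), (t1, la1, lo1, ip1) in zip(logins, logins[1:]):
            km = haversine_km(la0, lo0, la1, lo1)
            # Short hops are ignored: geo-IP jitter inside one metro area is not travel.
            if km < 50:
                continue
            hours = (t1 - t0).total_seconds() / 3600
            # Same timestamp but real distance: treat as infinite speed, which alerts.
            kmh = km / hours if hours > 0 else float("inf")
            if kmh > max_kmh:
                alerts.append({"user": user, "from_ip": ip0, "to_ip": ip1,
                               "km": round(km), "kmh": round(kmh)})
    return alerts


if __name__ == "__main__":
    for alert in impossible_travel(SAMPLE_LOGINS):
        print(alert)
```

The New York to Seoul pair (roughly 11,000 km in 45 minutes) is the only alert; the New York to Boston pair is about 300 km over five hours and passes. In practice the same logic runs over VPN egress too, so the remediation step is to confirm whether the second IP belongs to a corporate VPN or cloud provider before escalating.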

In 2025, manufacturing and critical infrastructure accounted for over 50% of ransomware targets, driven by the high cost of operational downtime in those sectors.
