Quarterly Threat Intelligence

Q1 2026 Threat Report

An analysis of the most active threat actors, highest-impact CVEs, and emerging attack trends across Q1 2026 — compiled from open-source intelligence, vendor disclosures, and VAPTIC research.

14+ Threat Actors · 27 CVEs Analysed · 8 Industries Covered
Q1 2026 · January – March
VAPTIC Threat Intelligence Report
Q1 2026 — Published April 2026
+23% · Ransomware attacks vs Q4 2025
9.8 · Highest CVSS score (critical)
58% · Attacks used phishing as entry
$4.9M · Average breach cost Q1 2026
Section 1

Top Threat Actors — Q1 2026

The most active and dangerous threat groups observed this quarter — based on confirmed incident attributions, OSINT, and vendor intelligence reports.

LockBit 3.0 / LockBit Reborn
Russia-affiliated · Ransomware-as-a-Service

Despite the February 2024 law enforcement disruption (Operation Cronos), LockBit affiliates have regrouped under new infrastructure. Q1 2026 saw 34 confirmed new victims across manufacturing, healthcare, and critical infrastructure.

Tags: Ransomware · Double Extortion · RaaS · Manufacturing
Threat level: Critical
Scattered Spider (UNC3944)
English-speaking · Social Engineering Specialist

The group responsible for the 2023 MGM and Caesars attacks continues to target large enterprises using sophisticated vishing and MFA fatigue techniques. Q1 2026 saw three new hospitality sector breaches attributed to affiliates.

Tags: Vishing · MFA Bypass · Identity Attacks · Hospitality
Threat level: Critical
Volt Typhoon
PRC State-sponsored · Critical Infrastructure

China's Volt Typhoon APT continues pre-positioning campaigns in US and European energy, water, and communications infrastructure. Notable for "living off the land" techniques that evade traditional AV and EDR solutions.

Tags: APT · Living off the Land · Critical Infrastructure · Long-term Access
Threat level: Critical
ALPHV / BlackCat (Successors)
Russia-affiliated · Financial Sector Focus

Following the FBI disruption and the $22M Change Healthcare ransom, ALPHV operators have re-emerged under new branding. The healthcare sector continues to be a primary target, with attacks aimed at payment processing and patient record systems.

Tags: Healthcare · Financial · Triple Extortion · Rust-based
Threat level: High
Section 2

Most Exploited CVEs — Q1 2026

Vulnerabilities actively exploited in the wild during Q1 2026, ranked by CVSS score and exploitation frequency. Patch these first.

CVE-2025-0282
Ivanti Connect Secure — Stack-based Buffer Overflow (RCE)
Ivanti · SSL VPN · Exploited by UNC5337 and CISA-confirmed in-the-wild exploitation from January 2025
CVSS 3.1: 9.0
CVE-2025-21418
Windows Ancillary Function Driver — Privilege Escalation
Microsoft · Windows kernel · Actively exploited zero-day patched in February 2025 Patch Tuesday
CVSS 3.1: 7.8
CVE-2024-55591
Fortinet FortiOS — Authentication Bypass (Admin Access)
Fortinet · FortiGate firewalls · Exploited by multiple ransomware groups for initial access to enterprise networks
CVSS 3.1: 9.6
CVE-2025-24085
Apple CoreMedia — Use-After-Free (iOS Zero-Day)
Apple · iOS, iPadOS, macOS · Zero-day exploited against targeted individuals; patched in iOS 18.3
CVSS 3.1: 7.8
CVE-2025-27364
MITRE Caldera — Remote Code Execution via Agent Upload
MITRE · Security testing platform · Exploited by threat actors who compromised misconfigured public-facing Caldera instances
CVSS 3.1: 9.8
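"Patch these first" only becomes actionable once the list is matched against what an organisation actually runs. As an added example, not part of the VAPTIC report, the Python script below turns the CVE list above into a patch order for a specific estate: it matches each listed CVE to hosts in a constructed asset inventory, checks it against a constructed stand-in for a cached CISA KEV feed, and ranks known-exploited and ransomware-used vulnerabilities ahead of the rest, then by CVSS score, then by how many hosts are exposed. The CVE ids, affected products and CVSS scores are taken from the report; the hostnames, KEV dates, ransomware-use flags and the 14-day remediation SLA are assumptions made for the illustration.

```python
"""Prioritise the Q1 2026 CVE list against an asset inventory.

Added example, not part of the VAPTIC report. CVE ids, products and CVSS
scores come from the report; the inventory, KEV dates, ransomware flags and
SLA below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# CVE entries as listed in the report: id -> (affected product, CVSS 3.1 score).
REPORT_CVES: Dict[str, Tuple[str, float]] = {
    "CVE-2025-0282": ("Ivanti Connect Secure", 9.0),
    "CVE-2025-21418": ("Windows", 7.8),
    "CVE-2024-55591": ("FortiOS", 9.6),
    "CVE-2025-24085": ("iOS", 7.8),
    "CVE-2025-27364": ("MITRE Caldera", 9.8),
}

# Constructed stand-in for a cached CISA KEV feed: id -> (date added, ransomware use).
# The dates and flags are placeholders, not the real catalogue values.
SAMPLE_KEV: Dict[str, Tuple[date, bool]] = {
    "CVE-2025-0282": (date(2026, 1, 8), True),
    "CVE-2024-55591": (date(2026, 1, 14), True),
    "CVE-2025-21418": (date(2026, 2, 11), False),
    "CVE-2025-24085": (date(2026, 1, 29), False),
}

# Constructed asset inventory: hostname -> installed product.
SAMPLE_ASSETS: Dict[str, str] = {
    "vpn-edge-01": "Ivanti Connect Secure",
    "fw-dc-01": "FortiOS",
    "ws-finance-12": "Windows",
    "lab-redteam-01": "MITRE Caldera",
}


@dataclass
class PatchItem:
    cve: str
    product: str
    cvss: float
    in_kev: bool
    ransomware_use: bool
    hosts: List[str]
    due: Optional[date]  # remediation deadline derived from the KEV date, if listed


def prioritise(cves: Dict[str, Tuple[str, float]],
               kev: Dict[str, Tuple[date, bool]],
               assets: Dict[str, str],
               kev_sla_days: int = 14) -> List[PatchItem]:
    """Return the CVEs that affect hosts in `assets`, most urgent first."""
    items: List[PatchItem] = []
    for cve, (product, cvss) in cves.items():
        hosts = sorted(h for h, p in assets.items() if p == product)
        if not hosts:
            continue  # nothing in the estate runs this product
        entry = kev.get(cve)
        in_kev = entry is not None
        ransomware = entry[1] if entry else False
        due = entry[0] + timedelta(days=kev_sla_days) if entry else None
        items.append(PatchItem(cve, product, cvss, in_kev, ransomware, hosts, due))
    # Known-exploited first, ransomware-used within that, then CVSS, then exposure breadth.
    items.sort(key=lambda i: (not i.in_kev, not i.ransomware_use, -i.cvss, -len(i.hosts)))
    return items


def main() -> None:
    for item in prioritise(REPORT_CVES, SAMPLE_KEV, SAMPLE_ASSETS):
        flags = ("KEV" if item.in_kev else "not in KEV") + (", ransomware" if item.ransomware_use else "")
        due = item.due.isoformat() if item.due else "no KEV deadline"
        print(f"{item.cve}  {item.product:<22} CVSS {item.cvss:<4} {flags:<22} due {due}  hosts: {', '.join(item.hosts)}")


if __name__ == "__main__":
    main()
```

With a real copy of the KEV JSON, the stand-in dictionary would be built from each entry's `cveID`, `dateAdded` and `knownRansomwareCampaignUse` fields; the sort then puts the Fortinet and Ivanti edge devices first, the Windows privilege escalation after them, and the Caldera instance last despite its higher CVSS, because CVSS alone does not reflect whether a bug is being used against organisations like yours.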
Section 4

Industry Impact — Q1 2026

Percentage of confirmed incidents by sector. Healthcare and critical infrastructure continue to bear disproportionate attack volume relative to sector size.

Healthcare: 24% of all Q1 2026 ransomware incidents targeted healthcare providers or insurers
Manufacturing: 19% of incidents impacted OT/ICS manufacturing environments, up from 14% in Q4 2025
Financial Services: 16%, targeted for BEC, account takeover, and payment fraud rather than ransomware
Education: 13%, universities targeted for research IP and student data theft; security is frequently under-resourced
Energy & Utilities: 11%, primarily pre-positioning by state-sponsored APTs (Volt Typhoon) rather than financial crime
Other Sectors: 17%, retail, government, legal, and professional services combined
Download the Full Q1 2026 Threat Intelligence Report (PDF)
38 pages · Includes IOCs, MITRE ATT&CK mappings, and sector-specific recommendations · Updated April 2026
Build Your Defences
Turn threat intelligence into hands-on skills
Understanding threats is step one. Knowing how to detect, contain, and counter them is what the job requires. CEH v13 and Security+ at VAPTIC cover every technique documented in this report — in live labs.