BOSTON, Feb. 19, 2026 (GLOBE NEWSWIRE) -- Cynet, the unified, AI-powered cybersecurity platform empowering organizations to focus on what matters most, has released its 2H 2025 CyOps ECHO Report (Examination of Cyber Hostility and Operations), revealing how AI-driven attacks and organized “cyber cartels” are shrinking exploitation windows from days to hours. The report deconstructs actual attack chains investigated by Cynet’s CyOps incident response team with practical, actionable intelligence for channel partners and their customers.
AI as a Force Multiplier
In 2025, more than 40% of vulnerabilities added to the CISA KEV (Known Exploited Vulnerabilities) were confirmed zero days, and the number of zero-day vulnerabilities reached an all-time high as attackers moved toward AI-driven automation. Additionally, CyOps found that attackers leveraged AI to operationalize critical flaws within hours of disclosure. Key AI-driven tactics include:
- Advanced Social Engineering: Attackers are using AI to create hyper-realistic phishing campaigns like ClickFix that dynamically personalize themselves, manipulating users into clicking links or granting access in ways that look legitimate.
- Accelerated Malware Development: AI helps attackers build, modify, and improve malware much faster, enabling even less skilled criminals to create new variants of credential stealers and loaders like XaXa or Protector that evade detection.
- Near-Instant Exploitation: Attackers are using AI to automatically find vulnerable systems, generate exploit code, and launch attacks almost immediately after a flaw becomes public, as with the React2Shell and Oracle EBS vulnerabilities.
“Zero-day response is the new normal,” said MacKenzie Brown, Vice President of Threat Intelligence Strategy at Cynet. “When adversaries weaponize vulnerabilities in hours, traditional patching and scoring methods don’t hold up. The advantage goes to teams with actionable intelligence on exploitation likelihood and exposure, using signals such as EPSS, observed in-the-wild activity, and internet reachability.”
The Rise of Cyber Cartels
As international law enforcement agencies achieved historic victories in dismantling criminal infrastructure, threat actors responded by organizing into cyber cartels with corporate-level sophistication. Full-stack criminal enterprises now have defined roles, supply chains, customer support models, and performance incentives.
“Attackers are abandoning the ‘lone wolf’ model to hunt in packs with shared resources,” said Brown. “With groups like DragonForce coordinating alliances with LockBit and Qilin, sharing infrastructure and affiliate networks to improve resilience against takedowns, cybercrime is entering its private equity era.”
Identity: The New Perimeter
Threat actors are shifting away from noisy credential stuffing and password spraying in favor of quieter, permission-based abuse of trusted systems. Key identity-based attacks include:
- “Identity-Bending” Social Engineering: Attackers have moved away from complex exploits toward manipulating legitimate collaboration features, such as Microsoft Teams, to gain remote access.
- The Rise of “Zombie Sessions”: Cartels are using token manipulation to create cloud sessions that persist even after a user logs out, bypassing the protection of standard multi-factor authentication (MFA).
- Industrialized Infostealers: Tools like XaXa and StealerX now operate with near-zero human intervention, harvesting session tokens and OAuth credentials at scale to facilitate immediate lateral movement.
“Attackers are abusing security as designed,” said Brown. “Simply put, where attackers used to need to hotwire the vehicle, they are beginning to realize the keys are left on the driver’s seat for them. Security success depends on how fast organizations can revoke trust at machine speed, and not on prevention alone.”
Real-World Incident Response Cases
The following cases were handled by Cynet’s CyOps team as part of its 24x7 incident response operations.
- Threat Actors Elevating Social Engineering: Attackers are weaponizing trusted collaboration platforms to bypass traditional awareness controls. In this case, a manufacturing employee received what appeared to be a legitimate IT support call via Microsoft Teams. Using a trusted remote support tool, the attacker gained access, deployed webshells, and attempted to establish persistence, all without triggering traditional suspicion.
- Old Entry Point, Modern Execution: An unpatched perimeter device remains one of the fastest paths to full organization compromise. A retail organization was breached through an unpatched FortiGate firewall. Instead of custom malware, attackers leveraged built-in Windows tools to enumerate domain admins, modify registry keys for RDP access, and attempt WMI-based lateral movement, blending seamlessly into normal administrative activity.
Modern attackers don’t rely on malware alone. They increasingly weaponize legitimate tools and trusted platforms to blend into daily operations, making early detection, behavioral visibility, and 24x7 human oversight critical.
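As an added example (not code from the report or from Cynet), the following Python detection logic covers the three living-off-the-land behaviours in the FortiGate case above: domain-admin enumeration with net.exe, enabling RDP through the registry, and processes spawned by the WMI provider host. It runs over constructed Sysmon-style events; the field names follow Sysmon, and all sample values are made up.

```python
# Added example (not Cynet's code): detection logic for the living-off-the-land
# chain in the FortiGate case, run over constructed Sysmon-style events
# (EventID 1 = process create, EventID 13 = registry value set).
import re

# Real registry value controlling inbound RDP; a DWORD of 0 enables RDP.
RDP_DENY_VALUE = r"\terminal server\fdenytsconnections"
# Matches 'net group "Domain Admins" /domain' and the net1.exe variant.
DOMAIN_ADMIN_ENUM = re.compile(
    r'\bnet1?(?:\.exe)?\s+group\s+"?domain admins"?\s+/domain', re.I)

# Constructed sample events; field names follow Sysmon, values are made up.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\net.exe",
     "CommandLine": 'net  group "Domain Admins" /domain',
     "ParentImage": r"C:\Windows\System32\cmd.exe"},
    {"EventID": 13, "Image": r"C:\Windows\regedit.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control"
                     r"\Terminal Server\fDenyTSConnections",
     "Details": "DWORD (0x00000000)"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c whoami",
     "ParentImage": r"C:\Windows\System32\wbem\WmiPrvSE.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe report.txt",
     "ParentImage": r"C:\Windows\explorer.exe"},
]


def classify(event: dict):
    """Return a detection tag for one event, or None if nothing matched."""
    if event.get("EventID") == 1:
        parent = event.get("ParentImage", "").rsplit("\\", 1)[-1].lower()
        if DOMAIN_ADMIN_ENUM.search(event.get("CommandLine", "")):
            return "domain_admin_enum"
        if parent == "wmiprvse.exe":  # child of the WMI provider host
            return "wmi_spawned_process"
    elif event.get("EventID") == 13:
        target = event.get("TargetObject", "").lower()
        if target.endswith(RDP_DENY_VALUE) and \
                "0x00000000" in event.get("Details", "").lower():
            return "rdp_enabled_via_registry"
    return None


def scan(events: list) -> list:
    """Return (tag, Image) pairs for every event that matched a detection."""
    return [(classify(ev), ev.get("Image", "")) for ev in events if classify(ev)]
```

The benign notepad event is included so the scan shows what does not fire; in practice the same three checks would be run as SIEM rules over live Sysmon telemetry.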
For more actionable threat intelligence, download the full 2H 2025 CyOps ECHO Report and subscribe to Cynet’s “Stories from the SOC” newsletter.
About Cynet
Cynet’s unified, AI-powered cybersecurity platform delivers a comprehensive suite of security capabilities in a single, simple solution backed by 24x7 SOC security experts. As a global cybersecurity company, Cynet is purpose-built to enhance protection for small-to-medium enterprises and empower partners to maximize margins while delivering world-class security. For more information, visit www.cynet.com.
About Cynet CyOps
CyOps is the 24x7 human engine behind Cynet’s unified, AI-powered cybersecurity platform. Acting as an always-on extension of your team, our in-house threat analysts and security experts monitor, investigate, and respond to threats in real-time.
Media Contact
Cynet Communications
press@cynet.com
