Cyberattacks by state-backed hackers from North Korea, China and others are forecast to intensify next year. Various threat groups seeking revenue are expected to actively use artificial intelligence (AI) to continue ransomware attacks and data theft targeting corporations and institutions.
Google Cloud Threat Intelligence Group (GTIG) made this forecast in the 2026 Cybersecurity Forecast Report published on the 5th. The report said, "Attacks that use AI will become the new norm in 2026," and "In particular, they will accelerate attacks such as social engineering that exploits human psychology to attempt information leakage or account takeover, information operations, and malware (malicious code) development, shifting cyber threat trends."
Starting next year, the report expects a rise in customized attacks that impersonate executives, employees and partners by actively using multimodal generative AI, including voice, text and video deepfakes, going beyond simple text-based phishing (personal information fraud). The report predicted that these AI-based attacks will increase the success rate of voice phishing (telephone financial fraud) attacks and enable large-scale business email compromise (BEC) attacks.
It also predicted that ransomware and data exfiltration will remain the types of cybercrime that cause the greatest economic damage next year. The report said, "These attacks appear likely to be carried out under the leadership of major attack groups that exploit third-party vendors and zero-day vulnerabilities to conduct large-scale, cascading attacks."
It also expected that the risks of AI tools not approved by organizations (so-called shadow agents) will grow to a critical level. If employees deploy autonomous AI agents or AI tools without organizational approval, invisible and uncontrollable pipelines can be created, leading to leaks of sensitive data and compliance risks. As attacks targeting virtualization-based infrastructure (hypervisors) increase, internal and infrastructure security threats will also intensify, the report said.
As for state-backed threat actors, it projected that North Korea will expand attacks targeting cryptocurrency organizations to generate revenue, and will use advanced social engineering techniques such as luring targets through fake hiring assessments or deceiving high-value personnel using deepfake videos.
China-backed threat groups are expected to continue large-scale cyber operations next year. The report said, "Chinese threat actors will aggressively target edge devices, exploit zero-day vulnerabilities, and aim at third-party vendors."
In addition, amid geopolitical tensions, Iran is expected to intensify operations based on wipers (malware primarily intended to destroy data and systems), and Russia is expected to continue sophisticated espionage activities.
In the Asia-Pacific region, political espionage targeting diplomatic events and summits will increase, and vehicle-mounted fake base station (FBS) scams led by China-linked groups are expected to continue.
Korea and Japan are expected to expand regulatory responses, such as strengthening supply chain security obligations and introducing evaluation and rating systems, as part of responses to major security incidents. The report said, "Korea is overhauling its cyber defense posture in core sectors such as telecommunications after large-scale breaches, and these measures will lead to strengthened government oversight across the broad technological supply chain and mandatory investment to build robust security systems."