AhnLab selected five threats to watch next year: ▲ the all-out spread of artificial intelligence (AI)-based attacks ▲ intensifying ransomware attacks and damage ▲ the sophistication of supply chain attacks ▲ the expanding threat to national critical infrastructure ▲ and rising Linux threats.
AhnLab said on the 27th that it had released its 2026 outlook on the top five cyberthreats, an analysis of the major cyberthreats expected next year that includes these points.
According to AhnLab, AI-based attacks are cited as the most powerful threat in 2026. Beyond using generative AI to craft natural-sounding phishing messages or social engineering attacks, there is a high possibility that "adaptive attacks," which automatically generate and execute customized malware after analyzing a user's environment in real time, will spread. The use of AI to mass-produce fake sites disguised as chatbots or shopping malls, or to run deepfake scams that mimic the voices and videos of real people, is also expected to become more sophisticated. At the same time, attacks targeting AI models themselves, such as prompt injection and data poisoning, are projected to become more active.
Ransomware is expected to remain at peak levels next year. As large and small ransomware groups proliferate worldwide, both indiscriminate attacks and sophisticated targeted attacks are increasing, and as governments hold back on paying ransoms and profitability declines, small and midsize companies with weaker security capabilities are emerging as new targets. Some groups are also showing signs of cooperating with APT groups suspected of having state backing to carry out attacks with political and geopolitical aims.
With the majority of software development dependent on open source, supply chain attacks are expected to evolve further. Because a single open-source package with inserted malicious code can simultaneously infect thousands of programs, attackers may infiltrate in various ways, such as hijacking legitimate developers' accounts or publishing counterfeit packages with similar names ("typosquatting"). Cases are also emerging in which the scope of attack expands beyond software to cloud and hardware supply chains, increasing the need for cross-border cooperation on supply chain security.
Attacks on national critical infrastructure are also expected to keep rising. Sectors such as healthcare and manufacturing, where digital transformation is advancing rapidly, have already seen a sharp increase in attack frequency, and next year the targets are likely to expand to social infrastructure such as railways, ports, aviation, and telecommunications. Analysts say the attack surface is widening as OT (operational technology) systems connect with IoT, IT, and the cloud in a "cyber-physical system (CPS)" structure.
As Linux-based environments become the standard for cloud and container infrastructure, attacks targeting them are also increasing noticeably. Because large amounts of data are tied to Linux servers, the scale of damage is large when they are compromised, and attack types are diverse, including botnets, coin miners, and ransomware. There is also a forecast that a strategy of attacking the hypervisor directly to paralyze hundreds of virtual machines could become a reality in the future.
AhnLab advised corporations to strengthen ▲ PC, OS, and software security checks and patches ▲ monitoring of account authentication histories ▲ adoption of multi-factor authentication (MFA) ▲ understanding of the latest attack techniques based on threat intelligence ▲ regular supply chain checks ▲ and security training for executives and employees. For individuals, it emphasized the need to refrain from opening unverified URLs and attachments, apply the latest security patches, download content through official channels, and use two-factor authentication.
Yang Ha-young, head of AhnLab Security Intelligence Center (ASEC), said, "In 2026, while attack patterns similar to this year will continue, attackers will exploit security gaps arising from changes in the IT environment and evolve to become more sophisticated," adding, "It is time for both organizations and individuals to preemptively check for unforeseen security blind spots and strengthen their response capabilities."