Shapefin

Lumu’s 2026 Compromise Report Identifies Evolving Cyberattack Trends and North America as Key Target


Lumu, a cybersecurity firm specializing in Continuous Compromise Assessment, has released its 2026 Compromise Report, detailing four critical cybersecurity trends across anonymizers, droppers and downloaders, infostealers, and ransomware, while identifying North America as a primary target for sophisticated attacks.

The report indicates a significant strategic shift in cyberattack methods, moving from high-profile malware to stealthier techniques. Ricardo Villadiego, founder and CEO of Lumu, stated, “This year, we’ve seen a strategic shift in attack methods from high-profile malware to stealthier techniques. We no longer look for the enemy at the gate; we have to assume they are already inside. Attackers have mastered camouflaging their activity within legitimate tools and network noise, trading brute force for behavioral evasion, and favoring anonymizers, DNS tunneling, and AI-generated domains.” He added that the report serves as a guide for security leaders to understand these new, invisible threats, emphasizing persistent monitoring, seamless tool integration, and actionable threat intelligence.

Attackers are increasingly abandoning ‘loud’ breaches in favor of ‘low-and-slow’ evasion tactics, often employing Living-off-the-Land techniques by hiding within existing legitimate tools such as VPNs, traffic distribution systems, or encrypted DNS channels. Data from the MITRE ATT&CK framework supports this observation, showing that evasion is now prioritized. Command and Control (C2) has notably replaced Execution among the top three Tactics, Techniques, and Procedures (TTPs), indicating adversaries’ focus on maintaining a silent, persistent connection to networks rather than immediate destructive code execution.
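As an added illustration, not code from Lumu's report or its product, the heuristic below is the kind of check a defender would run over DNS query logs to surface the covert DNS channels and machine-generated names the report describes: it groups queries by source and registered domain and flags groups whose subdomain labels are long, high-entropy and frequent. The log lines, thresholds and the naive two-label domain split are constructed assumptions.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (source IP, queried name); not data from the report.
SAMPLE_DNS_LOG = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.9", "a3f9c1e7b2d4.c9e1ff00a7b3.tunnel-host.example"),
    ("10.0.0.9", "7d0e4b9a1c22.ab19e7c0d4f5.tunnel-host.example"),
    ("10.0.0.9", "ee91b44c3a7d.0f3e8c2a9b16.tunnel-host.example"),
    ("10.0.0.9", "4c8d2f7a0b51.d7a2e9f03c48.tunnel-host.example"),
    ("10.0.0.7", "cdn.example.org"),
]

def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads in labels push this toward the alphabet maximum."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def split_name(name: str):
    """Naive split into (subdomain labels concatenated, registered domain = last two labels)."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) < 3:
        return "", name.lower()
    return "".join(labels[:-2]), ".".join(labels[-2:])

def find_tunneling_candidates(log, min_queries=3, min_entropy=3.0, min_sublen=20):
    """Flag (source, domain) pairs that look like data smuggled through subdomain labels:
    at least min_queries lookups whose prefixes are, on average, long and high-entropy."""
    groups = defaultdict(list)
    for src, name in log:
        sub, domain = split_name(name)
        groups[(src, domain)].append(sub)
    flagged = []
    for (src, domain), subs in sorted(groups.items()):
        if len(subs) < min_queries:
            continue
        avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        avg_len = sum(len(s) for s in subs) / len(subs)
        if avg_entropy >= min_entropy and avg_len >= min_sublen:
            flagged.append((src, domain, len(subs)))
    return flagged
```

Tune the thresholds against a baseline of your own resolver traffic, since CDNs and some legitimate services also use long random-looking labels.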

Anonymization remained the most detected Indicator of Compromise (IoC) type throughout the year, with services like Tor and private VPNs being primary examples. The report also highlights Keitaro, a legitimate Traffic Distribution System used by marketers, as the most frequently detected dropper, weaponized by attackers to filter and route malware.

Regarding infostealers, Lumu sensors detected new and resilient Lumma infections in late July 2025, despite previous takedowns of the malware-as-a-service (MaaS) variant, Lumma Stealer. While Lumma remains dominant, the report notes a shift to include emerging financial credential stealers such as MagentoCore, Remo, and Ramnit.

The 2025 ransomware landscape was characterized by fragmented groups that emerged from larger, established gangs, with DeathRansom identified as the largest among these new entities.

North America is pinpointed as the global epicenter for high-value targets, attributed to its mature digital infrastructure. This makes it a prime location for sophisticated Ransomware-as-a-Service (RaaS) operations that prioritize significant payouts over attack volume. The top sectors impacted in North America include Telecommunications, Education, State and Local Government, Finance Services, and Professional Services.
