SecurityBrief UK - Technology news for CISOs & cybersecurity decision-makers
United Kingdom

Guides

#
cloud security
#
cybersecurity
#
endpoint protection
#
firewalls
#
ransomware

Search

Shadowy figure at computer surrounded by digital code and padlocks cybercrime threats
#
Malware
#
Ransomware
#
DevOps

Cybercriminals to weaponise AI & exploit open-source risks in 2026

Sat, 22nd Nov 2025
Author image
By Sean Mitchell, Publisher

The cyber security threat landscape is expected to shift in 2026 as attackers begin to leverage artificial intelligence, exploit weaknesses in open-source software management, and deploy contrasting operational tactics. These trends arise from developments seen in 2025, including the evolution of nation-state methods and the growing impact of financially motivated cyber groups.

AI weaponisation

Certain artificial intelligence tools, initially developed for penetration testing, are anticipated to become prevalent on cybercriminal forums in the coming year. Cracked versions of these AI-powered security tools are forecast to enable attackers to discover and exploit vulnerabilities with unprecedented speed.

The past year witnessed AI-driven pen-testing tools gaining traction, as organisations sought ways to secure complex systems. These tools have been shown to outperform human experts in identifying weaknesses, as demonstrated by the Xbow tool, which outpaced competitors on major bug bounty platforms and discovered new vulnerabilities. At the same time, evidence from online forums indicates that cybercriminals are already recruiting developers to build illicit AI tools. The precedent set by Cobalt Strike-widely abused after appearing online in cracked form-suggests a similar path for these emerging AI products.

Once these advanced tools are widely available, attacks could unfold quickly, allowing threat actors to move from initial access to ransomware deployment in minutes. The accessibility of such technology has the potential to increase the sophistication and numbers of attackers agencies face.

Open-source risks

The security of open-source software became a notable concern in 2025, when highly depended-upon packages and maintainers were targeted by cybercriminals. Of nearly 12 million open-source projects, more than half are managed by a single volunteer, presenting a critical risk. Should attackers compromise these individuals, organisations could inadvertently include malicious code in their own applications through trusted software updates.

High-profile incidents in 2025 saw maintainers with large user bases fall victim to phishing schemes that enabled criminals to publish malicious code to widely used repositories. Automated software update pipelines can then pull in compromised packages, allowing attackers to steal sensitive credentials, insert malware, or disrupt business operations across many organisations simultaneously.

This trend is expected to escalate, with financially motivated groups targeting repository maintainers directly. Rather than selling stolen credentials, these groups may use their access to distribute malware at scale, monetising compromised accounts for data theft and extortion. One incident could potentially impact hundreds of applications and millions of users.

Noise and stealth

Operational strategies among ransomware and financially driven adversaries are predicted to diverge further in the coming year. Emerging groups are likely to favour public, high-profile tactics in order to build reputations and attract affiliates quickly. In contrast, established groups are expected to operate quietly, prioritising longevity and minimising the risk of law enforcement intervention.

In 2025, groups such as DragonForce exemplified an aggressive, visible approach, expanding rapidly by publicising their activities and recruiting widely. Their campaign volume grew in a single quarter from 26 to 57 victims. Such tactics also carry risks, as demonstrated by groups that faced rapid law enforcement actions following headline-generating breaches and extortion campaigns. Meanwhile, longer-established actors including Qilin and Akira maintained a lower profile, avoiding online disputes and public engagement while consistently ranking among the top ransomware perpetrators.

"We anticipate this divergence will intensify in 2026. Emerging groups will view weaponised noise as essential for rapid credibility-building in crowded markets, accepting law enforcement risks for immediate recruitment gains. However, this creates dangerous blind spots for defenders. Security teams will struggle with prioritisation as headline-grabbing groups overshadow methodical actors. Resources will misalign toward reactive postures rather than addressing consistent TTPs that span both noisy and quiet operations. We expect that in 2026, the attention economy of ransomware will force defenders to resist chasing headlines and instead focus on foundational TTPs that counter threats across the operational spectrum," said the ReliaQuest Threat Research team.
Related stories
Check Point unveils AI-ready continuous exposure management
GlobalLogic, Elektrobit deepen software-defined car push
AI agents race ahead of governance, security & trust
Fears UK under-16 social media ban will hurt creators
NCC Group, Delinea partner on managed PAM for AI era

Top stories

UK bill accelerates shift to offensive cyber security
Cyderes names Lana Knop Chief Product Officer for AI push
CrowdStrike gains ISO AI governance boost for Falcon
MOTHER AI unveils UK-built sovereign language model
Integrated Quantum unveils quantum-resilient AI data layer