Ransomware operators are fundamentally altering their attack methods in response to declining payment rates and reduced profitability. According to recent threat intelligence, attackers are moving away from established tools like Cobalt Strike in favor of native Windows utilities, a significant tactical shift in the ransomware landscape.
The changes come as payment rates have hit record lows, forcing threat actors to adapt their strategies to maintain operational effectiveness. Simultaneously, data theft operations have surged as criminals explore alternative monetization methods beyond traditional encryption-based extortion.
In a parallel development, the supply chain threat landscape continues to evolve with new campaigns targeting software repositories. The GlassWorm malware campaign has returned with coordinated attacks against hundreds of packages and repositories across GitHub, npm, and VS Code/OpenVSX extensions, demonstrating the persistent risk to software development environments.
The threat environment also includes sophisticated social engineering attacks against cybersecurity firms themselves. Recent targeting of Outpost24 involved a seven-stage phishing campaign that leveraged trusted brands and domains to attempt credential theft from C-suite executives, highlighting how even security-focused organizations remain vulnerable to advanced persistent threats.