ThreatDown — 2026 State of Malware: AI Drives Machine-Scale Cyberattacks
AI Relevance: Malwarebytes documents the first confirmed cases of AI-orchestrated cyberattacks and predicts MCP-based autonomous ransomware pipelines will define cybercrime in 2026.
- ThreatDown (Malwarebytes) released its 2026 State of Malware report on February 3, finding that cyberattacks are shifting from human-driven intrusions to AI-orchestrated operations at machine scale.
- 2025 delivered the first confirmed cases of AI-orchestrated attacks, alongside deepfake-enabled social engineering and AI agents that outperformed elite humans in vulnerability discovery.
- AI agents now compress patch-to-exploit timelines to minutes, enabling small crews or solo operators to run reconnaissance, lateral movement, and extortion at scale previously reserved for large intrusion teams.
- An autonomous vulnerability-reporting agent (XBOX) topped HackerOne's bug-bounty leaderboard—the first AI model to do so.
- A 2025 MIT study demonstrated an AI model using the Model Context Protocol (MCP) achieving domain dominance on a corporate network in under an hour with zero human intervention, evading EDR through real-time tactic adaptation.
- Malwarebytes predicts that MCP-based attack frameworks will become a defining capability of cybercriminals targeting businesses in 2026.
- Remote encryption accounted for 86% of ransomware activity in 2025—attackers encrypt data across networks without running malware locally, often launching from unmanaged or shadow IT systems.
- Ransomware attacks rose 8% year-over-year in 2025, the worst year on record, impacting organizations in 135 countries.
- Attackers optimise for speed, stealth, and timing: striking at night or on holidays, using legitimate IT tools, and disabling security/backups before encryption begins.
Why it matters
- The report marks the pivot point where AI-assisted cybercrime moves from theoretical to documented reality. The combination of AI agents, MCP tool chaining, and autonomous exploit generation creates an attacker capability multiplier that outpaces most defensive postures.
- Remote encryption from unmanaged endpoints represents a blind spot that traditional EDR cannot cover—no local malicious process to quarantine.
- The collapse of patch-to-exploit timelines means 30-day patching cycles are now dangerously slow.
What to do
- Close unmanaged endpoints: Inventory and secure all devices on your network, including shadow IT and IoT.
- Harden identity systems: MFA everywhere, credential hygiene, and monitoring for living-off-the-land tool abuse.
- Protect recovery paths: Ensure backups are immutable and isolated from production networks.
- Adopt continuous monitoring: 24/7 SOC or MDR coverage—attacks that move in minutes require minute-level response.
- Accelerate patching: Prioritise internet-facing assets and AI infrastructure components.