Espionage surges to 42% of all attacks in Q1 2026
From January to March 2025, espionage accounted for 38% of recorded targeted attacks. According to Threat Zone 2026, this figure stood at 37% for the full year 2025. The number keeps growing in 2026: during the first quarter alone, the share of espionage‑driven attacks rose to 42%.
These threat actors are typically characterized by long‑term, stealthy presence in compromised environments. BI.ZONE Compromise Assessment attributes more than 60% of all detected covert intrusion cases to cyber spy activity. Notably, such adversaries often experiment with tools and develop their own malware to improve the chances of successful compromise.
For example, between March and April 2026, BI.ZONE Threat Intelligence observed increased activity from Paper Werewolf. The cyber spies showcased newly developed tools in their campaigns.
One of the phishing campaigns targeted industrial and financial organizations. When victims opened an email attachment, they inadvertently launched the EchoGather remote access trojan. The RAT enabled attackers to collect system information from compromised hosts, transfer files to and from the C2 server, and execute commands. The entire process was disguised as a legitimate Adobe Acrobat Reader installation.
In the summer of 2025, Paper Werewolf also exploited WinRAR vulnerabilities in its campaigns. Adversaries distributed phishing emails with RAR attachments that supposedly contained important documents but actually delivered malware. The threat actor exploited two vulnerabilities in WinRAR, enabling the covert installation of malware on victims’ devices upon archive extraction. At that time, the group targeted organizations in Russia and Uzbekistan.
Building an effective cybersecurity strategy requires an understanding of the methods and tools used by adversaries. Platforms such as BI.ZONE Threat Intelligence provide up‑to‑date details on current threats, attackers, tactics, techniques, tools, and exploited vulnerabilities.