Lumen Technologies has unveiled its 2026 Lumen Defender Threatscape Report, and its findings reveal a major transformation in cyberattack techniques. Increasingly, attackers are no longer relying solely on endpoint-based strategies. Instead, they are actively leveraging malware-backed proxy networks to conceal their operations and blend malicious traffic into normal internet activity.
To begin with, the report highlights a clear shift toward attacks staged deeper within internet infrastructure. According to Black Lotus Labs, cybercriminals are now compromising small office and home office routers, IoT devices, and virtual systems. As a result, they can disguise harmful activity within legitimate network flows, making detection far more difficult.
Moreover, this trend is especially critical in the Asia Pacific region. Due to rapid digital transformation, widespread device connectivity, and increasing adoption of artificial intelligence, organizations now face a significantly expanded attack surface. In addition, many enterprises operate across distributed ecosystems, including branch offices, industrial networks, and partner systems. Consequently, attackers find more entry points, particularly at the network edge.
Another key finding shows that threat actors are using generative AI to accelerate their operations. Specifically, they rebuild and rotate malicious infrastructure faster than ever before. Therefore, the window between system exposure and exploitation continues to shrink, putting organizations under greater pressure to respond quickly.
At the same time, attackers are focusing heavily on internet-facing devices such as routers, VPN gateways, and firewalls. These systems often provide privileged access and operate outside traditional endpoint security controls. Furthermore, they offer limited forensic visibility, making them attractive targets for sophisticated campaigns.
Lumen also underscores the rise of so-called residential proxy networks. In this approach, cybercriminals and even state-sponsored actors exploit home and small business devices as relay points. As a result, malicious traffic appears to originate from legitimate residential users, allowing attackers to bypass geographic and trust-based security filters.
In parallel, attribution in cyberattacks is becoming increasingly complex. The report notes that espionage groups are now hijacking criminal infrastructure to mask their activities. Consequently, they blend state-backed operations with broader cybercriminal noise, making it harder for defenders to identify the true source.
Additionally, separate research conducted by IDC—sponsored by Lumen—identifies the top AI-driven threats in APAC. These include AI-powered phishing and impersonation, prompt-based attacks on large language models, and ransomware capable of real-time negotiation.
Wai Kit Cheah, APAC CISO & Connected Ecosystem Leader at Lumen, said the regional landscape reflects a broader shift in attacker behavior.
“Asia Pacific organisations are navigating a threat landscape that is growing in both scale and sophistication, with attackers operating well upstream of traditional defences,” Cheah said. “The 2026 Defender Threatscape Report reinforces that effective defence now begins before the attacker reaches the enterprise. Network-layer visibility upstream gives security teams the ability to detect and disrupt adversaries earlier and at scale.”
Furthermore, the report introduces the concept of a “heist crew” model, where cybercriminal groups operate with high coordination. Instead of relying on a single malware strain, these groups combine proxy networks, automation, and service-based models to scale their attacks efficiently.
Backed by extensive monitoring, Black Lotus Labs analyzes over 200 billion NetFlow sessions daily and tracks tens of thousands of command-and-control servers. Based on this intelligence, Lumen participated in multiple disruption efforts in 2025, successfully neutralizing thousands of malicious IPs.
The report also references notable threats such as Raptor Train, a large-scale IoT botnet; Kimwolf, a rapidly expanding DDoS botnet; and Rhadamanthys, a malware-as-a-service platform with thousands of victims.
Chris Kissel, IDC Vice-President, Security & Trust, emphasized the importance of early detection.
“Threat intelligence is needed to find the adversary as early as possible and as close to the point of origination as possible,” Kissel said. “Lumen’s massive infrastructure and the quality of Black Lotus Labs provide optimal visibility of the IP backbone, greatly reducing the odds of successful cyber-attack campaigns.”





