Security researchers observe a broadening of exploit kit activity in early 2026, with fresh payloads targeting Microsoft Office, Windows, and Linux, amidst rising vulnerabilities and AI-driven threat detection challenges.
Security researchers say exploit kits aimed at ordinary user systems broadened again in the first quarter of 2026, with fresh payloads appearing for Microsoft Office, Windows and Linux. Kaspersky’s Securelist team said the expansion came alongside a continuing rise in the number of registered vulnerabilities, a trend it expects may be accelerated by AI tools that help uncover flaws more quickly.
The report argues that the most heavily abused bugs remain familiar ones: older Office and archive-handling weaknesses continue to dominate detection statistics, even as newer flaws are added to attacker toolsets. Among the recent Windows targets were three logic bugs in Microsoft Office and the Internet Explorer MSHTML engine that researchers said were chained together in a single attack sequence, although they expect that combination to prove unstable in the longer term.
That picture is broadly consistent with Microsoft’s own warning in February that hackers were actively exploiting critical zero-days in Windows and Office in one-click attacks designed to deliver malware or gain access with minimal user interaction. Separate reporting on the same campaign described APT28, a Russia-linked group, using weaponised documents and multilingual lures against victims in Central and Eastern Europe, with exploitation continuing even after Microsoft issued emergency fixes in late January.
On Linux, the most commonly detected exploits in the quarter targeted older but still effective privilege-escalation bugs, including Dirty Pipe and several kernel and Netfilter flaws. Kaspersky said detections fell from the previous quarter, but remained higher than in the same period a year earlier, underscoring how patching delays can leave systems exposed long after vulnerabilities become public.
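The patching-delay point above is easiest to see in a fleet check. The following script is an added example, not code from the article or from Kaspersky: it classifies `uname -r` strings against the publicly documented upstream fix versions for Dirty Pipe (fixed in mainline 5.17 and backported to the 5.16, 5.15 and 5.10 stable branches; affected from 5.8 onward). The host names and kernel strings in the sample inventory are constructed. The caveat a practitioner needs is built in: distribution kernels backport fixes without bumping the upstream patch level, so a version-only comparison can mark a host as "possibly vulnerable" and point to the vendor advisory, but it cannot prove exposure on its own.

```python
"""Version-based triage of Linux hosts for the Dirty Pipe kernel bug (constructed example)."""
import re
from typing import Dict, Optional, Tuple

Version = Tuple[int, int, int]

# Dirty Pipe affects mainline kernels from 5.8 onward; the fix shipped in 5.17 and was
# backported to these stable point releases (publicly documented upstream fix versions).
FIRST_AFFECTED: Version = (5, 8, 0)
FIXED_IN_MAINLINE: Version = (5, 17, 0)
FIXED_IN_STABLE: Dict[Tuple[int, int], Version] = {
    (5, 16): (5, 16, 11),
    (5, 15): (5, 15, 25),
    (5, 10): (5, 10, 102),
}


def parse_kernel_version(release: str) -> Optional[Version]:
    """Extract (major, minor, patch) from a `uname -r` string such as '5.15.0-91-generic'.

    Returns None when the string does not start with a dotted version.
    """
    m = re.match(r"^(\d+)\.(\d+)(?:\.(\d+))?", release.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def dirty_pipe_status(release: str) -> str:
    """Classify a kernel release string against the upstream fix versions.

    Returns one of: 'unparseable', 'not_affected', 'patched', 'possibly_vulnerable'.
    'possibly_vulnerable' is deliberately not 'vulnerable': distribution kernels
    (e.g. '5.15.0-91-generic') backport fixes without bumping the upstream patch
    level, so a version-only check can only flag hosts for advisory verification.
    """
    version = parse_kernel_version(release)
    if version is None:
        return "unparseable"
    if version < FIRST_AFFECTED:
        return "not_affected"
    if version >= FIXED_IN_MAINLINE:
        return "patched"
    branch_fix = FIXED_IN_STABLE.get(version[:2])
    if branch_fix is not None and version >= branch_fix:
        return "patched"
    # Either below the branch fix, or on a branch (5.8, 5.9, 5.11 ...) with no
    # listed fix; in both cases the host needs a vendor advisory check.
    return "possibly_vulnerable"


def triage_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map host name -> status for an inventory of host name -> `uname -r` output."""
    return {host: dirty_pipe_status(release) for host, release in inventory.items()}


# Constructed sample inventory (hypothetical host names and kernel strings).
SAMPLE_INVENTORY = {
    "build-01": "5.4.0-150-generic",   # pre-5.8 branch: never affected
    "web-02": "5.15.0-91-generic",     # distro kernel: must check the vendor advisory
    "db-03": "5.10.102",               # stable point release carrying the fix
    "ci-04": "5.16.10",                # one release short of the 5.16 fix
    "edge-05": "6.1.0-18-amd64",       # post-5.17 mainline: fixed
    "legacy-06": "unknown",            # inventory gap: needs manual follow-up
}

if __name__ == "__main__":
    for host, status in sorted(triage_inventory(SAMPLE_INVENTORY).items()):
        print(f"{host:10s} {status}")
```

Run it against an export of `uname -r` per host; every "possibly_vulnerable" or "unparseable" entry is a ticket for advisory verification or inventory repair, which is the vulnerability-management loop the report says is still missing on many hosts.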
The report also points to a partial refresh of attacker tradecraft in APT activity. High-profile flaws from 2025 remained in circulation, but campaigns in early 2026 also made use of newly disclosed weaknesses in Microsoft Office, edge-network appliances and remote-access tools. At the same time, the most frequently seen command-and-control frameworks shifted, with Metasploit moving back to the top spot while Sliver, Havoc, Covenant and Mythic remained prominent.
Among the quarter’s most notable newly published issues, Kaspersky highlighted privilege-escalation bugs in Desktop Window Manager and Remote Desktop Services, an Office flaw that could be triggered through LNK files, and several problems affecting AI-related software such as OpenClaw, LangChain and OpenCode. The common thread, the report says, is that attackers are increasingly using authentication bypasses and other logic flaws to gain initial access before defenders can respond. Its conclusion is familiar but blunt: faster patching, tighter vulnerability management and continuous monitoring remain the best defence against exploit-led intrusions.
Source: Fuse Wire Services