Kaspersky 2026 SMB Threat Report: Fake AI Tools Used in 33,000+ Attacks
- AI Lures: Between January and April 2026, Kaspersky detected more than 33,000 attacks targeting SMBs disguised as popular AI tools.
- Messenger Threats: Some 415,000 attacks used fake communication apps, including messengers and video conferencing software, as lures in the same period.
- Dark Web Focus: Small and medium-sized businesses together account for more than half of all dark web posts offering initial access to corporate infrastructure.
Kaspersky has released its 2026 threat analysis for small and medium-sized businesses (SMBs) on Securelist, published ahead of International SMB Day on June 27. The report documents a sharp rise in attacks weaponizing trust in artificial intelligence platforms, with over 33,000 AI lure attacks in the first four months of 2026.
Fake AI Tools Drive a Surge in SMB Attacks
Between January and April 2026, Kaspersky detected 33,352 attacks on SMB users in which malware or potentially unwanted applications (PUAs) masqueraded as five popular AI services tracked by the researchers – ChatGPT, DeepSeek, Grok, Claude, and Gemini.
The figure is nearly five times that of 2025 and 39% higher than attacks disguised as office and collaboration tools.
The report also mentions more than 1,100 unique samples of Trojans, Trojan-like malware, and PUAs detected in the SMB sector impersonating these AIs, representing a 21% increase compared to the same period in 2025. Researchers also noted Claude and OpenClaw (formerly ClawdBot/MoltBot) ranked among the most exploited AI lures.
Communication apps remained the most widespread bait: 414,736 attacks used fake messengers and video conferencing software, and more than 24,000 detected attacks were disguised as specific office applications (Outlook, PowerPoint, Excel, Word, Figma, Google Drive).
Email threats combined distribution with abuse of legitimate services. Kaspersky observed fake OneDrive notifications, fabricated Facebook violations, a Zoom Docs phishing scheme, and fake Apple compliance notices designed to harvest credentials.
Dark Web Access and Trusted Relationship Attacks
SMBs together account for more than half of all dark web posts offering initial access to corporate infrastructure, the report said. Such posts increased most for the Middle East (up 53%), Africa (up 40%), and Latin America (up 17%), while Europe dropped by 34%.
According to the Kaspersky Security Services Global Report, trusted relationship attacks as an initial vector rose from 12.7% in 2024 to 15.5% in 2025.
Kaspersky experts note that it’s important to:
- Download apps from official sources.
- Verify which apps are available for which platforms.
A Malwarebytes report released today also highlights the current risk posed by scam emails that appear to urge payment for a domain renewal, citing an allegedly impending expiration.
In other recent news, Anthropic accused Alibaba of the largest Claude AI distillation attack. In 2025, cybercriminals exploited DeepSeek’s popularity to spread malware via mirror websites and Google Ads malvertising.









