Barracuda warns of surge in credential-focused attacks


Barracuda has reported a rise in identity-based attacks and credential-stealing malware, with suspicious login activity, supply-chain tactics and weaponised PDFs featuring in recent investigations.

In February 2026, Barracuda’s Managed XDR team recorded an increase in suspicious login attempts using stolen credentials. The activity reflects a broader shift towards account takeover rather than direct exploitation of infrastructure.

One pattern in the findings showed that about one in 16 suspicious login attempts originated from Romania. Barracuda said this was unusual for the environments examined and noted that anomalous geolocation patterns can signal compromised accounts.

Credential-based intrusion has become a common entry point for wider cybercrime operations. Stolen usernames and passwords can provide access to cloud services, email and remote access tools, and valid credentials let attackers blend in with normal user activity.

Supply-chain risk

The analysis also identified a supply-chain campaign targeting users of the code editor Notepad++. It did not involve a compromise of the application itself.

Instead, attackers compromised the update mechanism and redirected selected targets to a malicious installer carrying a custom espionage backdoor. Supply-chain techniques like this can increase the likelihood of compromise because users often trust software updates and allow them to run with minimal scrutiny.

Notepad++ is widely used by developers, IT administrators and other technical staff. That can increase the potential impact because such users often have access to systems, scripts and credentials that are valuable to attackers.

Weaponised PDFs

Barracuda’s analysts also disrupted several campaigns that distributed weaponised PDF documents designed to steer victims towards installing infostealing malware.

The campaigns often used lures posing as legitimate software downloads, including free PDF editing tools. Barracuda said the downloads were secretly loaded with malware capable of harvesting credentials, browser cookies and other sensitive data.

Infostealers have become a staple of cybercriminal ecosystems because they can capture access tokens and session data as well as passwords. Depending on how targeted services are configured, that information can help attackers bypass some forms of authentication and speed up account takeover.

Stolen data is frequently used as an initial access route into corporate networks or sold to other criminal groups. Barracuda noted that buyers can include ransomware operators, which often rely on brokers to provide ready-made access into victim environments.

ANZ focus

The activity has affected organisations globally, including across Australia and New Zealand. Barracuda pointed to a shift towards credential-focused operations that reduce the need for noisy scanning and exploitation.

Matt Caffrey, senior solutions architect for ANZ at Barracuda Networks, said organisations in the region are seeing attackers place greater emphasis on identity.

Caffrey said, “Across ANZ we’re seeing attackers focus more on usernames and credentials rather than relying solely on traditional infrastructure attacks. Using infostealers and already compromised accounts, threat actors have found a quick way into corporate environments, often without triggering obvious alarms. That’s why organisations need stronger identity protection, better monitoring of login behaviour and layered security that can detect unusual activity before it turns into a breach.”

Security teams are increasingly treating identity telemetry as a core detection source, alongside endpoint and network data. Unusual login locations, impossible travel patterns, new devices and atypical access times can indicate account misuse. Security leaders have also urged caution around software update chains, particularly for developer tools and widely deployed utilities.
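To make the identity-telemetry checks above concrete, here is an added example (not code from Barracuda or the article) that runs three of the named heuristics over a handful of constructed login events: a login from a country the user has never used before, "impossible travel" between two consecutive logins, and the share of attempts coming from each country (the kind of ratio behind the "one in 16 from Romania" observation). The event data, coordinates and the 1,000 km/h plausibility ceiling are all assumptions chosen for illustration.

```python
"""Added example: simple identity-telemetry checks over constructed login events.
Not Barracuda's code; every event, coordinate and threshold below is an assumption."""
from collections import Counter, defaultdict
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (user, UTC timestamp, ISO country code, latitude, longitude)
EVENTS = [
    ("alice", "2026-02-03T08:00:00", "AU", -33.87, 151.21),  # Sydney
    ("alice", "2026-02-03T08:45:00", "RO", 44.43, 26.10),    # Bucharest, 45 minutes later
    ("bob",   "2026-02-03T09:00:00", "NZ", -36.85, 174.76),  # Auckland
    ("bob",   "2026-02-04T09:05:00", "NZ", -36.85, 174.76),  # Auckland, next day
    ("carol", "2026-02-03T10:00:00", "AU", -37.81, 144.96),  # Melbourne
    ("carol", "2026-02-03T22:00:00", "AU", -33.87, 151.21),  # Sydney, 12 hours later: plausible
]

MAX_PLAUSIBLE_KMH = 1000.0  # assumed ceiling: airliner speed plus a margin


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two coordinates."""
    r = 6371.0
    dlat = radians(lat2 - lat1)
    dlon = radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * r * asin(sqrt(a))


def new_country_alerts(events, known=None):
    """Return (user, country) pairs where the country was not previously seen for that user.

    `known` optionally maps a user to an iterable of country codes already in their baseline,
    so a genuinely new country is distinguished from a user's very first recorded login."""
    seen = defaultdict(set)
    for user, countries in (known or {}).items():
        seen[user].update(countries)
    alerts = []
    for user, ts, country, _lat, _lon in sorted(events, key=lambda e: (e[0], e[1])):
        if seen[user] and country not in seen[user]:
            alerts.append((user, country))
        seen[user].add(country)
    return alerts


def impossible_travel_alerts(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Flag consecutive logins by one user whose implied ground speed exceeds max_kmh.

    Returns tuples of (user, from_country, to_country, km, kmh)."""
    by_user = defaultdict(list)
    for event in events:
        by_user[event[0]].append(event)
    alerts = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e[1])  # ISO-8601 timestamps sort correctly as strings
        for prev, cur in zip(evs, evs[1:]):
            hours = (datetime.fromisoformat(cur[1]) - datetime.fromisoformat(prev[1])).total_seconds() / 3600
            km = haversine_km(prev[3], prev[4], cur[3], cur[4])
            # Two distant logins at the same instant are treated as infinitely fast.
            speed = km / hours if hours > 0 else (float("inf") if km > 0 else 0.0)
            if speed > max_kmh:
                alerts.append((user, prev[2], cur[2], round(km), round(speed)))
    return alerts


def country_share(events):
    """Fraction of login events attributed to each country, for spotting outlier geographies."""
    counts = Counter(event[2] for event in events)
    total = sum(counts.values())
    return {country: n / total for country, n in counts.items()}


if __name__ == "__main__":
    print("new-country:", new_country_alerts(EVENTS))
    print("impossible-travel:", impossible_travel_alerts(EVENTS))
    print("country-share:", country_share(EVENTS))
```

On the constructed data the only hits are alice's Sydney-to-Bucharest pair (flagged both as a new country and as impossible travel), while carol's Melbourne-to-Sydney trip over twelve hours is left alone. In practice the baseline for `new_country_alerts` would be seeded from weeks of historical logins rather than from the batch being scanned, and the speed ceiling and country-share thresholds would be tuned per environment.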

The techniques described reflect a broader trend of attackers combining social engineering, malware and trusted distribution paths. Weaponised documents and tampered installers can reduce the need for advanced exploitation by relying on user behaviour and existing trust relationships.

Barracuda expects attackers to continue using stolen credentials, infostealers and compromised accounts as preferred routes into organisations. Monitoring for suspicious logins and tightening control over update mechanisms will remain key focus areas for defenders.
