“Kaspersky solutions detected 33,352 attacks on SMB users in which malware or potentially unwanted applications for PCs were disguised as five popular AI services” — a startling tally for the first four months of 2026 that underlines how quickly criminal tactics follow legitimate technology trends.
AI lures accelerating: Claude, OpenClaw and a rising Trojware problem
Kaspersky’s telemetry shows attackers are increasingly weaponizing the AI hype. From January to April 2026, researchers recorded 33,352 detections of malware or potentially unwanted applications (PUAs) masquerading as five popular AI tools — almost five times the number seen in the same period of 2025 and 39% higher than attacks disguised as office and collaboration tools tracked by the study. The report names Claude as a particularly popular lure and notes hundreds of blocked attacks that impersonated OpenClaw (previously Clawdbot/MoltBot).
Within those detections, Kaspersky identified more than 1,100 unique malware and PUA samples, a 21% increase year-on-year. The bulk of these are Trojware (Trojans and Trojan-like malware), which Kaspersky characterizes as files that hide malicious capabilities: downloading and running additional malware, stealing or corrupting data, or otherwise compromising systems.
Messaging and video-conferencing fakes: nearly 415,000 attacks
While AI-themed lures rose sharply, the most widespread individual category remained fake communication apps and conferencing software. Kaspersky blocked 414,736 attacks from January to April 2026 in which malware or PUAs for PCs posed as the communication apps covered in the research. That figure changed only marginally from the previous year, indicating persistent pressure on SMBs from this familiar vector.
Office and collaboration software continue to be abused as well: more than 24,000 attacks were detected in which malware or PUAs mimicked specific office applications. Kaspersky’s analysis notes that in 2026 AI-related baits outpaced the traditional office-and-collaboration lures, reflecting how publicity and hype make certain tools attractive covers for fraudsters.
Phishing, scams and email chains that exploit legitimate platforms
Kaspersky researchers document a range of scam and phishing techniques aimed at entrepreneurs and SMB corporate accounts. Fraudsters impersonated banks offering business accounts or loans, hosting scam pages that solicit sensitive personal and business data (name, email, phone, social security number, date of birth, address). The report also shows scammers promoting fake AI services “built for contractors” that promise invoice and scheduling features but deliver nothing after payment.
Business social accounts and messaging pages are targeted too: phishers sent fake alerts claiming that a platform’s review system had flagged violations and that owners had to fill out an appeal form, including their account passwords. The messages even supplied counterfeit appeal codes to lower vigilance.
Email remains central to these campaigns. Kaspersky highlights two patterns: phishers abusing legitimate third‑party platforms to bypass filters (for example, a OneDrive-styled notification that led to a phishing site) and two-stage schemes that use a legitimate Zoom Docs page to conceal a hidden phishing URL. Kaspersky also reports that in 2025 more than 144 million malicious and potentially unwanted email attachments were encountered — a 15% increase over the prior year — and that deceptively mundane subject lines (e.g., “the best quote for the items attached”) are used to deliver Trojans.
Initial access brokers and shifting dark‑web markets
Kaspersky’s Digital Footprint Intelligence team examined hundreds of dark‑web forum posts offering initial access to corporate infrastructures (via RDP, web shells, etc.), covering January–April 2025 and January–April 2026. Posts often list region, industry, revenue and access type; prices vary with revenue and privileges (admin accounts command higher prices).
- Geographic shifts included more posts for the Middle East (up 53%), Africa (up 40%) and Latin America (up 17%), while posts tied to Europe declined by 34% and APAC slipped 4%. Kaspersky notes that the Europe decline was partly explained by the closure of a forum during the study period.
- Posts with no region specified fell 56% year-on-year, a change Kaspersky suggests may reflect more targeted, unique offers by initial access brokers.
- Kaspersky defines small businesses as those with annual revenue up to US$50 million and medium businesses as those with US$50 million–US$1 billion. At the start of 2026, the share of posts claiming access to allegedly compromised small businesses was larger than the shares for medium or large firms, and together small and medium organizations accounted for more than half of the analyzed posts.
What this means for technologists, procurement leaders, and employees
- Technologists and security teams: enforce access rules, keep access lists current, implement regular backups, deploy email security (Kaspersky recommends Kaspersky Security for Mail Server) and consider specialized monitoring such as Kaspersky Digital Footprint Intelligence to track leaked credentials and lookalike sites.
- Procurement leaders and SMB owners: validate sources and installation channels for new software, follow clear procedures for implementing third‑party tools, and — if budgets are limited — partner with an MSSP or adopt tiered solutions Kaspersky highlights, such as Kaspersky Small Office Security Premium for micro-businesses or Kaspersky Next Optimum for growing organizations.
- Employees and end users: raise vigilance around unsolicited pages and emails, check WHOIS and reviews before entering sensitive data, and participate in training and simulated phishing exercises (Kaspersky cites its Automated Security Awareness Platform as one option).
SMBs are no longer marginal targets or easy afterthoughts: they are both direct victims and a pathway to larger enterprises through trusted‑relationship attacks (Kaspersky notes the share of those attacks rose from 12.7% in 2024 to 15.5% in 2025). The combination of rapidly evolving AI-themed lures, persistent communication-app scams, prolific email-borne malware, and thriving initial-access marketplaces on the dark web creates an urgent, concrete risk picture for companies with limited security budgets. Will SMBs translate this data into tightened controls, training programs and monitored digital footprints before attackers exploit the next popular tool?




