Researchers Warn of Midterm Threats Targeting Campaigns, Fundraising Platforms, and Local Governments
Check Point warned that threat actors are already preparing to disrupt the 2026 U.S. midterm environment by targeting election-adjacent infrastructure rather than voting machines. The firm reported a surge in newly registered election-themed domains and exposed credentials tied to major political and government platforms including ActBlue, WinRed, gop.com, democrats.org, and usa.gov, creating opportunities for phishing, impersonation, fake donation pages, credential theft, and broader trust-eroding disruptions. Researchers identified Russia, Iran, and China as the principal state actors to watch, alongside risks from misinformation and foreign influence operations.
The report said AI is likely to amplify these threats by helping adversaries scale convincing phishing lures, cloned audio, manipulated images, and deepfake videos during politically sensitive periods. It also highlighted local governments as a weak point because of aging technology, limited budgets, and small security teams, pointing to ransomware incidents in Winona County, Minnesota, and Foster City, California. The warning comes as officials debate the future of the federal election security posture, including a budget proposal that would eliminate CISA’s election security program and concerns about reduced preparedness ahead of the midterms.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Trump administration proposes ending CISA election security program
The references say the Trump administration's fiscal 2027 budget proposal would eliminate CISA's election security program. The proposal raised concerns among lawmakers and state officials about reduced preparedness ahead of the 2026 midterms.
Check Point observes election-themed infrastructure activity in early 2026
Check Point reported substantial creation of election-themed internet infrastructure in early 2026, including newly registered domains tied to the 2026 U.S. midterm environment. The firm also found exposed credentials associated with platforms including ActBlue, WinRed, gop.com, democrats.org, and usa.gov.
Check Point warns of threats to 2026 midterm election-adjacent systems
Check Point warned that threat actors are already laying groundwork to disrupt the 2026 U.S. midterms by targeting campaign accounts, fundraising platforms, public websites, and local governments rather than voting machines. The report identified phishing, credential theft, AI-enabled deception, misinformation, and foreign influence operations as key risks, with Russia, Iran, and China named as principal state actors to watch.
Check Point tracks 5,000 election-themed domains and 17,000 leaked credentials
Between 2026-04-13 and 2026-05-14, Check Point observed roughly 5,000 newly registered domains containing terms such as “election” and “vote,” along with about 17,000 exposed credentials tied to political and government-related services. The company said the infrastructure and credential exposure created scalable opportunities for phishing, impersonation, fraud, and misinformation ahead of the U.S. midterms.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
AI-powered threats target 2026 election communications | brief | SC Media
scworld.com
Open sourceHackers are already laying groundwork to disrupt the 2026 midterms, research says - Malware News - Malware Analysis, News and Indicators
malware.news
Open sourceHackers are already laying groundwork to disrupt the 2026 midterms, research says - Nextgov/FCW
nextgov.com
Open source5K+ election domains registered ahead of US midterms
theregister.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Election Infrastructure Faces Persistent Intrusions Beyond Voting Periods
Investigators reported that election-related networks are being targeted as a **continuous operational environment**, not just during active voting periods. Analysis of cyber activity tied to the 2024 election cycle across the United States, United Kingdom, India, Indonesia, Mexico, South Africa, and the European Parliament found adversaries maintaining **long dwell times** and sustained footholds in electoral environments before and after peak election periods. The activity indicates attackers are increasingly focused on **pre-positioning** for future election cycles rather than only seeking immediate disruption. The reported attack surface extends well beyond election commissions to include political parties, campaign infrastructure, voter registration systems, third-party technology providers, and media organizations. Initial access commonly came through phishing, credential compromise, and exploitation of internet-facing services, followed by reconnaissance across the broader electoral ecosystem. The findings argue that election systems should be treated as **critical infrastructure** requiring year-round monitoring, coordination, resilience planning, and information sharing across public and private organizations.
Jun 10, 2026
US Cyber Command Disrupted Russian Election Influence Operations as Federal Defenses Eroded
US Cyber Command secretly targeted at least two Russian companies involved in covert online influence activity ahead of the 2024 US election, according to reporting that said the operation was part of a wider federal effort with the FBI, DHS, and other agencies to expose and disrupt foreign meddling aimed at voters in key swing states. The campaign reportedly pushed anti-Ukraine and anti-politician narratives, and officials said the US action slowed the Russian operation even though propaganda content continued through Election Day. The activity fits a longer pattern of Russian interference in US politics, following earlier US government findings that Moscow targeted election systems in 2016 and subsequent Justice Department charges against Russian individuals and companies tied to interference operations. Officials and former officials warn that many of the structures built after the 2016 election to counter foreign influence have since been dismantled, reduced, or paused, including functions at ODNI, the FBI, the State Department, and CISA. The rollback comes despite continued threats from Russian, Chinese, and Iranian-linked actors using fake websites, AI-enabled propaganda, and cyber activity affecting election infrastructure, raising concerns that the United States has less visibility and fewer coordinated defenses in place for future elections.
May 25, 2026
Mixed Cybersecurity Roundup: AI-Enabled Crypto Fraud, DDoS Campaigns, and 2026 Risk Predictions
Reporting in this set is not a single coherent incident; it is a **mixed roundup** dominated by (1) **AI-enabled cryptocurrency fraud** and (2) **DDoS activity and botnet trends**, alongside several forward-looking or non-incident items. Chainalysis-linked coverage describes industrialized crypto crime, including an estimate of **$17B in 2025 crypto-scam losses** and a sharp rise in **AI-driven impersonation/deepfake tactics**, with links to organized crime networks and forced-labor scam compounds in **Cambodia and Myanmar**; separate reporting notes a **$26.44M theft from the Ethereum-based Truebit protocol**, with Truebit urging users to avoid a **compromised smart contract** while investigations continue. In parallel, threat reporting highlights large-scale DDoS: Cloudflare’s mitigation of a **29.7 Tbps** burst attributed to the **AISURU** botnet-for-hire (plus a **14.1 Bpps** event and an estimated **1–4M** infected hosts), and a concentrated **NoName057(16)/DDoSia** campaign against the **UK** (1,812 attack entries targeting 86 domains/87 IPs, heavily hitting government and some critical infrastructure, with port **443** most targeted). Spamhaus also reports a **24% increase** in botnet C2 activity in 2H 2025, with **RATs** comprising a large share of top botnet-associated malware. Several items are **not incident-driven** and should be treated as lower-signal for operational response: SC Media and Security Boulevard pieces largely provide **2026 predictions/opinion** on *agentic AI*, **non-human identities (NHIs)**, and deepfakes as governance/identity risks; Dark Reading and CIO discuss **regulatory/compliance** and **IT leadership** challenges; TechTarget lists **2026 conferences**; and two Substack posts are general **news roundup/essay** content (one recounting lessons from Ukraine’s cyber conflict, including the Kyivstar destructive attack narrative). For CISOs, the actionable takeaways across the incident-focused items are: expect continued growth in **AI-assisted social engineering and deepfake fraud** impacting financial loss and brand trust; maintain smart-contract incident playbooks for rapid user guidance; and harden DDoS readiness (capacity planning, upstream mitigation, and monitoring) given both **record-scale botnet bursts** and **geopolitically motivated DDoS** targeting government and critical infrastructure.
Mar 21, 2026