Threat Intelligence | Mar 23, 2026

M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds

Google's M-Trends 2026 report reveals initial access handoff time dropped to 22 seconds in 2025.

Summary

Google published the M-Trends 2026 report based on over 500,000 hours of Mandiant incident response investigations in 2025, revealing that the median time between initial access and handoff to secondary threat groups has collapsed from 8 hours in 2022 to just 22 seconds in 2025. The report identifies exploits (32%), phishing (11%), and prior compromise (10%) as the most common initial infection vectors, with CVE-2025-31324 (SAP NetWeaver), CVE-2025-61882 (Oracle EBS), and CVE-2025-53770 (SharePoint) being the most frequently exploited vulnerabilities. Dwell time increased slightly to 14 days median in 2025, and new malware families surged to 714, with GoldVein and Akira ransomware leading observed families.

Full text

Google on Monday published the M-Trends 2026 report, which is based on information collected by its Threat Intelligence Group and insights from more than 500,000 hours of incident investigations conducted by Mandiant in 2025.

One of the most notable findings of the industry benchmark report is that the time between initial access to an organization's systems and the handoff to a secondary threat group has decreased from hours to seconds over the past few years. In 2022, the median time between initial access and the handoff exceeded 8 hours, but it has steadily decreased since 2023, reaching only 22 seconds in 2025. Mandiant researchers believe this indicates a "closer collaboration between initial access partners and secondary groups". They also noted that in many cases the short time window can be the result of an automated process in which initial access brokers deliver malware directly on behalf of the secondary groups rather than advertising the obtained access on cybercrime forums.

The most common initial infection vector, accounting for 32% of cases, was exploits, followed by phishing (11%), prior compromise (10%), and stolen credentials (9%). Email phishing only accounted for 6% of the total, with this vector seeing a significant decline in recent years, down from 22% in 2022.

The three vulnerabilities most often exploited for access were the SAP NetWeaver vulnerability CVE-2025-31324, the Oracle EBS flaw CVE-2025-61882, and the SharePoint flaw CVE-2025-53770 (ToolShell).

Breaches were detected internally in 52% of cases, and victims learned about the intrusion from an external entity in 34% of cases. As for dwell time, the number of days an attacker is present in the victim's environment before being detected, the median was 14 days in 2025, a slight increase from 10 days in 2023 and 11 days in 2024. Over the past decade, however, the number has dropped significantly, from 146 days in 2015.
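The dwell-time and handoff figures above are straightforward to compute once an incident timeline has been reconstructed, and an IR team can track the same metrics for its own caseload. The Python below is an added example, not code from the M-Trends report or from Google or Mandiant; the incident records are constructed, and the conventions used (dwell time counted in whole days from first evidence of compromise to detection; handoff measured in seconds from first evidence to the first activity attributed to a second group) are assumptions chosen to mirror the definitions in the text.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from statistics import median
from typing import Optional


@dataclass
class Incident:
    """One reconstructed intrusion timeline (all timestamps UTC)."""
    name: str
    first_evidence: datetime        # earliest attacker activity on a victim system
    handoff: Optional[datetime]     # first activity of a secondary group, or None
    detected: datetime              # when the victim (or a third party) identified the intrusion
    detection_source: str           # "internal" or "external"

    def __post_init__(self) -> None:
        # A timeline that runs backwards is a reconstruction error, not a metric.
        if self.detected < self.first_evidence:
            raise ValueError(f"{self.name}: detection precedes first evidence")
        if self.handoff is not None and self.handoff < self.first_evidence:
            raise ValueError(f"{self.name}: handoff precedes first evidence")
        if self.detection_source not in ("internal", "external"):
            raise ValueError(f"{self.name}: unknown detection source")


def _utc(s: str) -> datetime:
    return datetime.fromisoformat(s).replace(tzinfo=timezone.utc)


# Constructed sample timelines (assumption: not real cases and not M-Trends data).
INCIDENTS = [
    Incident("inc-1", _utc("2025-03-01T10:00:00"), _utc("2025-03-01T10:00:22"),
             _utc("2025-03-15T12:00:00"), "internal"),
    Incident("inc-2", _utc("2025-04-10T08:00:00"), None,
             _utc("2025-04-13T08:30:00"), "external"),
    Incident("inc-3", _utc("2025-05-01T00:00:00"), _utc("2025-05-01T00:00:05"),
             _utc("2025-06-15T00:00:00"), "internal"),
    Incident("inc-4", _utc("2025-07-01T12:00:00"), _utc("2025-07-01T12:00:40"),
             _utc("2025-07-15T12:00:00"), "external"),
    Incident("inc-5", _utc("2025-01-01T00:00:00"), _utc("2025-01-01T01:00:00"),
             _utc("2025-05-01T00:00:00"), "internal"),
]


def dwell_days(inc: Incident) -> int:
    """Whole days from first evidence of compromise to detection."""
    return (inc.detected - inc.first_evidence).days


def handoff_seconds(inc: Incident) -> Optional[float]:
    """Seconds from first evidence to the secondary group's first activity."""
    if inc.handoff is None:
        return None
    return (inc.handoff - inc.first_evidence).total_seconds()


def summarize(incidents: list) -> dict:
    """Medians and detection split in the shape the report presents them."""
    dwell = [dwell_days(i) for i in incidents]
    handoffs = [h for h in (handoff_seconds(i) for i in incidents) if h is not None]
    internal = sum(1 for i in incidents if i.detection_source == "internal")
    return {
        "median_dwell_days": median(dwell),
        "median_handoff_seconds": median(handoffs) if handoffs else None,
        "internal_detection_pct": round(100 * internal / len(incidents)),
        # The 1-6 month bucket the report calls out for long-undetected intrusions.
        "undetected_1_to_6_months": [i.name for i in incidents if 30 <= dwell_days(i) <= 180],
    }


if __name__ == "__main__":
    for key, value in summarize(INCIDENTS).items():
        print(f"{key}: {value}")
```

The handoff metric is only meaningful when the second group's first action can be attributed, which is why incidents without one are excluded from the median rather than counted as zero; a median over that subset is what a "22 seconds" style figure describes.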
Mandiant has seen an increase in incidents that remained undetected for 1-6 months, which appears to be the result of North Korean IT workers and cyberespionage actors, who go to great lengths to evade detection.

Roughly 30% of the attacks observed in 2025 were motivated by financial gain, and 40% of all incidents involved data theft. The most targeted sector in 2025 was high-tech, followed by financial, business services, and healthcare.

As for malware, Google's Threat Intelligence Group identified 714 new families last year, up from 632 in 2024. Of the new malware spotted in 2025, 146 families targeted Linux and 55 targeted macOS. The malware family most frequently observed in 2025 was GoldVein, the downloader used by the Cl0p cybercrime group in the Oracle EBS campaign, followed by the Akira ransomware.

Mandiant has also investigated cloud-related compromises and found that voice phishing was the most common initial vector, largely driven by ShinyHunters and Scattered Spider activity. Voice phishing accounted for 23% of cloud intrusions, followed by third-party compromise (17%), stolen credentials (16%), email phishing (15%), and insider threats (14%). Exploits only accounted for 6% of cloud attacks.

The full M-Trends report also covers regional trends.

Written by Eduard Kovacs (@EduardKovacs), senior managing editor at SecurityWeek.

Indicators of Compromise

  • cve — CVE-2025-31324
  • cve — CVE-2025-61882
  • cve — CVE-2025-53770
  • malware — GoldVein
  • malware — Akira