**Attackers are Speeding Up Their Operations, Mandiant Finds**

Cybersecurity firm Mandiant has released its M-Trends 2026 report, which provides insights into the latest trends and threats in the cybersecurity landscape. According to the report, attackers are becoming increasingly efficient in their operations, with a median time of just 22 seconds between initial compromise and hand-off. This represents a significant decrease from the previous year's median time of over eight hours.

Mandiant's M-Trends 2026 report draws on more than 500,000 hours of incident response work conducted in 2025. The data reveals that attackers are speeding up their internal hand-offs, shifting away from email phishing, and targeting backup and virtualization infrastructure with greater precision. Voice phishing has become a major concern, appearing as the second-most common initial infection vector in 2025.

**Exploits Remain the Leading Entry Point for Attackers**

For the sixth consecutive year, exploits remained the leading entry point for attackers. According to Mandiant's report, 32% of all incidents involved exploits, followed by voice phishing at 11%. Email phishing, once the dominant social engineering vector, has seen a significant decline in recent years.

**The Access Hand-Off is Getting Faster**

Mandiant's report highlights the growing trend of attackers using a division-of-labor model to gain initial access and then transfer it to another group for follow-on operations. This pattern appeared in 9% of Mandiant investigations in 2025, up from just 4% in 2022.

**Global Dwell Time Rises to 14 Days**

The median dwell time for attacks has increased to 14 days, driven largely by long-term espionage intrusions and North Korean IT worker operations. These groups have a median dwell time of 122 days, or roughly four months. Organizations that detected intrusions internally did so in about nine days, while cases that came to light through external notification took substantially longer, with a median of 25 days.

**Ransomware-Related Intrusions on the Rise**

Ransomware-related intrusions accounted for 13% of Mandiant investigations in 2025. Operators have moved beyond dual-threat encryption-and-theft operations to systematically denying organizations the ability to recover, targeting identity services, virtualization management planes, and backup infrastructure.

**Most Commonly Exploited Vulnerabilities**

The most frequently exploited vulnerabilities in 2025 were all zero-days targeting internet-facing enterprise application servers. CVE-2025-31324, an improper authorization flaw in SAP NetWeaver's Visual Composer component, was the most commonly exploited vulnerability.

**Edge and Core Network Devices a Growing Target**

Edge and core network devices have become primary targets for sustained campaigns. These devices often run proprietary operating systems incompatible with enterprise endpoint detection and response tools, creating visibility gaps that sophisticated actors exploit to perform reconnaissance, lateral movement, privilege escalation, and data collection from the device itself.

**Threat Clusters Incorporating AI Tools**

Mandiant investigated a supply chain compromise involving the QUIETVAULT credential stealer, which checks for AI command-line tools on compromised machines. Malware families including PROMPTFLUX and PROMPTSTEAL actively query large language models during execution to support evasion. State-sponsored and financially motivated actors are using LLMs to shift from mass email campaigns toward personalized, rapport-building social engineering.

**Scale: Threat Clusters and Malware Families Keep Growing**

The high-tech sector led all industries in share of Mandiant investigations in 2025, surpassing financial services for the first time. GTIG tracked 714 new malware families in 2025, bringing the total to over 6,000. More than 660 new threat clusters were tracked, pushing the overall total past 5,000.

**Conclusion**

The M-Trends 2026 report from Mandiant provides valuable insights into the latest trends and threats in the cybersecurity landscape. Attackers are becoming increasingly efficient in their operations, with a median time of just 22 seconds between initial compromise and hand-off. The report highlights the growing importance of edge and core network devices as targets for sustained campaigns. As the threat landscape continues to evolve, it is essential for organizations to stay vigilant and adapt their security strategies accordingly.
