Annual threat reports highlight faster intrusions and expanding cloud-focused attacker activity
CrowdStrike’s 2025 global threat reporting says financially motivated intrusions are accelerating, with average breakout time (lateral movement after initial access) dropping to 29 minutes and the fastest observed breakout time at 27 seconds; the report also describes attackers increasingly using social engineering, living-off-the-land techniques, and abuse of trusted systems to move across cloud, identity, enterprise, and unmanaged device boundaries, alongside a reported 37% year-over-year increase in cloud-focused attacks and a growing set of tracked adversaries (281 named groups plus additional activity clusters). Check Point Research’s 2025 retrospective similarly emphasizes that many 2025 operations relied on familiar techniques combined in new ways, highlighting themes such as early ToolShell exploitation assessed as Chinese-nexus activity against North American government targets and identity-centric intrusions (including AiTM credential theft) against US think-tank researchers.
Several other items in the set are not about these annual threat-report findings and instead cover separate topics: Romania’s cyber chief warning that ransomware incidents against critical infrastructure may align with Russian hybrid objectives; sector-level reporting that manufacturing remains heavily targeted by ransomware due to IT/OT interconnectivity and downtime pressure; and US law-enforcement/FBI reporting on a surge in ATM jackpotting losses and related indictments. Additional entries are primarily generic commentary, newsletters, or professional/educational content (e.g., quantum-preparedness opinion, Enigma/RSAC history piece, a weekly video briefing, a malware-newsletter link roundup, a recon how-to article, and a governance/career feature page) and do not substantively corroborate the specific annual threat-report story.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
6 events from the most recent confirmed update back to the earliest known activity.
Mandiant publishes M-Trends 2026 report on attacker hand-off speed
On 2026-03-24, Mandiant published its M-Trends 2026 report, finding that the median time from initial compromise to attacker hand-off fell to 22 seconds in 2025. The report also said exploits remained the top initial infection vector, voice phishing rose sharply, and ransomware actors increasingly targeted backup, identity, and virtualization infrastructure.
Cisco Talos publishes 2025 Year in Review findings
On 2026-03-23, Cisco Talos published its 2025 Year in Review, reporting that adversary activity in 2025 increased in pace and scale. The report highlighted rapid exploitation of newly disclosed and long-known vulnerabilities, abuse of identity and trust systems, and targeting of centralized infrastructure and widely used software components for broader impact.
CrowdStrike publishes 2026 global threat report findings
On February 24, 2026, CrowdStrike publicly released findings from its annual global threat report, highlighting faster intrusions, increased cloud targeting, and growing activity linked to North Korea and China. Adam Meyers warned that attacker speed was the most concerning trend and predicted AI would accelerate zero-day discovery and exploitation in the coming months.
CrowdStrike reports more malware-free and zero-day-driven intrusions in 2025
The report said 82% of detected attacks in 2025 were malware-free, reflecting greater use of hands-on-keyboard techniques and legitimate tools. CrowdStrike also observed increased exploitation of zero-days in edge technologies and a 42% year-over-year rise in zero-days used before public disclosure.
Cloud intrusions and nation-state activity rise during 2025
CrowdStrike reported that cloud-focused intrusions increased 37% year over year in 2025, with activity attributed to nation-state groups surging 266%. The company said attackers often relied on valid or abused credentials to access trusted systems.
CrowdStrike observes faster attacker breakout times in 2025
According to CrowdStrike's annual global threat report, financially motivated attackers in 2025 reduced their average breakout time to 29 minutes, with the fastest observed breakout time falling to 27 seconds. The finding indicates attackers were moving through victim networks significantly faster than before.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
Attackers are handing off access in 22 seconds, Mandiant finds - Help Net Security
helpnetsecurity.com
Open source2025 Talos Year in Review: Speed, scale, and staying power
blog.talosintelligence.com
Open sourceCrowdStrike says attackers are moving through networks in under 30 minutes | CyberScoop
cyberscoop.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
2025 Threat Landscape Reports Highlight Identity-Based Intrusions and High-Impact Ransomware Losses
Multiple 2025 retrospective threat reports describe **identity compromise** as the dominant initial access vector, with attackers repeatedly exploiting predictable control gaps such as weak identity security, third-party access paths, and exposed/perimeter systems. Barracuda’s Managed XDR telemetry analysis (spanning trillions of events and hundreds of thousands of alerts) reported that **Microsoft 365 anomalous login** and **“impossible travel”** detections were among the most common signals, consistent with credential theft and account takeover activity; it also noted post-compromise behavior including suspicious privilege manipulation (e.g., adding users to high-risk Windows groups). Dataminr’s 2026 Cyber Threat Landscape Report similarly characterized 2025 as a structural shift toward **accelerated identity-based intrusions**, citing that a significant share of intrusions leveraged **valid credentials**, alongside growth in **infostealer malware** and AI-enabled social engineering, and increased exploitation of third-party weaknesses. The same reporting also emphasizes that while overall ransomware activity may have stabilized in volume, **loss severity increased**, with “mega-loss” incidents exceeding **$100M** and in some cases **$1B**, driven by multi-vector campaigns combining credential theft, data exfiltration, and disruption. Other items in the set are broader commentary rather than incident- or disclosure-driven intelligence: an opinion piece argues that the rapid expansion of AI-driven data center infrastructure raises systemic risk from ransomware, supply-chain compromise, and OT disruption, while a predictions article discusses 2026 security investment themes without tying to a specific campaign. A separate news roundup recaps multiple 2025 events (including third-party/SaaS integration compromises and other vulnerabilities) rather than providing new, single-story reporting, making it only loosely aligned with the identity-and-ransomware trend narrative.
Mar 21, 2026
Mixed threat reporting: APT campaigns, malware delivery via compromised web assets, and ransomware exploitation
The provided items do not describe a single cohesive cybersecurity event; they span multiple unrelated threat reports and opinion pieces. Notable incident-level reporting includes **APT28** activity in Western/Central Europe (“Operation MacroMaze”) using spear-phishing lures with Office macros that beacon via `INCLUDEPICTURE` to `webhook[.]site` and then execute VBScript/CMD/batch stages for persistence and follow-on payload delivery. Separately, **MuddyWater** (Iran/MOIS-linked) was reported running “Operation Olalampo” against organizations in the Middle East and Africa, delivering new custom malware (including a **Char** backdoor using a **Telegram bot** for C2) and, in some cases, attempting exploitation of public-facing servers in addition to phishing. Criminal activity and initial-access tradecraft were also covered across distinct stories: a DFIR case study described exploitation of **Apache ActiveMQ** `CVE-2023-46604` to gain RCE, conduct post-exploitation (Metasploit/Meterpreter, privilege escalation, LSASS access, lateral movement), and ultimately deploy **LockBit**-branded ransomware via RDP using previously stolen credentials (with indications the payload was built using the leaked builder and used *Session* for communications). Multiple reports described malware delivery via compromised web assets and social engineering, including **GrayCharlie** injecting malicious JavaScript into WordPress sites to push **NetSupport RAT**, **Stealc**, and **SectopRAT** via fake updates/ClickFix-style CAPTCHAs, and a separate **ClickFix** campaign delivering a custom C++ RAT (**MIMICRAT**) through fake Cloudflare verification prompts that trick users into running PowerShell. Additional, unrelated threat reporting included a **NuGet** supply-chain attack (typosquatted `NCryptYo` plus companion packages) targeting ASP.NET Identity data and enabling backdoored authorization rules, and malicious Chrome extensions using a “**Promise Bomb**” browser-crash technique to drive users to run fake “CrashFix” PowerShell steps. Several other items were generic commentary/roundups (data breach trends, quantum preparedness, Enigma history, NATO public opinion polling, recon how-to, and a malware-newsletter link list) and do not add event-specific intelligence.
Mar 21, 2026
Mixed Cybersecurity Roundup: AI-Enabled Crypto Fraud, DDoS Campaigns, and 2026 Risk Predictions
Reporting in this set is not a single coherent incident; it is a **mixed roundup** dominated by (1) **AI-enabled cryptocurrency fraud** and (2) **DDoS activity and botnet trends**, alongside several forward-looking or non-incident items. Chainalysis-linked coverage describes industrialized crypto crime, including an estimate of **$17B in 2025 crypto-scam losses** and a sharp rise in **AI-driven impersonation/deepfake tactics**, with links to organized crime networks and forced-labor scam compounds in **Cambodia and Myanmar**; separate reporting notes a **$26.44M theft from the Ethereum-based Truebit protocol**, with Truebit urging users to avoid a **compromised smart contract** while investigations continue. In parallel, threat reporting highlights large-scale DDoS: Cloudflare’s mitigation of a **29.7 Tbps** burst attributed to the **AISURU** botnet-for-hire (plus a **14.1 Bpps** event and an estimated **1–4M** infected hosts), and a concentrated **NoName057(16)/DDoSia** campaign against the **UK** (1,812 attack entries targeting 86 domains/87 IPs, heavily hitting government and some critical infrastructure, with port **443** most targeted). Spamhaus also reports a **24% increase** in botnet C2 activity in 2H 2025, with **RATs** comprising a large share of top botnet-associated malware. Several items are **not incident-driven** and should be treated as lower-signal for operational response: SC Media and Security Boulevard pieces largely provide **2026 predictions/opinion** on *agentic AI*, **non-human identities (NHIs)**, and deepfakes as governance/identity risks; Dark Reading and CIO discuss **regulatory/compliance** and **IT leadership** challenges; TechTarget lists **2026 conferences**; and two Substack posts are general **news roundup/essay** content (one recounting lessons from Ukraine’s cyber conflict, including the Kyivstar destructive attack narrative). For CISOs, the actionable takeaways across the incident-focused items are: expect continued growth in **AI-assisted social engineering and deepfake fraud** impacting financial loss and brand trust; maintain smart-contract incident playbooks for rapid user guidance; and harden DDoS readiness (capacity planning, upstream mitigation, and monitoring) given both **record-scale botnet bursts** and **geopolitically motivated DDoS** targeting government and critical infrastructure.
Mar 21, 2026