M-Trends 2026: Data, Insights, and Strategies From the Frontlines

M-Trends 2026 reports a bifurcation in adversary behavior: cybercriminals optimized for rapid, high-impact operations and recovery denial, while espionage groups and insiders prioritized extreme persistence by targeting unmonitored edge devices and native network functions. The report highlights rising median dwell time, the collapse of hand-off windows to seconds, and the surge in voice phishing and SaaS token theft, and it recommends that defenders prioritize identity controls, extended log retention, and behavior-based detection. #BRICKSTORM #UNC3944

Key Points

  • Global median dwell time increased to 14 days in 2025, with espionage and North Korean IT worker incidents showing a median dwell time of 122 days.
  • Exploits remained the top initial infection vector (32%), while highly interactive voice phishing rose to 11%, becoming a major access method.
  • Initial-access partners now pre-stage secondary actors’ malware, collapsing the hand-off window from hours in 2022 to about 22 seconds in 2025.
  • Ransomware operators shifted from encryption to recovery denial by targeting backups, identity services, and virtualization management planes (e.g., hypervisors and datastores).
  • Espionage groups targeted edge and network devices (VPNs, routers) with zero-day exploitation and in-memory backdoors like BRICKSTORM, enabling long persistence and packet capture.
  • Adversaries abused AI and LLMs in attacks (e.g., PROMPTFLUX, PROMPTSTEAL, QUIETVAULT) while defenders are urged to adopt continuous identity verification, behavioral detection, and extended log retention.

MITRE Techniques

  • [T1190] Exploit Public-Facing Application – Used as a primary initial infection vector: (‘Exploits remained the most common initial infection vector for the sixth consecutive year, accounting for 32% of intrusions.’)
  • [T1566] Phishing – Voice-based social engineering (vishing) increased and targeted help desks to bypass MFA: (‘highly interactive voice phishing saw a significant surge to 11%’ and ‘target IT help desks to bypass multifactor authentication (MFA)’)
  • [T1539] Steal Web Session Cookie – Attackers harvested long-lived OAuth tokens and session cookies to pivot into SaaS environments: (‘harvesting long-lived OAuth tokens and session cookies’)
  • [T1098] Account Manipulation – Misconfigured AD Certificate Services templates were abused to create persistent admin accounts that bypass password rotation: (‘exploiting misconfigured Active Directory Certificate Services templates to create admin accounts that bypass password rotation’)
  • [T1490] Inhibit System Recovery – Ransomware groups targeted and deleted backup objects and recovery mechanisms to deny restoration: (‘actively deleting backup objects from cloud storage’)
  • [T1040] Network Sniffing – Adversaries leveraged native packet-capturing on edge devices to intercept credentials and sensitive data in transit: (‘By leveraging native packet-capturing functionality on these devices, adversaries can directly intercept sensitive data and plaintext credentials as they transit the network’)
  • [T1199] Trusted Relationship – Compromise of third-party SaaS vendors was used to steal keys and tokens and pivot into downstream customer environments: (‘By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, using those secrets to seamlessly pivot into downstream customer environments’)
  • [T1078] Valid Accounts – Use of stolen or hard-coded credentials and tokens allowed adversaries to access downstream systems and SaaS integrations: (‘steal hard-coded keys and personal access tokens’)
  • [T1055] Process Injection / In-memory Execution – Custom in-memory backdoors were deployed to network appliances to establish persistence that survives reboots: (‘custom, in-memory malware like the BRICKSTORM backdoor’)
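The recovery-denial behavior summarized above (T1490, ‘actively deleting backup objects from cloud storage’) is a good fit for the behavior-based detection the report recommends: routine lifecycle rotation deletes a backup object now and then, whereas recovery denial deletes many in a burst. The following is an added example, not code from the report or from Google/Mandiant; the JSON-lines audit format, the field names (`ts`, `principal`, `action`, `resource`), the action names, the backup path prefixes and the sample events are all constructed assumptions, to be mapped onto your own storage provider's audit log.

```python
"""Added example: flag burst deletion of backup objects in a storage audit log.

Detection idea: per principal, count deletions of backup/snapshot objects in a
sliding time window; a routine rotation job never reaches the threshold, a
recovery-denial burst does.
"""
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample audit log (JSON lines). Schema, action names and paths are
# assumptions for this example, not any real provider's format.
SAMPLE_LOG = """
{"ts": "2025-06-01T02:00:01Z", "principal": "svc-backup", "action": "storage.objects.delete", "resource": "backups/db/2025-05-01.bak"}
{"ts": "2025-06-02T02:00:03Z", "principal": "svc-backup", "action": "storage.objects.delete", "resource": "backups/db/2025-05-02.bak"}
{"ts": "2025-06-03T02:00:02Z", "principal": "svc-backup", "action": "storage.objects.delete", "resource": "backups/db/2025-05-03.bak"}
{"ts": "2025-06-03T14:10:00Z", "principal": "admin-temp", "action": "storage.objects.get", "resource": "backups/db/manifest.json"}
{"ts": "2025-06-03T14:11:00Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "backups/db/2025-06-01.bak"}
{"ts": "2025-06-03T14:11:05Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "backups/db/2025-06-02.bak"}
{"ts": "2025-06-03T14:11:09Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "backups/db/2025-06-03.bak"}
{"ts": "2025-06-03T14:11:14Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "snapshots/vm-db-01/2025-06-03"}
{"ts": "2025-06-03T14:11:20Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "snapshots/vm-db-02/2025-06-03"}
{"ts": "2025-06-03T14:12:00Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "backups/db/monthly-2025-05.bak"}
{"ts": "2025-06-03T14:13:00Z", "principal": "admin-temp", "action": "storage.objects.delete", "resource": "logs/app/2025-06-03.log"}
"""

# Assumed naming convention: anything under these prefixes is recovery material.
BACKUP_PREFIXES = ("backups/", "snapshots/")
DELETE_ACTIONS = {"storage.objects.delete", "storage.buckets.delete"}


def parse_log(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, sorted by time."""
    events = []
    for line in text.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        # fromisoformat() in older Pythons does not accept a trailing 'Z'.
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    events.sort(key=lambda r: r["ts"])
    return events


def is_backup_delete(rec):
    """True when the event removes an object that a restore would depend on."""
    return rec["action"] in DELETE_ACTIONS and rec["resource"].startswith(BACKUP_PREFIXES)


def detect_bulk_backup_deletion(events, threshold=5, window=timedelta(minutes=10)):
    """Return {principal: {first, last, count}} for principals whose backup
    deletions inside a sliding `window` reach `threshold`.

    The count reported is the window size at the last event that kept the
    alert active, so it grows as the burst continues.
    """
    recent = defaultdict(deque)  # principal -> timestamps of recent backup deletes
    alerts = {}
    for rec in events:
        if not is_backup_delete(rec):
            continue
        q = recent[rec["principal"]]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:  # drop deletes outside the window
            q.popleft()
        if len(q) >= threshold:
            alerts[rec["principal"]] = {"first": q[0], "last": rec["ts"], "count": len(q)}
    return alerts


def demo():
    """Run the detector over the constructed sample log."""
    return detect_bulk_backup_deletion(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for principal, info in demo().items():
        print(f"ALERT {principal}: {info['count']} backup deletions "
              f"between {info['first'].isoformat()} and {info['last'].isoformat()}")
```

On the sample data the rotation account `svc-backup` deletes one object per day and never trips the detector, while `admin-temp` deletes six backup and snapshot objects in about a minute and is flagged; the unrelated log-file deletion is ignored. Tune `threshold` and `window` to your own rotation cadence, and pair the rule with the report's other recommendation by keeping the audit log itself retained well beyond the 14-day median dwell time so the first deletion is still on disk when the alert fires.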

Indicators of Compromise

  • [Malware] notable malicious tools observed – BRICKSTORM, QUIETVAULT, and other families such as PROMPTFLUX and PROMPTSTEAL
  • [Ransomware Families] groups and aliases tied to destructive operations – REDBIKE (Akira), AGENDA (Qilin)
  • [Threat Actor Clusters] tracked intrusions and persistent actors – UNC3944, UNC6201, UNC5807
  • [Credentials / Secrets] artifacts used to pivot and maintain access – long-lived OAuth tokens, session cookies, and hard-coded keys (used to access downstream SaaS environments)
  • [Affected Products / Systems] targeted infrastructure and appliances – VMware vSphere hypervisors and management planes, Dell RecoverPoint for Virtual Machines

Read more: https://cloud.google.com/blog/topics/threat-intelligence/m-trends-2026/