News item

Report: The striking collapse of the handoff window

The growing specialization within the cybercrime ecosystem is striking. In 2022, the median time between an initial access event and the handoff to a secondary threat group was over 8 hours. By 2025, that window shrank to a median of just 22 seconds. Additionally, the median time to exploit vulnerabilities has dropped to around -7 days.

27 March 2026 | 1 minute read

These are just two noteworthy findings in the latest M-Trends report from Mandiant. The research summarizes insights from over 500,000 hours of incident investigations conducted in 2025, along with research from the Google Threat Intelligence Group (GTIG).

Threat groups aiming for initial access are bypassing underground markets to partner with secondary groups directly. By pre-staging their preferred malware during the initial infection, the secondary group can launch high-impact attacks as soon as they first interact with the network.

Another finding is that ransomware groups are no longer just encrypting data; they are destroying the ability to recover by systematically attacking backup infrastructure, identity services, and virtualization, creating a "recovery deadlock" that forces negotiations.

Additionally, attackers are exploiting the "Tier-0" nature of hypervisors to bypass guest-level defenses, directly targeting the virtualization storage layer for data theft and encrypting entire hypervisor datastores, which can render every virtual machine on them unusable at once.

For the sixth year in a row, exploits remained the most common initial infection method (51% of intrusions). However, interactive voice phishing increased to 11%, becoming the second most common vector worldwide. Specifically for cloud compromises, voice phishing was the top initial infection method at 23%.

The report's authors show how these techniques cause cascading impacts. Threat actors are bypassing defenses by harvesting long-lasting OAuth tokens and session cookies. By compromising third-party SaaS vendors, attackers steal hard-coded keys and personal access tokens, then use those secrets to move into and attack customer environments, enabling large-scale data theft.

As illustrated by these latest findings, cybercriminals aim for speed, whereas espionage groups aim for extreme persistence. Skilled threat groups deliberately target edge and core network devices, which often lack traditional security support. The mean time to exploit vulnerabilities (MTTE) has dropped to around -7 days; the negative value means that exploitation often happens before a patch is available.

By deploying custom, in-memory malware such as the BRICKSTORM backdoor directly onto these devices, attackers can turn critical gateways into persistent, hidden points for monitoring traffic and lateral movement. With dwell times like the nearly 400 days seen with BRICKSTORM, standard 90-day log retention policies leave organizations blind to how the intrusion started and to its full scope.

Ongoing research from the Google Threat Intelligence Group (GTIG) shows that threat actors are increasingly using AI, especially in the early stages of attacks. Attackers are abusing AI within compromised environments, but the most successful intrusions still come from human and systemic failures.