Google has unveiled its M-Trends 2026 report, highlighting significant shifts in cybersecurity threats. Compiled from Google’s Threat Intelligence Group and over half a million hours of incident investigations by Mandiant in 2025, the report provides a comprehensive view of the evolving cyber landscape.
Accelerated Threat Transition
A key revelation from the report is the dramatic reduction in time from initial system access to handoff to secondary threat actors. This time has plummeted from hours to a mere 22 seconds over the past years. In 2022, this transition period averaged over 8 hours, but continuous declines have been observed since 2023.
Mandiant researchers attribute this swift transition to enhanced collaboration between initial access entities and secondary threat groups. Often, the rapidity is due to automated mechanisms where initial access brokers deploy malware directly for the secondary groups, bypassing traditional cybercrime forums.
Infection Vectors and Vulnerabilities
The report identifies exploits as the predominant initial infection vector, constituting 32% of cases. Following this are phishing at 11%, prior compromises at 10%, and stolen credentials at 9%. Notably, email phishing has decreased significantly, now accounting for just 6% of cases, compared to 22% in 2022.
Key vulnerabilities exploited include the SAP NetWeaver (CVE-2025-31324), Oracle EBS (CVE-2025-61882), and SharePoint (CVE-2025-53770) flaws. Internal detection of breaches occurred in 52% of cases, while 34% were identified externally.
Dwell Time and Attack Motivations
The median dwell time, indicating how long attackers remain undetected in a system, was 14 days in 2025, slightly rising from previous years. Despite this, it’s a notable decrease from 146 days reported in 2015. An increasing number of incidents, particularly involving North Korean actors, have remained undetected for 1-6 months.
In 2025, financial gain motivated roughly 30% of attacks, with data theft involved in 40% of incidents. The high-tech sector was the most targeted, followed by financial services, business services, and healthcare.
Google’s Threat Intelligence Group documented 714 new malware families in 2025, up from 632 in 2024. Among these, 146 targeted Linux systems, and 55 targeted macOS. The most prevalent malware family was GoldVein, utilized by the Cl0p group during the Oracle EBS campaign.
Cloud Security Trends
In cloud environments, voice phishing emerged as the primary initial attack vector, largely due to activities by ShinyHunters and Scattered Spider. It accounted for 23% of intrusions, followed by third-party compromises (17%), stolen credentials (16%), email phishing (15%), and insider threats (14%). Exploits were responsible for only 6% of cloud attacks.
The M-Trends 2026 report provides crucial insights into regional trends and the evolving tactics of cybercriminals, emphasizing the need for robust cybersecurity measures and timely responses.
