Dive Brief:
- Cybercriminals are becoming much faster at handing off initial access in targeted environments, with the window shrinking to just 22 seconds in 2025, according to a report Monday by Google Threat Intelligence Group and its incident response unit, Mandiant. That compares to about eight hours in 2022.
- Exploits remained the leading initial access vector, accounting for 32% of all initial access methods observed, according to the report. However, voice-based phishing has surged as an initial access vector, rising to the second-leading means of entry, at 11%. Voice-based phishing was the top method for all cloud intrusions, at 23%.
- Meanwhile, the global median dwell time rose to 14 days, driven largely by cyber espionage campaigns as well as North Korean IT worker scams, which saw median dwell times of 122 days.
Dive Insight:
The GTIG and Mandiant report is based on analysis of more than 500,000 hours of incident response work Mandiant provided in 2025.
The report found that threat groups are becoming much more deliberate and integrated in how they work with each other. Analysis showed significant coordination and planning around the window between initial access and the point at which a secondary actor takes advantage of that access.
During ransomware and extortion incidents, threat groups are increasingly specializing in specific tasks during the attack life cycle, according to Mandiant researchers.
“Often these threat actors establish partnerships with other threat groups where the initial access partner acts as a distribution cluster,” Scott Runnels, consulting leader at Mandiant–Google Cloud, told Cybersecurity Dive. “In these relationships, the secondary threat group’s malware is automatically deployed on a compromised system when the first threat group gains initial access — this is the handoff.”
The report also shows how ransomware groups make it tougher for security teams to recover from attacks. Groups like Akira and Qilin deliberately target backup infrastructure, identity services and virtualization management to frustrate security teams trying to restore critical data.
Such tactics make it more difficult for organizations to avoid paying extortion demands.