Acceleration of initial access handoff to secondary threat groups observed in 2025 incidents
Summary
Analysis of 2025 incident data shows a dramatic reduction in the median time between initial system compromise and handoff to secondary threat groups, shrinking from hours to just 22 seconds. This shift reflects increased operational integration between initial access brokers and follow-on intrusion groups, with automation likely facilitating direct delivery of payloads. The trend underscores a maturing cybercrime ecosystem where access commodification and specialization accelerate attack timelines. Median dwell time for intrusions increased to 14 days in 2025, despite long-term declines over the past decade; the increase was driven in part by advanced evasion techniques attributed to North Korean cyberespionage actors and IT workers.
Timeline
- 23.03.2026 17:00 · 1 article
Initial access handoff time to secondary threat groups drops to 22 seconds in 2025 incidents
Analysis of 2025 incident response data shows the median time between initial access and handoff to secondary threat groups has decreased from hours to 22 seconds, reflecting automation and closer operational ties between initial access brokers and follow-on intrusion groups. The report attributes this acceleration to direct payload delivery workflows replacing traditional cybercrime forum-based access sales.
Sources:
- M-Trends 2026: Initial Access Handoff Shrinks From Hours to 22 Seconds — www.securityweek.com — 23.03.2026 17:00
Information Snippets
- Median time between initial access and handoff to secondary groups decreased from over 8 hours in 2022 to 22 seconds in 2025.
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- 32% of initial infections originated from exploits in 2025, followed by phishing (11%), prior compromise (10%), and stolen credentials (9%).
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- Top exploited vulnerabilities in 2025 were CVE-2025-31324 (SAP NetWeaver), CVE-2025-61882 (Oracle EBS), and CVE-2025-53770 (SharePoint ToolShell).
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- 52% of breaches were detected internally, while 34% were first disclosed by external entities; median dwell time increased to 14 days in 2025.
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- 30% of attacks in 2025 were financially motivated, and 40% involved data theft; high-tech was the most targeted sector.
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- 714 new malware families were identified in 2025 (up from 632 in 2024), including 146 targeting Linux and 55 targeting macOS; GoldVein downloader (Cl0p group) and Akira ransomware were most frequently observed.
  First reported: 23.03.2026 17:00 · 1 source, 1 article
- In cloud environments, voice phishing accounted for 23% of intrusions, driven by ShinyHunters and Scattered Spider activity; third-party compromise (17%) and stolen credentials (16%) followed.
  First reported: 23.03.2026 17:00 · 1 source, 1 article