Cyber intrusions are getting faster, quieter, and harder to reverse. That’s the central finding across multiple threat intelligence reports and active campaigns catalogued this week, covering everything from AI-assisted hacking tools to state-sponsored spyware targeting journalists.
Breakout Times Are Collapsing
CrowdStrike’s 2026 Global Threat Report puts the average e-crime breakout time at 29 minutes in 2025, 65% faster than the prior year. Breakout time measures how long attackers take to move from initial access to a second system inside the victim network. That window is now measured in tens of minutes, not hours.
ReliaQuest recorded similar findings: an average breakout time of 34 minutes, with the fastest intrusions reaching lateral movement in just 4 minutes and completing data exfiltration within 6 minutes. That represents an 85% acceleration compared to last year.
One intrusion by the threat group Luna Moth, targeting a law firm, moved from initial access to data exfiltration in four minutes flat. The primary enabler across most of these cases is the abuse of legitimate credentials: a valid account authenticating to hosts it is permitted to reach looks like normal network traffic, drops no malware, and sidesteps detection tools that key on malicious files rather than on tempo and access patterns.
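Because valid-credential intrusions leave little beyond authentication events, one practical response is to measure breakout time directly from logon telemetry: per account, the gap between the first successful logon and the first successful logon to a different host. The script below is an added example, not code from CrowdStrike, ReliaQuest or the article; it runs over a constructed, simplified logon log (timestamp, account, source host, target host, result), which is an assumed format standing in for Windows 4624 events or VPN logs, and flags accounts whose breakout time falls under a threshold. The 30-minute default is an assumption chosen to sit just above the reported averages.

```python
"""Breakout-time detection over logon events (added example, constructed data).

For each account, take the first successful logon as initial access and the
first successful logon to a *different* target host as lateral movement.
The difference is that account's breakout time.
"""
from datetime import datetime, timedelta

# Constructed sample log, not real telemetry.
# Columns: timestamp  account  source_host  target_host  result
SAMPLE_EVENTS = """\
2025-11-03T09:00:12Z svc_backup VPN-GW FS01  success
2025-11-03T09:01:40Z svc_backup FS01   FS01  success
2025-11-03T09:04:05Z svc_backup FS01   DC01  success
2025-11-03T09:05:30Z svc_backup DC01   SQL01 success
2025-11-03T08:10:00Z jdoe       WS-22  WS-22 success
2025-11-03T10:45:00Z jdoe       WS-22  FS01  failure
2025-11-03T13:20:00Z jdoe       WS-22  FS01  success
"""


def parse_events(text):
    """Parse whitespace-separated log lines into dicts, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, dst, result = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "account": account,
            "src": src,
            "dst": dst,
            "result": result,
        })
    return sorted(events, key=lambda e: e["ts"])


def breakout_times(events):
    """Return {account: {"breakout": timedelta, "from": host, "to": host}}.

    Accounts that never reach a second host map to None. Failed logons are
    ignored: they show intent but not access.
    """
    first_access = {}   # account -> (timestamp, first target host)
    result = {}
    for e in events:
        if e["result"] != "success":
            continue
        acct = e["account"]
        if acct not in first_access:
            first_access[acct] = (e["ts"], e["dst"])
            result[acct] = None
        elif result[acct] is None and e["dst"] != first_access[acct][1]:
            t0, host0 = first_access[acct]
            result[acct] = {
                "breakout": e["ts"] - t0,
                "from": host0,
                "to": e["dst"],
            }
    return result


def hosts_reached_within(events, account, window=timedelta(minutes=30)):
    """Distinct hosts an account successfully logged on to within `window`
    of its first successful logon; useful alongside breakout time because a
    fast fan-out across several hosts is more telling than one hop."""
    hits = [e for e in events
            if e["account"] == account and e["result"] == "success"]
    if not hits:
        return set()
    t0 = hits[0]["ts"]
    return {e["dst"] for e in hits if e["ts"] - t0 <= window}


def flag_fast_breakouts(events, threshold=timedelta(minutes=30)):
    """Accounts whose breakout time is under the threshold, sorted by name."""
    flagged = []
    for acct, info in breakout_times(events).items():
        if info is not None and info["breakout"] < threshold:
            flagged.append(acct)
    return sorted(flagged)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for acct, info in breakout_times(evs).items():
        print(acct, info)
    print("fast breakouts:", flag_fast_breakouts(evs))
    print("svc_backup hosts in 30 min:", hosts_reached_within(evs, "svc_backup"))
```

In the constructed data the service account reaches a second host in under four minutes and three distinct hosts within the window, so it is flagged; the interactive user hops to a file server five hours after first logon and is not. A real deployment would bound the search to a lookback (for example the account's first logon in the last 24 hours) rather than all of history, and would tune the threshold per account class, since service accounts legitimately fan out quickly during backup windows.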
AI Is Sharpening Attacker Tradecraft
CrowdStrike observed an 89% increase in attacks by AI-enabled adversaries compared to 2024. The groups using AI to accelerate operations include Fancy Bear, Punk Spider (Akira), Blind Spider (Blind Eagle), Odyssey Spider (TA558), and an India-nexus group called Frantic Tiger, which has used Netlify and Cloudflare pages for credential harvesting.
Separately, Kali Linux has added an integration with Anthropic’s Claude through the Model Context Protocol, allowing users to issue commands in natural language that the system translates into technical instructions. While the tool is designed for ethical hacking and security assessments, its introduction into a penetration testing distribution reflects how AI-assisted command execution is becoming standard on both sides of security operations.
CrowdStrike also recorded a 42% year-over-year increase in vulnerabilities exploited before public disclosure. Among China-nexus adversaries, 67% of exploited vulnerabilities provided immediate system access, and 40% targeted edge devices such as VPN gateways and firewalls, which typically sit outside endpoint monitoring coverage.
Notably, 82% of attacks recorded by CrowdStrike involved no malware at all, reflecting a sustained shift toward hands-on-keyboard operations and the repurposing of legitimate system tools already present on the victim host.
Surveillance, Phishing, and Active Campaigns
ResidentBat, an Android spyware implant linked to Belarusian authorities, has been active since at least 2021 despite only being documented publicly in December 2025. The implant gives operators access to call logs, microphone recordings, SMS, messages from encrypted messenger apps, screen captures, and stored files. According to Censys, its infrastructure sits primarily in the Netherlands (5 hosts), Germany (2 hosts), Switzerland (2 hosts), and Russia (1 host), listening on a narrow port range of 7000 to 7257.
On the phishing front, campaigns impersonating cryptocurrency platforms like Bitpanda are pressuring users to reconfirm personal information under threat of account suspension. Cofense noted the attacks collected names, emails, passwords, and location data under the cover of a fake multi-factor authentication process.
Mac users searching for software including Homebrew, 7-Zip, Notepad++, LibreOffice, and Final Cut Pro are being targeted by a malvertising campaign running through at least 35 hijacked Google advertiser accounts. The campaign is active.
ReliaQuest’s data adds one detail that reframes the entire picture: in 47% of incidents reviewed, the credentials attackers used for initial access already carried high privileges. No escalation needed. No alerts triggered. Just access, already granted.
This article is a curated summary based on third-party sources.