Q1 2026 Cyber Risk Report: Insights from 2.1 Million Malware and Phishing Investigations
ANY.RUN's Q1 2026 Cyber Risk Report highlights a significant acceleration in attacker operational tempo, with the median time-to-persistence dropping to 21 seconds and a median time to LOTL execution of 16 seconds. The data also shows a marked increase in loader-based attacks, credential theft, and the weaponization of trusted tools via JavaScript LOLBAS techniques, emphasizing the critical need for rapid, behavior-based detection capabilities.
What Happened
A recent analysis of over 2 million security investigations reveals that cyberattacks are happening faster than ever, with attackers establishing a permanent foothold in systems in a median of just 21 seconds. The report shows a sharp rise in the theft of user passwords and in the use of built-in system tools to hide malicious activity. This matters because traditional security defenses often struggle to catch these fast, stealthy techniques, leading to longer compromises and higher costs. Organizations should focus on speeding up their detection and response times to catch these threats before they cause significant damage.
Key Takeaways
- Loader-based attacks nearly doubled (+98.3%), highlighting their expanding role in initial compromise.
- Credential theft activity increased by 14.7%, indicating attackers prioritize low-noise operations using valid accounts.
- LOLBAS attacks leveraging JavaScript (T1059.007) rose by 58.4%.
- Attackers are operating with extreme speed, with a median time-to-persistence of just 21 seconds.
- The median time for attackers to utilize native system tools (LOTL execution) is 16 seconds.
Affected Systems
- Enterprise environments
- Windows
- macOS
- Linux
Attack Chain
Attackers are increasingly utilizing loader-based malware for initial compromise, followed rapidly by credential theft to blend in with normal network activity. Once inside, they leverage Living-off-the-Land (LOTL) techniques, specifically JavaScript-based LOLBAS, to execute payloads within a median time of 16 seconds. Persistence is established almost immediately, often within 21 seconds, by integrating into system services and configuration layers to evade detection and survive reboots.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
The article does not provide specific detection rules, but emphasizes the need for behavior-based monitoring and anomaly investigation to detect rapid persistence and LOLBAS techniques.
Detection Engineering Assessment
- EDR Visibility: High — EDR solutions are essential for detecting rapid LOTL execution (16 seconds) and system service modifications used for persistence (21 seconds).
- Network Visibility: Medium — Network visibility can help detect anomalous credential usage or C2 traffic from loaders, but the rapid on-host execution relies heavily on endpoint telemetry.
- Detection Difficulty: Hard — The extremely short window (16-21 seconds) between initial access and persistence, combined with the use of legitimate system tools (LOLBAS), makes distinguishing malicious activity from benign administration difficult.
Required Log Sources
- Windows Security Event ID 4688 (A new process has been created)
- Sysmon Event ID 1 (Process creation)
- Sysmon Event ID 12/13/14 (Registry events: object create/delete, value set, key/value rename)
- Windows System Event ID 7045 (A service was installed in the system)
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for unusual JavaScript execution through native interpreters (wscript.exe or cscript.exe) that spawn network connections or anomalous child processes, which may indicate T1059.007 LOLBAS abuse. | Process Creation, Network Connections | Execution | Medium |
| Evaluate whether new system services or configuration layer changes occur within seconds of a user logging in or a script executing, potentially indicating rapid persistence establishment. | System Services, Registry Modifications | Persistence | High |
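As an added example (not from the ANY.RUN report or this summary), the Python below runs both hunting hypotheses from the table over a small set of constructed endpoint events: Sysmon Event ID 1 process creations, Sysmon Event ID 3 network connections (assumed here to be the "Network Connections" telemetry the table refers to), and System log Event ID 7045 service installs. The first hunt flags a script interpreter that spawns a child process or opens a network connection; the second flags a service install that lands within a short window after an interpreter started. The field names are simplified versions of the Sysmon and Windows schemas, and every event, path, service name and IP address is constructed for the illustration.

```python
"""Hunt for JavaScript LOLBAS abuse and rapid persistence in constructed telemetry."""
from dataclasses import dataclass
from typing import Dict, List, Optional
import ntpath

# Native script interpreters named in the hunting hypotheses (T1059.007 via LOLBAS).
SCRIPT_INTERPRETERS = {"wscript.exe", "cscript.exe"}

# Constructed sample telemetry (not real data). "source" distinguishes Sysmon
# events from the Windows System log; timestamps are epoch seconds.
SAMPLE_EVENTS: List[Dict] = [
    {"ts": 1000.0, "source": "sysmon", "event_id": 1, "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:\Users\alice\Downloads\invoice.js"},
    {"ts": 1003.0, "source": "sysmon", "event_id": 3, "pid": 4100,
     "image": r"C:\Windows\System32\wscript.exe",
     "dest_ip": "198.51.100.23", "dest_port": 443},          # constructed IP
    {"ts": 1005.0, "source": "sysmon", "event_id": 1, "pid": 4120,
     "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "cmd.exe /c ..."},
    {"ts": 1016.0, "source": "system", "event_id": 7045,
     "service_name": "UpdaterSvc",                            # constructed name
     "image_path": r"C:\ProgramData\upd\svc.exe"},
    # Benign noise: a logon script under cscript with no child or network
    # activity, and an unrelated service install long after any script ran.
    {"ts": 2000.0, "source": "sysmon", "event_id": 1, "pid": 5200,
     "image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r"cscript.exe \\corp\netlogon\mapdrives.vbs"},
    {"ts": 5000.0, "source": "system", "event_id": 7045,
     "service_name": "PrintWorkflow",
     "image_path": r"C:\Windows\System32\svchost.exe"},
]


@dataclass
class Finding:
    hypothesis: str          # which hunt produced the hit
    ts: float                # timestamp of the triggering event
    detail: str              # human-readable summary for triage
    delta_s: Optional[float] = None   # script-to-persistence gap, hunt 2 only


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (ntpath handles backslashes on any OS)."""
    return ntpath.basename(path).lower()


def hunt_interpreter_abuse(events: List[Dict]) -> List[Finding]:
    """Hypothesis 1: wscript/cscript spawning a child process or opening a network connection."""
    findings: List[Finding] = []
    for e in events:
        if e["source"] != "sysmon":
            continue
        if e["event_id"] == 1 and _basename(e.get("parent_image", "")) in SCRIPT_INTERPRETERS:
            findings.append(Finding(
                "interpreter_child_process", e["ts"],
                f"{_basename(e['parent_image'])} -> {_basename(e['image'])} (pid {e['pid']})"))
        elif e["event_id"] == 3 and _basename(e["image"]) in SCRIPT_INTERPRETERS:
            findings.append(Finding(
                "interpreter_network", e["ts"],
                f"{_basename(e['image'])} -> {e['dest_ip']}:{e['dest_port']} (pid {e['pid']})"))
    return findings


def hunt_rapid_persistence(events: List[Dict], window_s: float = 30.0) -> List[Finding]:
    """Hypothesis 2: a 7045 service install within window_s after a script interpreter started."""
    script_starts = [e for e in events
                     if e["source"] == "sysmon" and e["event_id"] == 1
                     and _basename(e["image"]) in SCRIPT_INTERPRETERS]
    findings: List[Finding] = []
    for e in events:
        if not (e["source"] == "system" and e["event_id"] == 7045):
            continue
        for s in script_starts:
            delta = e["ts"] - s["ts"]
            if 0 <= delta <= window_s:   # only look back, never forward
                findings.append(Finding(
                    "rapid_persistence", e["ts"],
                    f"service {e['service_name']} installed {delta:.0f}s after "
                    f"{_basename(s['image'])} (pid {s['pid']})", delta_s=delta))
    return findings


if __name__ == "__main__":
    for f in hunt_interpreter_abuse(SAMPLE_EVENTS) + hunt_rapid_persistence(SAMPLE_EVENTS):
        print(f"[{f.hypothesis}] t={f.ts:.0f} {f.detail}")
```

The 30-second default window is sized from the report's 16-second LOTL and 21-second persistence medians; tightening it lowers noise from legitimate installers that happen to run after logon scripts, while widening it trades false positives for coverage of slower loaders. In production the same joins would run over real Sysmon 1/3 and System 7045 streams keyed by host, with the `parent_image` check extended to the other interpreters your environment allows.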
Control Gaps
- Traditional signature-based AV (bypassed by LOLBAS usage, since the binaries involved are legitimate system tools)
- Manual triage processes (too slow for the 21-second persistence window)
Key Behavioral Indicators
- Rapid sequence of script execution followed by service creation
- JavaScript execution via native interpreters (wscript/cscript) performing administrative actions
False Positive Assessment
- Medium
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting.
- Evaluate whether automated isolation policies can be applied to endpoints exhibiting rapid, anomalous LOLBAS execution.
Infrastructure Hardening
- Consider restricting the execution of JavaScript and other script interpreters (wscript.exe, cscript.exe) to authorized administrative users or directories.
- Evaluate implementing strict least-privilege access to limit the impact of credential theft.
User Protection
- If supported by your identity provider, consider enforcing phishing-resistant MFA to mitigate the 14.7% rise in credential theft.
- Evaluate whether endpoint protection rules can block unauthorized modifications to system services and configuration layers.
Security Awareness
- Consider updating security awareness training to emphasize the risks of loader-based attacks, often delivered via phishing or malicious downloads.
MITRE ATT&CK Mapping
- T1059.007 - Command and Scripting Interpreter: JavaScript
- T1078 - Valid Accounts
- T1543 - Create or Modify System Process
- T1059 - Command and Scripting Interpreter