The headline number is 22 seconds. That is the median time between initial access and hand-off to a secondary threat group in 2025, down from more than 8 hours in 2022. Mandiant's M-Trends 2026 is the most detailed incident data available on this acceleration, and it changes the math on detection strategy.
The 22-second hand-off
In a two-stage intrusion (access broker then ransomware operator, for example), the access broker completes initial access and immediately passes the session to the buyer. In 2022, that hand-off took hours, giving defenders meaningful time to detect initial access before the more destructive second actor arrived. By 2025, that window had collapsed to a median of 22 seconds.
The implications are blunt. Alert triage workflows that assume dwell time are now starting from behind. If your detection-to-response SLA is measured in minutes, and the attacker has already handed off in seconds, you are responding to the second actor, not the first.
This does not mean detection is useless. It means that detection needs to operate closer to the signal source, with automated containment, rather than relying on human triage to interrupt a hand-off that completes before any analyst sees the alert.
AI malware is not just a capability preview
M-Trends 2026 documents two AI-at-runtime malware families. Not AI-assisted development of malware, but malware that calls an LLM during execution.
PROMPTFLUX is a VBScript dropper, first observed in June 2025, that calls the Gemini API on an hourly schedule to rewrite its own source code. It does not download a new binary. It asks an LLM to generate a new version of itself that preserves the same behavior while changing its signature. The result is a new malware sample every hour. Static signature detection fails by design. Behavioral detection needs to operate at a level that survives code regeneration.
PROMPTSTEAL is attributed to APT28, the Russian state actor also tracked as FROZENLAKE. It queries a live LLM to generate one-line Windows commands for document theft, adapting to the target environment in real time rather than running pre-scripted logic. Mandiant describes it as the first confirmed state-sponsored malware that calls a live LLM during operations. It was used against targets in Ukraine.
The significance of PROMPTSTEAL is not that it is sophisticated. A one-line command generator is not impressive tradecraft by itself. The significance is that the pattern is now confirmed in live state-sponsored operations: attackers are using LLMs as adaptive logic engines inside running malware, not just as development tools before deployment.
What changes for defenders
Three things.
First, detection latency budgets need to shrink. If 22-second hand-offs are the median, detection needs to operate at a timescale where automated containment can fire before the second actor is established.
Second, outbound LLM API traffic from unexpected processes is a new indicator of compromise. PROMPTFLUX and PROMPTSTEAL both make outbound calls to LLM APIs during execution. If a process on your endpoint is calling api.openai.com or generativelanguage.googleapis.com and that process is not a known AI tool, that is worth investigating.
Third, signature-based detection needs a complement that survives code regeneration. Memory analysis, behavioral clustering, and process-lineage monitoring will hold up better against PROMPTFLUX-style polymorphism than hash-based endpoint detection.
Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if your organization is reviewing its detection strategy in light of AI-accelerated threats.