Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware
Cybersecurity NewsArchived Jun 06, 2026✓ Full text saved
Cybercriminals have found a clever and dangerous new way to slip past defenses. Instead of building custom attack tools that security software can flag, they are turning everyday system utilities into weapons. This shift is reshaping how attacks unfold, and the numbers are hard to ignore. According to ANY.RUN’s Q1 2026 Cyber Risk Report, based […] The post Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware appeared first on Cyber Security News .
Full text archived locally
✦ AI Summary· Claude Sonnet
HomeCyber Security News
Hackers are Increasingly Weaponizing Trusted Tools to Deploy Notorious Malware
By Tushar Subhra Dutta
June 5, 2026
Cybercriminals have found a clever and dangerous new way to slip past defenses. Instead of building custom attack tools that security software can flag, they are turning everyday system utilities into weapons.
This shift is reshaping how attacks unfold, and the numbers are hard to ignore. According to ANY.RUN’s Q1 2026 Cyber Risk Report, based on over 2.1 million malware and phishing investigations, three trends are redefining the threat landscape.
Credential theft climbed by 14.7%, loader-based attacks spiked by 98.3%, and Living-off-the-Land Binary and Script attacks leveraging JavaScript surged by 58.4%. These figures describe attackers who are becoming quieter and faster at the same time.
Analysts at ANY.RUN noted that the growing reliance on trusted tools is making attacks much harder to detect. When attackers use the same software administrators rely on to run their systems, traditional signature-based detection often fails to raise an alarm.
The challenge is no longer just finding malicious files but understanding whether a normally safe tool is being abused.
ANY.RUN said in a report shared with Cyber Security News (CSN) that early-stage compromise is one of the most overlooked risks in modern security operations.
The report found it takes just 21 seconds for an attacker to establish persistence after initial access, and only 16 seconds for Living-off-the-Land execution to begin. These margins do not allow a slow response.
The broader concern is that the gap between infection and full system compromise is narrowing fast. Security teams not equipped to investigate threats in real time are at increasing risk of falling behind before they even realize an attack has started.
Hackers are Increasingly Weaponizing Trusted Tools
The concept of “living off the land” refers to attackers using tools already present on a target’s system, such as PowerShell, Windows Script Host, or JavaScript environments, rather than deploying external malware.
This approach makes malicious activity blend with normal operations, drastically cutting detection chances.
The Q1 2026 report shows LOLBAS attacks using JavaScript grew by 58.4% during the quarter. Attackers exploit built-in scripting tools to execute malicious code without dropping a traditional malware file on disk.
Outcomes (Source – Any.Run)
This fileless approach is particularly effective against endpoint solutions that rely on file scanning rather than behavioral monitoring.
What makes this trend especially alarming is the speed at which these attacks unfold. When initial access is gained, persistence is established within seconds, leaving a razor-thin window for defenders to respond.
Credential abuse combined with native tool exploitation allows attackers to operate quietly for long periods without triggering any alerts.
Detection in this environment demands a new approach entirely. Behavior-based monitoring and anomaly investigation are now essential for any organization serious about security. Waiting for a known malicious file to appear is simply no longer a viable strategy.
The Rising Cost of Delayed Detection
Perhaps the most striking insight from the report is not the variety of attack techniques but how quickly they play out. Persistence can be established in just 21 seconds after initial compromise, exposing a serious gap in how most organizations approach threat detection today.
Loader-based attacks grew by 98.3%, nearly doubling in a single quarter. These tools operate in the earliest phases of an attack to download and execute additional malware on a compromised system.
Their rapid growth signals that threat actors are focused on securing a foothold first and escalating later. Identity remains a primary target, with credential theft rising by 14.7%.
Attackers armed with valid credentials can move through a network appearing as legitimate users, making it very hard to separate malicious behavior from normal activity. This is where behavioral analytics and rapid triage become critical.
The report recommends that security teams prioritize early-stage threat visibility and invest in real-time investigation capabilities.
Reducing investigation delays, confirming exposure faster, and strengthening detection coverage across all major platforms are the core priorities for Q2 2026. Organizations acting on these findings will be far better positioned to limit damage when the next wave arrives.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Tushar Subhra Dutta
Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
Trending News
New Google Gemini Vulnerability Exploited via Prompt Injections from WhatsApp, Slack, and SMS
CISA Flags Palo Alto Networks PAN-OS Vulnerability as Exploited in Attacks
Chinese APT VerdantBamboo Uses BRICKSTORM Malware to Compromise Firewalls and Appliances
Microsoft Unveils Always-On AI Agent Scout to Integrate With Teams, Outlook, and More
Android Banking Trojan OverlayPhantom Abuses Accessibility Service to Control Devices
Latest News
Cyber Security News
Hola Browser for Windows Delivery Pipeline Compromised to Deliver Cryptominer
Cyber Security News
New Gafgyt Variant Targets Multiple Linux Architectures With Modular Propagation
Cyber Security News
Microsoft 365 Service Degradation Bypassed Windows Driver Auto-Update Controls
Cyber Security News
New SHub Stealer Variant Malware Targets Chrome, Firefox, Brave, Edge, Opera, and Crypto Wallets
Cyber Security News
Malicious Browser Add-Ons Target ChatGPT, Claude, Copilot, Gemini, and DeepSeek Users