Cloud attacks exploit flaws more than weak credentials

Google Cloud Security Report 2026: Hackers Abandon Weak Credentials for Zero-Day Exploits

In a stunning shift that’s sending shockwaves through the cybersecurity community, Google’s latest Cloud Threat Horizons Report reveals that hackers have abandoned their old playbook of credential stuffing and misconfigurations in favor of exploiting freshly disclosed vulnerabilities within hours of public disclosure.

The New Battlefield: Zero-Day Windows Collapse from Weeks to Days

The data is unequivocal: exploit-based attacks now account for 44.5% of cloud intrusions investigated by Google’s incident response team, while credential-based breaches have plummeted to just 27%. This represents a tectonic shift in attacker methodology that’s caught many organizations off guard.

“What we’re witnessing is a fundamental change in how threat actors approach cloud environments,” explains Google’s Threat Analysis Group. “The exploitation window has collapsed from weeks to mere days. We’ve observed cryptominers deployed within 48 hours of vulnerability disclosure, indicating attackers are standing ready to weaponize new flaws the moment they become public.”

React2Shell and XWiki: The New Attack Vectors

The most frequently exploited vulnerability type? Remote Code Execution (RCE). Two critical flaws have dominated the landscape: React2Shell (CVE-2025-55182) and the XWiki vulnerability (CVE-2025-24893), which powered the infamous RondoDox botnet attacks.

The React2Shell vulnerability, discovered in the popular React and Next.js frameworks, allows attackers to execute arbitrary JavaScript code remotely. When combined with XWiki’s remote code execution flaw, these vulnerabilities created a perfect storm for attackers seeking rapid, high-impact compromises.

State-Sponsored Espionage: The Long Game

While financially motivated attackers move quickly, state-sponsored operations are playing the long game. Google uncovered evidence of Iranian-linked threat actor UNC1549 maintaining access to a target environment for over 18 months using stolen VPN credentials and the MiniBike malware. The result? Nearly one terabyte of proprietary data exfiltrated.

Similarly, China-sponsored actor UNC5221 used the BrickStorm malware to maintain access to VMware vCenter servers for at least 18 months, stealing source code and intellectual property. These aren’t smash-and-grab operations—they’re calculated, patient campaigns designed to extract maximum value over extended periods.

North Korean Cyber Operations: Millions in Digital Assets Stolen

Perhaps most alarming is the sophistication of North Korean threat actor UNC4899, which compromised cloud environments specifically to steal digital assets. In one high-profile case, the group stole millions of U.S. dollars in cryptocurrency after tricking a developer into downloading malicious archive files.

The attack chain was meticulously crafted: the developer used AirDrop to transfer the file from a personal computer to a corporate workstation, then opened it in an AI-assisted integrated development environment (IDE). Inside was malicious Python code that deployed a binary masquerading as a Kubernetes command-line tool.

“The binary beaconed out to UNC4899-controlled domains and served as the backdoor that gave the threat actors access to the victim’s workstation, effectively granting them a foothold into the corporate network,” Google reports.

From there, the attackers pivoted to the cloud environment, conducted reconnaissance, established persistence, and obtained a token for a high-privileged CI/CD service account. They moved laterally to more sensitive systems, broke out of containers, and ultimately compromised user accounts to steal millions in cryptocurrency.

The OpenID Connect Abuse Nightmare

In another sophisticated attack leveraging a compromised npm package called QuietVault, attackers stole a developer’s GitHub token and abused the GitHub-to-AWS OpenID Connect (OIDC) trust to create a new admin account in the cloud environment.

Within just three days, the attackers had harvested GitHub and npm API keys by feeding prompts to local AI command-line tools, abused the CI/CD pipeline to obtain AWS API keys, stolen data from S3 storage, and destroyed it in production and cloud environments.

This incident was part of the “s1ngularity” supply-chain attack in August 2025, when attackers published compromised npm packages of the Nx open-source build system and monorepo management tool. The attack exposed sensitive information from 2,180 accounts and 7,200 repositories.
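The GitHub-to-AWS OIDC trust the attackers abused lives in the IAM role's trust policy: the `Condition` block decides which GitHub Actions identities may call `sts:AssumeRoleWithWebIdentity`. GitHub issues a `sub` claim of the form `repo:<org>/<repo>:ref:refs/heads/<branch>` (or `repo:<org>/<repo>:environment:<env>`, `repo:<org>/<repo>:pull_request`), so a trust policy that omits the `sub` condition, or wildcards it across repositories, lets a stolen GitHub token mint AWS credentials from any repository the attacker controls. The following Python is an added example, not code from Google's report or from this article: it audits trust policies for that weak setting and shows the pinned form beside it. The account id, organization and repository names are placeholders, and the four sample policies are constructed.

```python
"""Audit GitHub-to-AWS OIDC trust policies for over-broad `sub` conditions.

Added example; account id, org and repo names are placeholders."""
import json
import re

GITHUB_OIDC_HOST = "token.actions.githubusercontent.com"
# GitHub's sub claim: repo:<org>/<repo>:<ref | environment | pull_request ...>
SUB_RE = re.compile(r"^repo:([^/:]+)/([^/:]+):(.+)$")


def _policy(sub_condition):
    """Build a constructed trust policy that already checks `aud` and merges in
    the caller's `sub` condition per operator (StringEquals / StringLike)."""
    condition = {"StringEquals": {f"{GITHUB_OIDC_HOST}:aud": "sts.amazonaws.com"}}
    for op, kv in sub_condition.items():
        condition.setdefault(op, {}).update(kv)
    return json.dumps({
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{GITHUB_OIDC_HOST}"},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": condition,
        }],
    })


# Constructed samples. Weak: any GitHub repository can assume the role.
WEAK_TRUST_POLICY = _policy({"StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:*"}})
NO_SUB_TRUST_POLICY = _policy({})
# Pinned to one repository but any ref, environment or pull request of it.
ANY_REF_TRUST_POLICY = _policy(
    {"StringLike": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:*"}})
# Hardened: one repository, one branch.
HARDENED_TRUST_POLICY = _policy(
    {"StringEquals": {f"{GITHUB_OIDC_HOST}:sub": "repo:example-org/example-repo:ref:refs/heads/main"}})


def audit_trust_policy(policy_json):
    """Return a list of (severity, message) findings for every Allow statement
    that lets the GitHub OIDC provider assume the role; [] means each such
    statement checks `aud` and pins `sub` to a single repository and ref."""
    findings = []
    aud_key, sub_key = f"{GITHUB_OIDC_HOST}:aud", f"{GITHUB_OIDC_HOST}:sub"
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        federated = stmt.get("Principal", {}).get("Federated", "")
        if (stmt.get("Effect") != "Allow"
                or "sts:AssumeRoleWithWebIdentity" not in actions
                or GITHUB_OIDC_HOST not in federated):
            continue  # not a GitHub OIDC assume-role statement
        condition = stmt.get("Condition", {})
        if not any(aud_key in kv for kv in condition.values()):
            findings.append(("high", "aud is not checked; tokens minted for other audiences are accepted"))
        subs = []  # every (operator, pattern) pair constraining sub
        for op, kv in condition.items():
            vals = kv.get(sub_key, [])
            subs += [(op, v) for v in ([vals] if isinstance(vals, str) else vals)]
        if not subs:
            findings.append(("high", "no sub condition: any GitHub repository can assume this role"))
        for op, pattern in subs:
            m = SUB_RE.match(pattern)
            if not m or (op == "StringLike" and any(c in m.group(1) + m.group(2) for c in "*?")):
                findings.append(("high", f"sub {pattern!r} does not pin a single repository"))
            elif op == "StringLike" and m.group(3) == "*":
                findings.append(("medium", f"sub {pattern!r} allows any branch, tag, environment "
                                           "or pull request of the repository"))
    return findings


if __name__ == "__main__":
    for name, policy in [("weak", WEAK_TRUST_POLICY), ("no-sub", NO_SUB_TRUST_POLICY),
                         ("any-ref", ANY_REF_TRUST_POLICY), ("hardened", HARDENED_TRUST_POLICY)]:
        print(name, audit_trust_policy(policy) or "ok")
```

Pinning `sub` in the trust policy is only half of the control: the role the workflow assumes should also carry the minimum permissions the pipeline needs, so that even a correctly scoped identity cannot create new IAM users or administrators the way the attackers did here.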

Malicious Insiders: The Cloud Exfiltration Trend

Google’s analysis of 1,002 insider data theft incidents revealed a disturbing trend: insiders are increasingly using cloud services for data exfiltration. While email and portable storage devices remain primary methods, cloud services like AWS, Google Cloud, Microsoft Azure, Google Drive, Apple iCloud, Dropbox, and Microsoft OneDrive are becoming the preferred exfiltration vector.

The analysis found that 771 incidents occurred while the insider was still employed, and 255 occurred after termination. Google warns that cloud services will soon replace email as the preferred method for data exfiltration.

The Race Against Time: Automated Response Becomes Critical

Perhaps most concerning is the speed at which modern cloud attacks unfold. Google emphasizes that cloud attack speeds are now too fast for manual response schemes, with payload deployment sometimes occurring within one hour of a new instance’s creation.

“This isn’t a situation where you can rely on human intervention,” Google warns. “The implementation of automated incident response isn’t just recommended—it’s urgent.”

What’s Next: 2026 Threat Landscape

Looking ahead, Google expects threat activity to increase significantly in 2026, with geopolitical conflicts, the FIFA World Cup, and U.S. midterm elections acting as magnets for malicious operations. The convergence of these high-profile events creates perfect conditions for both financially motivated and state-sponsored actors to increase their operational tempo.

Tags:

zero-day exploits, cloud security, credential stuffing, remote code execution, React2Shell, XWiki vulnerability, state-sponsored hacking, North Korean cybercrime, OpenID Connect abuse, insider threats, cryptojacking, supply chain attacks, automated incident response, vulnerability disclosure, espionage campaigns, ransomware evolution, cloud forensics, data exfiltration, geopolitical cyber warfare, npm compromise
