High-Tech Sector Becomes Top Cyberattack Target, Mandiant Report Reveals High-tech cyberattack trends

The high-tech sector emerged as the most targeted industry for cyberattacks in 2025. This marks a significant shift in high-tech cyberattack trends, dethroning financial services.

These findings come from Mandiant’s latest incident response data, detailed in its M-Trends 2026 Report, published on March 23 by the Google Cloud-owned firm.

What Happened

High-tech companies accounted for 17% of all Mandiant investigations in 2025. This compares to financial services, which made up 14.6% of investigations.

Financial services had led as the top cyberattack target in both 2023 and 2024. Other heavily targeted sectors included business and professional services at 13.3% and healthcare at 11.9%.

Details From Sources

Mandiant M-Trends 2026 Findings

According to the Mandiant M-Trends 2026 report, several key trends emerged in 2025.

Increased Dwell Time

The global median dwell time increased from 11 days in 2024 to 14 days in 2025. Dwell time refers to the number of days an attacker is present in a system before detection.

This increase was largely driven by North Korean-linked cyber espionage campaigns and IT worker incidents. These specific incidents showed median dwell times of 122 days.

Cyber Campaigns and Events

In 2025, Mandiant and Google Threat Intelligence Group (GTIG) identified 83 malicious cyber campaigns and 8 global cyber events. These cyber events affected organizations across 73 countries.

Mandiant investigated 35 campaigns and six global events out of 91 incidents. These investigations provide a comprehensive cybersecurity report 2025.

Global ClickFix Adoption

ClickFix was identified as an active global event in 2025, according to reports on emerging threats. This technique involves attackers using prompts on phishing pages to convince users to execute PowerShell or system-level commands.

These commands are often disguised as fixes or verifications. Lures observed in 2025 included CAPTCHAs, video conference verifications, driver updates, and enterprise software compliance verification.

Threat Clusters and Malware Families

GTIG and Mandiant began tracking 661 new threat clusters and 714 new malware families in 2025. This brings the total to over 5000 tracked threat clusters and more than 6000 tracked malware families.

Mandiant encountered 288 threat groups during 2025 investigations, with 205 being newly tracked; this was lower than in 2024. Researchers identified 224 malware families used in investigated campaigns, which is higher than 205 in 2024, including 126 newly tracked families.

Initial Access Vectors

Vulnerability exploits statistics show they were the most frequently observed initial infection vector. This marks the sixth consecutive year for vulnerability exploits, comprising 32% of Mandiant investigations in 2025 where identified.

Voice phishing (vishing) surged to become the second most common vector at 11%, indicating a shift toward interactive, human-led attacks. Email phishing, however, continued to decline, dropping from 22% in 2022 to 6% in 2025.

Most cyber threat actors abused native functionalities and legitimate tools in 2025. Ransomware operators shifted their primary objective from data theft to deliberate recovery denial, targeting backup infrastructure, identity services, and virtualization management planes.

Why This Matters

The observed shift in high-tech cyberattack trends highlights evolving attacker strategies and priorities. The high-tech sector’s new position as the primary target indicates a changing threat landscape for cyberattack target industries.

Increased cyber dwell time is also a significant concern, suggesting attackers remain undetected for longer periods within compromised environments. The global reach of these cyber events, affecting organizations across 73 countries, underscores the widespread impact.

Background Context

Before 2025, financial services consistently held the position as the leading target industry for cyberattacks. This occurred in both 2023 and 2024, providing context for the current shift in top target industries.

Conclusion

The Mandiant M-Trends 2026 Report provides a comprehensive cybersecurity report 2025, revealing the high-tech sector’s emergence as the top target industry. The report also highlights a rise in global median dwell time, from 11 to 14 days, indicating a cyber dwell time increase.

Vulnerability exploits remain the most common initial access method, while vishing attacks have seen a notable increase. These findings underscore the dynamic nature of the cyber threat landscape and the continuous evolution of attacker tactics, impacting high-tech cyberattack trends globally.

Frequently Asked Questions

Q1: Which industry was the most targeted by cyberattacks in 2025, according to Mandiant?

A1: The high-tech sector was the most targeted industry for cyberattacks in 2025.

Q2: How did the global median dwell time change from 2024 to 2025?

A2: The global median dwell time increased from 11 days in 2024 to 14 days in 2025.

Q3: What is “ClickFix” as described in the Mandiant report?

A3: ClickFix is a social engineering technique where attackers use prompts on phishing pages to trick users into executing system-level commands, often under the guise of fixing problems.

Q4: What was the most common initial infection vector observed by Mandiant in 2025?

A4: Vulnerability exploits were the most frequently observed initial infection vector, comprising 32% of Mandiant investigations in 2025 where identified.

Q5: What new objective have ransomware operators adopted?

A5: Ransomware operators have shifted their primary objective from data theft to deliberate recovery denial, targeting backup infrastructure, identity services, and virtualization management planes.