Red Report 2025: A 3X Increase in Credential Theft While AI Threats Stay More Hype Than Harm

The Red Report 2025

The 10 Most Prevalent MITRE ATT&CK Techniques Used by Adversaries.


For years, the cybersecurity headlines have been dominated by news of sophisticated phishing campaigns and zero-day exploits. But behind these attention-grabbers lurks a far more subtle and explosive evolution in adversarial behavior. Today, we are proud to introduce the Red Report 2025, the fifth edition of our annual threat analysis from Picus Labs. This year’s key revelation? A massive uptick in infostealing malware and multi-stage “heist-style” campaigns that are pushing the boundaries of stealth and persistence, while actual AI-driven attacks remain more hype than reality.

From Infostealers to AI Myths: 2025’s Cyber Threat Reality Check

The Red Report 2025 is based on an analysis of over 1 million real-world malware samples collected throughout 2024. These samples revealed more than 14 million malicious actions, 93% of which were related to the top 10 MITRE ATT&CK® techniques. We call these the top ten because of their consistent use by adversaries, underscoring how vital they are to attackers’ efforts to infiltrate and burrow deep into a victim’s environment.

Key Data Points at a Glance:

  • A 3X increase in malware targeting credentials stored in password vaults and managers

  • 93% of all malicious actions mapped to just 10 MITRE ATT&CK techniques

  • No significant use of AI, yet, in real-world malware campaigns

  • Rise of “SneakThief” style infostealers that rely on stealth, automation, and persistence

  • Malware now executes an average of 14 malicious actions
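The figures above come from counting, per sample, which techniques its malicious actions map to. The following script is an added illustration (not Picus Labs’ tooling) of that arithmetic on a small constructed corpus: per-technique prevalence (share of samples exhibiting it), the share of all actions covered by the top N techniques, and the mean number of actions per sample.

```python
from collections import Counter
from typing import Dict, List, Tuple

# Constructed toy corpus (hypothetical, not the report's data): each entry
# is one malware sample mapped to the ATT&CK technique IDs of the malicious
# actions it performed. A technique repeats when a sample performs that kind
# of action more than once.
SAMPLES: Dict[str, List[str]] = {
    "sample-a": ["T1055", "T1059", "T1555", "T1071", "T1547", "T1055"],
    "sample-b": ["T1059", "T1071", "T1027", "T1555"],
    "sample-c": ["T1055", "T1082", "T1071", "T1059"],
    "sample-d": ["T1547", "T1555", "T1059", "T1204"],
}


def technique_prevalence(samples: Dict[str, List[str]]) -> Dict[str, float]:
    """Share of samples in which a technique appears at least once.
    This is the report's 'prevalence rate' (e.g. T1055 in 31% of samples)."""
    seen: Counter = Counter()
    for actions in samples.values():
        seen.update(set(actions))  # count each technique once per sample
    return {t: c / len(samples) for t, c in seen.items()}


def top_n_action_share(samples: Dict[str, List[str]], n: int = 10) -> Tuple[List[str], float]:
    """Top-n techniques by action count and the fraction of all malicious
    actions they cover (the report's '93% mapped to the top 10')."""
    actions: Counter = Counter(a for acts in samples.values() for a in acts)
    total = sum(actions.values())
    top = actions.most_common(n)
    return [t for t, _ in top], sum(c for _, c in top) / total


def mean_actions_per_sample(samples: Dict[str, List[str]]) -> float:
    """Average number of malicious actions per sample (report: 14)."""
    return sum(len(a) for a in samples.values()) / len(samples)


if __name__ == "__main__":
    for tech, rate in sorted(technique_prevalence(SAMPLES).items(), key=lambda kv: -kv[1]):
        print(f"{tech}: present in {rate:.0%} of samples")
    top, share = top_n_action_share(SAMPLES, n=4)
    print(f"top 4 {top} cover {share:.0%} of all actions")
    print(f"mean actions per sample: {mean_actions_per_sample(SAMPLES):.1f}")
```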



Figure: Red Report 2025 in Numbers (methodology graph)

Meet “SneakThief” and the Art of the Perfect Heist

This year’s report shines a spotlight on a new wave of infostealer malware we’ve dubbed “SneakThief,” infamous for an attack sequence so effective it’s been likened to “The Perfect Heist.” While the name is fictitious, the techniques are alarmingly real: multi-stage infiltration, advanced process injection, secure channel exfiltration, and boot persistence. The result? An attacker’s dream scenario where precious credentials—and entire networks—can be siphoned off without actually tripping any alarm bells.

Credentials: The Crown Jewels

One of the most alarming shifts we uncovered is a 3X surge in malware that specifically targets credential stores, such as password managers and browser-stored login data. In fact, 25% of the malware examined last year exhibited behaviors mapped to T1555 (Credentials from Password Stores). This means threat actors aren’t just prying open your vault, they’re going after the master keys inside. Once they snag your credentials, lateral movement and privilege escalation within your environment are practically guaranteed.

The Top 10 Techniques Driving Cybercrime

It’s easy to get overwhelmed by the hundreds of MITRE ATT&CK techniques out there in the wild. But if you were to focus on just the top 10, you’d have addressed 93% of the malware activity we observed in 2024. Of these, T1055 (Process Injection) stands out with a 31% prevalence rate, enabling attackers to hide malicious code in legitimate processes. Other heavy hitters include T1059 (Command and Scripting Interpreter) for malicious scripting, T1071 (Application Layer Protocol) for encrypted exfiltration, and T1547 (Boot or Logon Autostart Execution) for its persistence through reboots. Together, they form the backbone of modern cyber heists.

Debunking the Myth: AI-Driven Malware Not Yet a Real Threat

Amid a seemingly never-ending media frenzy, our findings actually show no evidence of AI-driven malware playing a significant role in active cyber campaigns. Attackers do leverage AI-like capabilities for tasks such as creating realistic phishing lures or debugging malicious code, but we haven’t seen new or disruptive AI-based attack vectors. Oh, it’s coming, but for now the “dark AI” storyline remains more fiction than fact.

Why Your Security Priorities Need to Shift

Credential theft, encrypted data exfiltration, and stealthy process injection underscore a clear directive for defenders: traditional patchwork defenses, where disparate tools and processes operate in isolation, simply aren’t enough. Organizations need continuous security validation, advanced behavioral monitoring, and a threat-informed strategy that focuses on the TTPs most favored by attackers. Proactive alignment of your defenses to the top 10 MITRE ATT&CK techniques can dramatically reduce the real-world impact of threats like SneakThief.

Get the Full Story

The Red Report 2025 goes beyond threat statistics and highlights the exact ways attackers execute high-stakes exfiltrations of enterprise data. It also provides actionable insights for defenders, including:

  • Threat-informed defense strategies to align your security controls to adversaries’ top TTPs

  • Best practices for credential hardening and multi-factor authentication

  • How to detect and more importantly disrupt Stealth + Persistence combos

  • Real-world examples of “The Perfect Heist,” so you can learn from others before it’s too late

Ready to dive into the world of modern heists and unstoppable infostealers?
Download the Picus Red Report 2025 to get the latest actionable intelligence and join our upcoming live webinar on February 27, 2025, at 1:00 p.m. EST. You’ll hear directly from Picus Labs researchers themselves about the data that shapes modern cyber defenses.