Picus Security released The Red Report 2025. Based on an in-depth analysis of more than 1 million pieces of malware collected in 2024, the fifth annual report reveals that 25% of malware targets credentials in password stores, a 3X increase from 2023. For the first time, stealing credentials from password stores ranks among the report's top 10 MITRE ATT&CK techniques. The report finds that these top 10 techniques accounted for 93% of all malicious actions observed in 2024.
"Threat actors are leveraging sophisticated extraction methods, including memory scraping, registry harvesting and compromising local and cloud-based password stores, to obtain credentials that give attackers the keys to the kingdom," said Picus Security co-founder and VP of Picus Labs, Dr. Suleyman Ozarslan. "It's vital that password managers are used in tandem with multi-factor authentication, and that employees never reuse a password, especially for their password manager."
Picus observed that attackers are prioritizing complex, prolonged, multi-stage attacks that require a new generation of malware to succeed. Picus Labs researchers coined the term "SneakThief" to represent the evolution of info-stealing malware, which involves increased stealth, persistence and automation. They liken the increasingly sophisticated approach to "the perfect heist," noting that most malware samples now contain more than a dozen malicious actions designed to help attackers evade defenses, increase permissions and exfiltrate data.
"Focusing on the top 10 MITRE ATT&CK techniques is the most viable way to stop the kill chain of sophisticated malware strains as early as possible," said Volkan Ertürk, CTO and co-founder of Picus. "SneakThief malware is not an exception; enterprise security teams can stop ninety percent of malware by focusing on just 10 of MITRE's entire library of techniques."
Additional key findings from the report include:

- Malware samples now contain an average of 14 malicious actions. Each individual piece of malware is therefore more complex and can perform more actions across the cyber kill chain.
- Exfiltration and stealth tactics made up 11.3 million actions in 2024. Adversaries are shifting to covert exfiltration methods, "whispering channels" such as encrypted communications (HTTPS, DoH), and living-off-the-land techniques to blend malicious activity into legitimate traffic. It is more common than ever to see tactics like process injection and application layer protocols used as key enablers, allowing attackers to persist in environments and exfiltrate data without triggering an alert.
- No evidence that cybercriminals are using AI-driven malware. Despite the widespread hype surrounding AI and its potential applications in cybersecurity, Picus's analysis revealed no significant increase in the use of AI-driven malware techniques in 2024.