Red Report 2025: Unmasking a 3X Spike in Credential Theft and Debunking the AI Hype



Cybercriminals have turned password theft into a booming enterprise: malware targeting credential stores jumped from 8% of samples in 2023 to 25% in 2024, a threefold increase.

This alarming surge is one of many insights from the newly released Red Report 2025 by Picus Labs, which analyzed over 1 million malware samples to identify the tactics hackers rely on most.

The findings read like a blueprint for a “perfect heist,” revealing how modern attackers combine stealth, automation, and persistence to infiltrate systems and plunder data without detection. 

And while the media buzzes about AI-driven attacks, our analysis reveals that the dark allure of AI in malware remains more myth than reality.

Credentials Under Siege: 3× Increase in Theft Attempts

According to the report, credential theft has become a top priority for threat actors. For the first time, stealing credentials from password stores (MITRE ATT&CK technique T1555) broke into the top 10 most-used attacker techniques.

Attackers are aggressively going after password managers, browser-stored logins, and cached credentials, essentially “handing over the keys to the kingdom.”

With those stolen passwords, attackers can quietly escalate privileges and move laterally through networks, making credential theft an incredibly lucrative stage in the cyber kill chain.

Top 10 ATT&CK Techniques Dominate (93% of Attacks)

Another key finding is just how concentrated attacker behavior has become. Among over 200 MITRE ATT&CK techniques, 93% of malware includes at least one of the top ten techniques. In other words, most hackers are relying on a core playbook of tried-and-true tactics.

Chief among them are techniques for stealth and abuse of legitimate tools. For example, process injection (T1055) – hiding malicious code by injecting it into legitimate processes – appeared in 31% of malware samples analyzed.

Likewise, command and scripting interpreter (T1059) was rampant, as attackers leverage built-in scripting tools (like PowerShell or Bash) to execute code without raising alarms. And, as noted, credentials from password stores (T1555) spiked to become one of the top techniques.


The “Perfect Heist”: Rise of SneakThief Infostealers

If 2024’s attacks could be summed up in a metaphor, it’s The Perfect Heist. Picus Labs researchers describe a new breed of information-stealing malware – dubbed “SneakThief” – that executes multi-stage, precision attacks resembling a meticulously planned robbery.

These advanced infostealers blend into networks with stealth, employ automation to speed up tasks, and establish persistence to stick around. In a SneakThief-style operation, malware might quietly inject itself into trusted processes, use encrypted channels (HTTPS, DNS-over-HTTPS) for communication, and even abuse boot-level autoruns to survive reboots.

All of this happens while the attackers methodically search for valuable data to exfiltrate, often before anyone even knows they’re there.

The Red Report shows that such multi-stage “heist-style” campaigns became increasingly common in 2024, with most malware now performing over a dozen discrete malicious actions to reach its goal. In some cases, threat actors combined the data theft of infostealers with the extortion tactics of ransomware.

Instead of immediately deploying encryption, attackers first steal sensitive files and passwords. This evolution underlines how blurred the lines have become between classic infostealers and ransomware crews: both are after sensitive data, and both excel at staying hidden until the payoff is in hand.

AI Threats: Separating Hype from Reality

Amid the buzz about artificial intelligence being used in cyberattacks, Red Report 2025 offers a reality check.

Despite widespread hype, Picus Labs found no evidence that cybercriminals deployed novel AI-driven malware in 2024. Attackers certainly took advantage of AI for productivity (e.g. automating phishing email creation or debugging code), but AI hasn’t revolutionized the core tactics of attacks.

In fact, the top malicious techniques remained largely “human” in origin (credential theft, injection, etc.), with no new AI-born attack methods appearing in the wild.

This doesn’t mean attackers will never weaponize AI, but as of now it’s more of an efficiency booster than a game-changer for them. The report suggests that while defenders should keep an eye on AI developments, the real-world threats still center on conventional techniques that we already understand.

It’s a telling insight: fancy AI malware might grab headlines, but an unpatched server or a stolen password remains a far likelier entry point than a rogue machine-learning algorithm.

Staying Ahead of Attackers: Proactive Defense and Validation

All these findings reinforce a clear message: staying ahead of modern threats requires a proactive, threat-informed defense. The organizations best positioned to thwart attacks are those continuously testing and aligning their security controls to the tactics attackers are using right now.

For example, given that just ten techniques cover the vast majority of malicious behavior, security teams should regularly validate that their defenses can detect and block those top 10 ATT&CK techniques across their environment.
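As an added example (not code from the report or from Picus), here is a small Python check of the kind a team might run while validating T1555 coverage: it scans constructed Sysmon-style file-access events and flags reads of browser or password-manager credential stores by any process other than the application that owns them. The store paths and owning process names are assumptions.

```python
"""Toy T1555 (credentials from password stores) detection check.

Added example, not from the Red Report. Events are constructed in a
Sysmon-like shape (pid, process image, target file path).
"""
import re
from pathlib import PureWindowsPath

# Credential-store file patterns and the process expected to read them (assumed).
CREDENTIAL_STORES = [
    (r"\\google\\chrome\\user data\\.*\\login data$", {"chrome.exe"}),
    (r"\\microsoft\\edge\\user data\\.*\\login data$", {"msedge.exe"}),
    (r"\\mozilla\\firefox\\profiles\\[^\\]+\\logins\.json$", {"firefox.exe"}),
    (r"\.kdbx$", {"keepass.exe"}),
]

def _store_owner(path: str):
    """Return the owning process set if the path is a known credential store."""
    p = path.lower().replace("/", "\\")
    for pattern, owners in CREDENTIAL_STORES:
        if re.search(pattern, p):
            return owners
    return None

def detect_t1555(events):
    """Return one alert per credential-store read by an unexpected process."""
    hits = []
    for ev in events:
        owners = _store_owner(ev["target_path"])
        if owners is None:
            continue  # not a credential store, ignore
        image = PureWindowsPath(ev["image"]).name.lower()
        if image not in owners:
            hits.append({"technique": "T1555", "pid": ev["pid"],
                         "image": image, "path": ev["target_path"]})
    return hits

# Constructed sample telemetry: one legitimate browser read, two suspicious reads,
# and one unrelated file access.
SAMPLE_EVENTS = [
    {"pid": 4120, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "target_path": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    {"pid": 7788, "image": r"C:\Users\alice\AppData\Local\Temp\svc_update.exe",
     "target_path": r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\Profiles\x1.default\logins.json"},
    {"pid": 9001, "image": r"C:\Windows\System32\notepad.exe",
     "target_path": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for hit in detect_t1555(SAMPLE_EVENTS):
        print(hit)
```

In practice the allowlist would be fed from real telemetry, and a hit would be correlated with the process's parent and command line before escalating.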

The Red Report 2025 underscores that only a proactive strategy, one that continuously assesses security controls with adversarial exposure validation, will enable true cyber resilience. This means going beyond basic patching and occasional audits.

Techniques like breach and attack simulation, rigorous threat hunting, and aligning incident response playbooks to prevalent attacker behaviors are now table stakes.

Don’t Wait for the Cyber Heist – Prepare Now

The data-driven insights from Red Report 2025 paint a vivid picture of the cyber threat landscape: credential thieves roaming unchecked, a handful of techniques enabling the vast majority of breaches, and new “heist-style” attack sequences that stress-test any organization’s defense.

The good news is these are battles we know how to fight – if we’re prepared. Security leaders should take these findings as a call to arms to reinforce fundamentals, focus on the highest-impact threats, and implement security validation. By doing so, you can turn the tables on adversaries and stop the next “perfect heist” before it even begins.

For readers interested in the full deep dive into these trends and the complete list of recommendations, download the complete Picus Red Report 2025 to explore all the findings firsthand.

The report offers a wealth of actionable data and guidance to help you align your defenses with the threats that matter most. Don’t wait for attackers to expose your weaknesses, take a proactive stance and arm yourself with insights that can drive effective, resilient cybersecurity.

Download the complete Picus Red Report 2025 now.

Sponsored and written by Picus Security.
