Full Report
One of the ways threat actors keep up with the constantly evolving cyber defense landscape is by raising the level of sophistication of their attacks. This trend can be seen across many of our engagements, particularly when responding to China-nexus groups. These actors have demonstrated the ability to create custom malware ecosystems, identify and use zero-day vulnerabilities in security and other appliances, leverage proxy networks akin to botnets, target edge devices and platforms that traditionally lack endpoint detection and response, and employ custom obfuscators in their malware. They take these extra steps to evade detection, stifle analysis, and ultimately stay on systems for longer periods of time. However, not all successful attacks are highly complex and technical. Many times attackers will take advantage of the opportunities that are made available to them. This includes using credentials stolen in infostealer operations to gain initial access. Mandiant has seen such a rise in infostealer use that stolen credentials are now the second highest initial infection vector, making up 16% of our investigations. Other ways attackers are taking advantage of opportunities is by exploiting gaps and risks introduced in cloud migrations, and targeting unsecured data repositories to obtain credentials and other sensitive information. Today we released M-Trends 2025, the 16th edition of our annual report, to help organizations stay ahead of all types of attacks. We dive deep into several trends and share data and analysis from the frontlines of our incident response engagements to arm defenders with critical insights into the latest cyber threats. aside_block ), ('btn_text', 'Read now'), ('href', 'https://cloud.google.com/security/resources/m-trends?utm_source=m-trends-launch-blog&utm_medium=blog&utm_campaign=FY25-Q2-global-GCP33067-website-dl-dgcsm-m-trends-2025-report&utm_content=m-trends-launch-blog&utm_term=-'), ('image', )])]> Data and Trends M-Trends 2025 data is based on more than 450,000 hours of Mandiant Consulting investigations. The metrics are based on investigations of targeted attack activity conducted between Jan. 1, 2024 and Dec. 31, 2024. Key findings in M-Trends 2025 include: 55% of threat groups active in 2024 were financially motivated, which marks a steady increase, and 8% of threat groups were motivated by espionage. Exploits continue to be the most common initial infection vector (33%), and for the first time stolen credentials rose to the second most common in 2024 (16%). The top targeted industries include financial (17.4%), business and professional services (11.1%), high tech (10.6%), government (9.5%), and healthcare (9.3%). Global median dwell time rose to 11 days from 10 days in 2023. Global median dwell time was 26 days when external entities notified, 5 days when adversaries notified (notably in ransomware cases), and 10 days when organizations discovered malicious activity internally. M-Trends 2025 dives deep into the aforementioned infostealer, cloud, and unsecured data repository trends, and several other topics, including: Democratic People's Republic of Korea deploying citizens as remote IT contractors, using false identities to generate revenue and fund national interests. Iran-nexus threat actors ramping up cyber operations in 2024, notably targeting Israeli entities and using a variety of methods to improve intrusion success. Attackers targeting cloud-based stores of centralized authority, such as single sign-on portals, to gain broad access. Increased targeting of Web3 technologies such as cryptocurrencies and blockchains for theft, money laundering, and financing illicit activities. Recommendations for Organizations Each article in M-Trends 2025 offers critical recommendations for organizations to enhance their cybersecurity postures, with several of them being applicable to multiple trends. We advise that organizations: Implement a layered security approach that emphasizes sound fundamentals such as vulnerability management, least privilege, and hardening. Enforce FIDO2-compliant multi-factor authentication across all user accounts, especially privileged accounts. Invest in advanced detection technologies and develop robust incident response plans. Improve logging and monitoring practices to identify suspicious activity and reduce dwell time. Consider threat hunting exercises to proactively search for indicators of compromise. Implement strong security controls for cloud migrations and deployments. Regularly assess and audit cloud environments for vulnerabilities and misconfigurations. Mitigate insider risk by practicing thorough vetting processes for employees (especially remote workers), monitoring for suspicious activity, and enforcing strict access controls. Keep up-to-date with the latest threat intelligence, adapt security strategies accordingly, and regularly review and update security policies and procedures to address evolving threats. Be Ready to Respond The M-Trends mission has always been to equip security professionals with frontline insights into the latest evolving cyberattacks and to provide practical and actionable learnings for better organizational security. Read the full M-Trends 2025 report today, and register for our M-Trends 2025 webinar series for a more in-depth look at the data, topics, and recommendations discussed in the report. The M-Trends 2025 Executive Edition is also available, featuring a high-level look at the data and trends, along with key recommendations.
Analysis Summary
# Incident Report: M-Trends 2025 Cybersecurity Threat Analysis
## Executive Summary
This report summarizes key adversarial trends identified through Mandiant Consulting investigations conducted in 2024, highlighting a rise in sophisticated, custom malware ecosystems deployed by China-nexus groups alongside a significant surge in the use of stolen credentials obtained via information stealers as a primary initial access vector. The global median dwell time slightly increased to 11 days, emphasizing the need for improved detection and response capabilities across financial, high-tech, and government sectors.
## Incident Details
- **Discovery Date:** Data analysis based on investigations conducted between Jan. 1, 2024 and Dec. 31, 2024.
- **Incident Date:** Attacks occurred throughout 2024.
- **Affected Organization:** N/A (Report summarizes industry-wide trends/multiple engagements).
- **Sector:** Financial (17.4%), Business and Professional Services (11.1%), High Tech (10.6%), Government (9.5%), Healthcare (9.3%).
- **Geography:** Global.
## Timeline of Events
### Initial Access
- **Date/Time:** Throughout 2024 (specific timeline varies per engagement).
- **Vector:** Exploits (33% of groups) and Stolen Credentials (16% of groups).
- **Details:** Attackers leveraged known vulnerabilities in security and network appliances (e.g., Juniper, Fortinet, Ivanti), used custom malware ecosystems, or utilized credentials harvested via infostealer operations.
### Lateral Movement
- **Details:** Not explicitly detailed chronologically, but threat actors targeting edge devices often follow initial compromises with activities designed to maintain persistence and expand reach. China-nexus groups utilize techniques to evade detection and stay on systems longer.
### Data Exfiltration/Impact
- **Details:** Impact assessment is broad, covering financial motivation (55% of active groups), espionage (8%), and significant targeting of Web3 technologies. Specific data loss details are not provided, but cloud misconfigurations and unsecured repositories were targeted for credential and sensitive information theft.
### Detection & Response
- **How it was discovered:** Varies significantly; median dwell time was 26 days when externally notified, and only 5 days when ransomware adversaries notified internally. Internal discovery led to faster resolution.
- **Response actions taken:** Mandiant provided frontline insights to arm defenders with actionable learnings concerning evolving threats.
## Attack Methodology
- **Initial Access:** Exploits (33%), Stolen Credentials via Infostealers (16%), targeting cloud migration gaps, and unsecured data repositories.
- **Persistence:** Custom obfuscators used in malware to stifle analysis and maintain long-term access.
- **Privilege Escalation:** Attempted via targeting centralized cloud authority stores (e.g., SSO portals) to gain broad access.
- **Defense Evasion:** Creation of custom malware ecosystems, use of custom obfuscators, and targeting platforms lacking EDR visibility (edge devices).
- **Credential Access:** Harvesting via infostealer operations and obtaining credentials from targeted unsecured repositories.
- **Discovery:** Conducted by threat actors throughout the engagement lifecycle.
- **Lateral Movement:** Leveraging proxy networks akin to botnets (China-nexus groups).
- **Collection:** Targeting cloud stores of centralized authority. Increased sampling of Web3 technologies.
- **Exfiltration:** Methods tailored to avoid detection based on operational security (OpSec).
- **Impact:** Financial gain, espionage objectives, and theft/money laundering via Web3 targets.
## Impact Assessment
- **Financial:** 55% of active threat groups in 2024 were financially motivated.
- **Data Breach:** Not quantified, but target areas included credentials and sensitive information accessible via cloud misconfigurations and unsecured repositories.
- **Operational:** Global median dwell time increased slightly to 11 days, indicating slower internal detection capabilities year-over-year.
- **Reputational:** Not explicitly detailed, but impact is inferred across highly targeted sectors (Financial, High Tech, Government).
## Indicators of Compromise
*(Note: Specific indicators were not listed in the provided text, only general TTP trends)*
- **Network indicators:** Use of proxy networks akin to botnets (general observation).
- **File indicators:** Custom malware utilizing custom obfuscators (e.g., POISONPLUG/SCATTERBRAIN).
- **Behavioral indicators:** Targeting edge devices lacking EDR/Visibility; focusing on cloud SSO/centralized authority stores.
## Response Actions
*(Actions described are general recommendations based on findings, not specific containment steps from an incident)*
- **Containment measures:** Not specified.
- **Eradication steps:** Not specified.
- **Recovery actions:** Not specified.
## Lessons Learned
- **Key takeaways:** Exploits remain the top vector, but stolen credentials are now the second leading vector (16%), driven by infostealer operations. Sophisticated state-nexus groups are developing complex custom malware ecosystems to defeat advanced defenses.
- **What could have been done better:** Organizations need to reduce median dwell time (currently 11 days) through proactive hunting and improved logging/monitoring.
## Recommendations
- Implement a layered security approach emphasizing sound fundamentals (vulnerability management, least privilege, hardening).
- Enforce FIDO2-compliant multi-factor authentication across all accounts, especially privileged ones.
- Invest in advanced detection technologies and develop robust incident response plans.
- Improve logging/monitoring to reduce dwell time; utilize threat hunting exercises.
- Implement strong security controls for cloud migrations and regularly audit cloud environments (addressing cloud gap risks).
- Mitigate insider risk and thoroughly vet remote IT contractors.
- Stay updated with threat intelligence, adapting security strategies accordingly.