Full Report
Credential theft surged 3× in a year—but AI-powered malware? More hype than reality. The Red Report 2025 by Picus Labs reveals attackers still rely on proven tactics like stealth & automation to execute the "perfect heist." [...]
Analysis Summary
# Incident Report: Rise of Precision Credential Theft and Heist-Style Malware
## Executive Summary
The analysis of over 1 million malware samples shows a significant and alarming shift toward credential theft, with attacks targeting password stores increasing threefold in 2024. Attackers are relying on a core, predictable set of techniques (93% of activity uses the top 10 ATT&CK techniques) to execute multi-stage "SneakThief" operations focused on stealthy data exfiltration before any potential ransomware strike. Proactive validation against these prevalent techniques is essential to counter this trend.
## Incident Details
- **Discovery Date:** Early 2025 (Publication of the Red Report 2025 analyzing 2024 data)
- **Incident Date:** Trends observed throughout 2024
- **Affected Organization:** Not applicable (Industry threat landscape report)
- **Sector:** General Enterprise/All Sectors analyzed
- **Geography:** Global analysis
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing trend throughout 2024
- **Vector:** General vulnerability exploitation, phishing (implied by credential focus)
- **Details:** Attackers rely on a small core set of proven techniques for initial compromise.
### Lateral Movement
- **Details:** Stolen credentials (T1555) are used to "quietly escalate privileges and move laterally through networks."
### Data Exfiltration/Impact
- **Details:** Attackers are executing multi-stage operations (SneakThief style) to methodically search for and exfiltrate valuable data before detection, sometimes combining this with ransomware extortion tactics.
### Detection & Response
- **How it was discovered:** Analysis of over 1 million malware samples by Picus Labs for the Red Report 2025.
- **Response actions taken:** The report recommends continuous security control validation against current attacker tactics (e.g., T1055, T1059, T1555).
## Attack Methodology
- **Initial Access:** Unknown specific vector, but focused on traditional means leading to credential compromise.
- **Persistence:** Malware employs techniques to survive reboots, such as abusing boot-level autoruns.
- **Privilege Escalation:** Achieved via the use of stolen credentials.
- **Defense Evasion:** Achieved via Process Injection (T1055, seen in 31% of samples) to hide malicious code in benign processes, and using encrypted channels (HTTPS, DNS-over-HTTPS).
- **Credential Access:** **T1555 (Credentials from Password Stores)** has become a top 10 technique, aggressively targeting password managers, browser logins, and cached credentials.
- **Discovery:** Implied reconnaissance to locate valuable data for exfiltration.
- **Lateral Movement:** Using stolen credentials to move through networks effectively.
- **Collection:** Methodical searching for valuable data as part of the "Perfect Heist" sequence.
- **Exfiltration:** Utilizes encrypted channels for stealthy data theft.
- **Impact:** Data theft, potential extortion, and establishing hidden, long-term presence.
## Impact Assessment
- **Financial:** Not specified, but implied high due to the increase in lucrative credential theft operations.
- **Data Breach:** Focus on stealing sensitive files and passwords, leading to identity theft, account takeover, and potential ransomware scenarios.
- **Operational:** Potential for significant disruption if data theft is followed by ransomware encryption (though this report notes data theft often precedes encryption).
- **Reputational:** High risk associated with significant credential or sensitive data breaches.
## Indicators of Compromise
- **Network indicators:** Use of encrypted channels for C2 and exfiltration (HTTPS, DoH – must be monitored for anomalous flow).
- **File indicators:** Presence of information-stealing malware ("SneakThief").
- **Behavioral indicators:** Execution of commands via native scripting interpreters (PowerShell, Bash - T1059); Code injection into legitimate processes (T1055).
## Response Actions
- **Containment measures:** Isolation of systems exhibiting evidence of Process Injection or unusual credential usage following T1555 detection.
- **Eradication steps:** Revocation and mandatory reset of all identified stolen credentials; sanitization of endpoints infected with infostealer malware.
- **Recovery actions:** Restoring systems and validating security controls against the top 10 attacker techniques.
## Lessons Learned
- **Key takeaways:** Credential theft (T1555) is now a primary driver for threat actors, showing a 3x increase in 2024. Attackers are highly predictable, with 93% of attacks relying on a core set of 10 ATT&CK techniques.
- **What could have been done better:** Organizations should have continuously tested defenses against T1555, T1055, and T1059 using threat emulation rather than waiting for active incidents.
## Recommendations
- **Prevention measures for similar incidents:**
1. Implement continuous **adversarial exposure validation** (e.g., Breach and Attack Simulation) specifically testing detection/prevention capabilities for the top 10 prevalent ATT&CK techniques, especially T1555.
2. Enforce robust multi-factor authentication (MFA) to mitigate the impact of stolen credentials.
3. Review and restrict permissions for legitimate tools like PowerShell (T1059) and implement application whitelisting where possible.
4. Mandate regular audits of how credentials are stored (browser, OS, password managers) and ensure enterprise-grade protection for these stores.